Some cloud storage providers, seeking a lead in cloud security, have adopted a "zero-knowledge" policy, under which customer data cannot be spied upon. But computer scientists at Johns Hopkins University have questioned the safety of this zero-knowledge strategy.
Zero-knowledge cloud services work by storing customer data in encrypted form, with only the customer holding the decryption keys; the vendor cannot obtain those keys. But the researchers found that if the data is shared within the cloud service, the keys could be compromised, allowing attackers to pry into customer data. The study raises questions about zero-knowledge cloud computing and suggests that end users should have a good understanding of how vendors handle their data.
The researchers at Johns Hopkins University examined zero-knowledge vendors such as SpiderOak, Wuala and Tresorit. These vendors encrypt data when it is stored in the cloud and decrypt it only when the user downloads it from the cloud. This pattern is safe, but the researchers warn that if the data is shared in the cloud, meaning that it is sent through the cloud rather than downloaded to the user's own system, then the vendor has an opportunity to view the data. "When data is shared with another recipient through the cloud storage service, vendors have access to their customers' files and other data," said Duane Wilson, a PhD candidate at the Johns Hopkins University Computer Science Department's Institute of Information Security.
These vendors typically rely on an intermediary service to authenticate the user before data is decrypted. The researchers found that vendors sometimes provide this validation themselves. That gives the vendor an opportunity to issue fake certificates, decrypt the data, and view customer data, which is akin to a traditional man-in-the-middle attack.
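As an added illustration (not code from the researchers or from any vendor named here), this Python example contrasts a sharing client that accepts whatever recipient key the vendor supplies with one that accepts it only if it matches a fingerprint the recipient confirmed over a separate channel. Byte strings stand in for encoded public keys; the directory dicts, function names and e-mail address are assumptions made for the example.

```python
import hashlib
import hmac
class KeySubstitutionError(Exception):
    """The key offered by the vendor is not the key the recipient vouched for."""

def fingerprint(public_key: bytes) -> str:
    """Full SHA-256 of the encoded key, grouped so two people can compare it."""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))

def _norm(fp: str) -> bytes:
    return "".join(fp.split()).lower().encode()  # ignore spacing and case

def key_trusting_vendor(directory: dict, recipient: str) -> bytes:
    """Weak pattern: wrap the file key to whatever key the vendor returns."""
    return directory[recipient]

def key_verified(directory: dict, recipient: str, pins: dict, oob_fingerprint=None) -> bytes:
    """Hardened pattern: accept the vendor's answer only if it matches a pinned
    fingerprint, or one the recipient supplied out of band."""
    offered = directory[recipient]
    expected = pins.get(recipient) or oob_fingerprint
    if expected is None:
        raise KeySubstitutionError(f"no verified fingerprint for {recipient}")
    if not hmac.compare_digest(_norm(fingerprint(offered)), _norm(expected)):
        raise KeySubstitutionError(f"directory key for {recipient} does not match")
    pins[recipient] = fingerprint(offered)  # pin it, so a later swap is caught
    return offered

# Constructed sample data: opaque byte strings stand in for real public keys.
BOB = "bob@example.org"
BOB_KEY = b"constructed-public-key-bob"
VENDOR_KEY = b"constructed-public-key-vendor"
HONEST_DIRECTORY = {BOB: BOB_KEY}
SUBSTITUTED_DIRECTORY = {BOB: VENDOR_KEY}  # vendor vouches for its own key
def demo() -> dict:
    pins = {}
    bob_fp = fingerprint(BOB_KEY)  # recipient confirms this over another channel
    results = {"weak_accepts_substitute":
               key_trusting_vendor(SUBSTITUTED_DIRECTORY, BOB) == VENDOR_KEY}
    results["verified_accepts_real"] = key_verified(HONEST_DIRECTORY, BOB, pins, bob_fp) == BOB_KEY
    try:
        key_verified(SUBSTITUTED_DIRECTORY, BOB, pins)  # the pin from above applies
        results["verified_rejects_substitute"] = False
    except KeySubstitutionError:
        results["verified_rejects_substitute"] = True
    return results

if __name__ == "__main__":
    print(demo())
```

The check only helps if the fingerprint reaches the sender over a channel the storage vendor does not control.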
The researchers said they found no evidence that customer data had been compromised and saw no suspicious behavior from any of the vendors, but they said it could be a loophole. "Although we did not find any evidence that any security cloud storage providers were accessing their customers' private information, we thought that might happen," said Giuseppe Ateniese, an associate professor at the university. "It's like finding your neighbor's door unlocked, and maybe nobody's stealing from it, but don't you think it's easy for thieves to get in?"
A representative of one of the vendors, SpiderOak, said the company agreed with some of the results of the study. SpiderOak encourages users to transfer files with its desktop application rather than through the company's web portal. Using the desktop application ensures that end users are authenticated to decrypt the data, eliminating the possibility of the vendor snooping on it. Users deploying SpiderOak services need to check the contract and make sure they understand that real zero-knowledge requires the use of the desktop application.
SpiderOak says it wants to implement collaborative services around its cloud platform, meaning the data will be transferred within its cloud. To implement this feature, SpiderOak says it plans to combine RSA security IDs with key and encryption platforms. It also wants to provide a way for users to verify who is browsing the files. Some vendors, such as the cryptographic communications provider Silent Circle, use speech recognition tools to provide this functionality, and SpiderOak says it is evaluating similar methods to ensure that data is shared only among people approved by the owner.