This article was published in the GOTO Conference Magazine 2011, Aarhus, Denmark.
Introduction
Cloud computing is the result of an evolution in computing technology that ran from the 1950s and 1960s until major IT technologies (such as servers, operating systems, databases, application servers, etc.) were commoditised, i.e. turned into interchangeable products that have no significant differentiation and compete only on price.
In one cloud computing model, computing infrastructure (computing power, memory, and storage), applications, or platforms for application development, are offered for consumption and can be used as a service based on payment-according-to-use terms.
In addition, the service is not limited, allowing for some elasticity in the resources provided in that they can be increased or decreased as needed (on-demand). Unlike the old methods of hosting, this model allows the consumer control over the resources through a Web interface or using APIs.
The technological changes inherent in cloud computing enable a service-based economy, which paves the way for business developments and agility implementation within the organisation and its connection with other organisations.
However, there are significant risks in the cloud, for example security, compliance, integration and regulation risks, which might necessitate additional investments.
In this paper we will present:
- a security analysis for Dropbox as an example of cloud computing risks, and
- our encryption applications for Dropbox as an example of our security strategy for the cloud.
Dropbox
Let us take a look at one of the most popular cloud storage solutions, Dropbox. This service allows you to store your data in the cloud using any of your devices with an internet connection, from desktops and laptops to tablets and smartphones. Dropbox has created easy-to-use applications targeting different devices and operating systems, which makes it one of cloud computing’s most popular services with 10 million users. More than 100 billion files were stored as of May 2011 [1], and Dropbox saves 1 million files every 5 minutes.
When you start using Dropbox, you need to register for the service and create an account by choosing a username and password, which will generate a unique Host ID. The Host ID will be stored on all of the devices that access Dropbox with this account. A file folder will be created on your computer, which will be monitored by the Dropbox application. Whenever you change the contents of this folder by adding, modifying or deleting files, the Dropbox servers automatically synchronise these changes with your account’s folder. There’s nothing earthshaking about this capability, but the whole process is amazingly simple and user-friendly, and private users can get up to 2 GB of storage for free.
In order to save storage space and data traffic, every file is split into smaller files of up to 4 megabytes in size. When a user tries to upload a file to his Dropbox folder, the local application on his device calculates the file hash (using the SHA-256 algorithm) and sends it to the Dropbox servers, which compare it with the hashes of all the files in their database. If the file already exists, Dropbox adds another link to this file that associates it with this user account, which saves the need to upload it again.
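The upload flow described above can be sketched as follows. This is an added example, not Dropbox's code: the `DedupStore` class, its method names and the in-memory storage are hypothetical, and the server-side recomputation of each uploaded chunk's hash is a design choice of this sketch.

```python
import hashlib

CHUNK_SIZE = 4 * 1024 * 1024  # files are split into pieces of up to 4 MB


def chunk_hashes(data: bytes, chunk_size: int = CHUNK_SIZE):
    """Client side: split data and return [(sha256_hex, chunk), ...]."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    return [(hashlib.sha256(c).hexdigest(), c) for c in chunks]


class DedupStore:
    """Hypothetical in-memory server: one copy per chunk, linked to accounts."""

    def __init__(self):
        self.chunks = {}  # sha256 hex -> chunk bytes (stored once)
        self.links = {}   # account -> {file name: [chunk hashes]}

    def missing(self, hashes):
        """Tell the client which chunks the server does not hold yet."""
        return [h for h in hashes if h not in self.chunks]

    def put_chunk(self, claimed_hash: str, data: bytes):
        # Recompute the hash over the received bytes instead of trusting
        # the value the client sent.
        if hashlib.sha256(data).hexdigest() != claimed_hash:
            raise ValueError("chunk does not match its claimed hash")
        self.chunks[claimed_hash] = data

    def commit(self, account: str, name: str, hashes):
        """Link the file to the account; chunks already stored are reused."""
        if self.missing(hashes):
            raise KeyError("commit refers to chunks that were never uploaded")
        self.links.setdefault(account, {})[name] = list(hashes)


def upload(store, account, name, data, chunk_size=CHUNK_SIZE) -> int:
    """Client side: send only chunks the server lacks; return bytes sent."""
    pairs = chunk_hashes(data, chunk_size)
    need = set(store.missing([h for h, _ in pairs]))
    sent = 0
    for h, chunk in pairs:
        if h in need:
            store.put_chunk(h, chunk)
            need.discard(h)  # a chunk repeated inside the file is sent once
            sent += len(chunk)
    store.commit(account, name, [h for h, _ in pairs])
    return sent
```

A second account uploading identical content transfers zero bytes: the server only adds a link to the chunks it already holds.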
Dropbox security and privacy issues
In its paper “Dark Clouds on the Horizon”, the SBA Research Institute [2] reviewed three weaknesses in this mechanism. Those weaknesses were caused by not verifying the hash result of the files and by the weakness in the Host ID authentication.
The Host ID is the only parameter that is used for authenticating users and devices. This means that any disclosure of the Host ID will allow an attacker to get access to all the user data in Dropbox. The Host ID is common to all the devices in the specific account and never changes.
These weaknesses have also been discussed by information security blogger Derek Newton [3], who reveals that changing the Dropbox account password does not change the Host ID, so changing the password becomes useless.
SBA Research [2] also pointed out the possibility of Amazon staff (Amazon is the infrastructure provider that runs the system for Dropbox) getting access to the decryption keys of Dropbox users’ secure connection (SSL) and to Dropbox databases (stored on the Amazon storage service S3).
This problem also demonstrates one of the main security issues in cloud computing, namely the third-party service provider. Many of the service providers are cloud customers themselves, which makes it complicated for end users to keep track of the data security controls that secure their data in the cloud.
Those weaknesses could lead to different attacks, from the obvious hidden channel to more sophisticated attacks such as uploading malicious files to the user’s Dropbox folder and letting the victim unsuspectingly spread the attack to his different devices.
Another attack that was suggested in the SBA research paper [2] is called the Online Slack Space attack. This enables an attacker to hide his data in the victim’s Dropbox folder and get access to the victim’s data without it being associated with him. This kind of attack also gives the attacker access to free and unlimited storage.
Malicious attacks are not the only problems when you are using a cloud service like Dropbox.
Dropbox demonstrated how dangerous it could be during one of their code updates, when they introduced a bug affecting their authentication mechanism [4]. For four minutes during this code update, any user could have logged into an account without the correct password, meaning that he could get access to any account and any data that was stored on Dropbox servers.
A security problem that occurs while a code update is being conducted could happen on any system, but when it happens on a cloud service, it exposes the users to a larger risk due to the multi-tenant characteristics of the cloud.
Another disturbing issue is the “Patriot Act”, which relates to the fact that any American company must disclose any data stored in its systems to the U.S. authorities upon request. Dropbox increased users’ concerns about these issues by changing its “Terms of Use” (TOS) several times [5].
The Alexandra Institute’s encryption solution for Dropbox
To meet some of the threats presented in this paper, the Alexandra Institute has created a solution that allows users to independently encrypt their files before uploading them to Dropbox servers. You can find many solutions that support encryption for Dropbox [6], but what makes this solution unique is that it has been designed to fully support Dropbox service functionality.
The solution, which is currently only a proof of concept, contains two applications: one for the computer and another for the smartphone. The solution allows users to encrypt the files before uploading them to Dropbox servers.
With these applications, we enable the user to create his own independent encryption that he can trust, thus making him less dependent on the service provider to secure his data.
How does it work?
First you need to install the applications both on your computer (desktop or laptop) and on your smartphone. Then you need to enter your Dropbox user account (Host ID) information into our applications.
The next step is to generate your private key, which will be used to encrypt and decrypt the files (AES 128-bit symmetric encryption scheme). The key is sent to the smartphone by using a QR code (Quick Response code), which is a visual image of the key displayed on the computer screen. You take a picture of the image with the smartphone’s camera, and the application generates the private key for the smartphone application. Now you can encrypt and decrypt files on your Dropbox service with your smartphone (we generate the key only on the computer due to security and performance issues).
In this process we encrypt not only the files but also the file names. If an intruder succeeds in getting access to the account (by obtaining the Host ID), he cannot view the files or their names. This functionality is obtained by using XML files that hold the file names and generate them when the user provides the correct encryption key.
Our proof of concept is a Linux laptop application written in the Python programming language and an application for the Android smartphone written in Java. This flexibility is gained by using standard encryption algorithms and tools.
Given that Dropbox provides the APIs used in the proof of concept for a large range of operating systems, building a more full-fledged solution is “straightforward”.
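The steps above (128-bit AES key generated on the computer, key handed to the phone as QR content, files and file names both encrypted, names recovered from an XML file) can be illustrated with the sketch below. It is an added example, not the Alexandra Institute's proof-of-concept code. Its assumptions are AES-GCM as the mode, the third-party `cryptography` package, base64 as the QR text, the `manifest.xml.enc` name and all function names; rendering and scanning the QR image are left out.

```python
import base64
import os
import secrets
import xml.etree.ElementTree as ET

from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # third-party


def generate_key() -> bytes:
    """Create the 128-bit AES key; done on the computer only."""
    return AESGCM.generate_key(bit_length=128)


def key_to_qr_payload(key: bytes) -> str:
    """Text that a QR library would render on screen (rendering omitted)."""
    return base64.b64encode(key).decode("ascii")


def key_from_qr_payload(payload: str) -> bytes:
    """What the phone application recovers after scanning the code."""
    return base64.b64decode(payload)


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    nonce = os.urandom(12)  # fresh nonce per message, stored with the blob
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    # Raises cryptography.exceptions.InvalidTag on a wrong key or tampering.
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad)


def encrypt_folder(key: bytes, files: dict) -> dict:
    """Map {real name: bytes} to what is placed in the synced folder."""
    stored, manifest = {}, ET.Element("manifest")
    for name, data in files.items():
        opaque = secrets.token_hex(16)  # random stored name, reveals nothing
        stored[opaque] = seal(key, data, opaque.encode())
        ET.SubElement(manifest, "file", stored=opaque, name=name)
    stored["manifest.xml.enc"] = seal(key, ET.tostring(manifest))
    return stored


def decrypt_folder(key: bytes, stored: dict) -> dict:
    """Rebuild {real name: bytes}; works only with the correct key."""
    manifest = ET.fromstring(unseal(key, stored["manifest.xml.enc"]))
    return {f.get("name"): unseal(key, stored[f.get("stored")],
                                  f.get("stored").encode())
            for f in manifest}
```

Binding each blob to its stored name as associated data means that swapping two encrypted files in the folder makes decryption fail rather than silently return the wrong content.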
Conclusion
In this paper we try to demonstrate the risks of using cloud computing services by discussing the vulnerabilities and security issues of the popular cloud storage service Dropbox, as this concerns many of the cloud users and their potential customers. We show a simple and easy-to-use security solution for Dropbox users that allows them to independently encrypt files before uploading them to Dropbox servers. Our solution does not solve all the security issues presented in this paper. But it demonstrates our vision on securing the cloud by creating trust between provider and users through transparency and tools that give the users a sense of control and governance that otherwise seem to be lost in the cloud.
References
[1] At Dropbox, Over 100 Billion Files Served–And Counting, retrieved May 23rd, 2011.
Online at http://gigaom.com/2011/05/23/at-dropbox-over-100-billionfiles-served-and-counting/.
[2] Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space by SBA Research
[3] Dropbox authentication: insecure by design – Derek Newton Information Security Insights blog
[4] http://blog.dropbox.com/?p=821 The Dropbox blog
[5] DROPBOX: We’ll Turn Your Files Over To The Government If They Ask Us To Steve Kovach
[6] http://getsecretsync.com/ss/getstarted/, http://lifehacker.com/5794486/how-to-add-a-second-layer-of-encryption-to-dropbox
[7] COX, M., ENGELSCHALL, R., HENSON, S., LAURIE, B., YOUNG, E., AND HUDSON, T. Openssl, 2001.
[8] NCrypto Homepage, retrieved June 1st, 2011. Online at http://ncrypto.sourceforge.net/.
