Featured Research

from universities, journals, and other organizations

Flaw in 'secure' cloud storage could put privacy at risk

Date:
April 15, 2014
Source:
Johns Hopkins University
Summary:
Computer scientists have found a flaw in the way that secure cloud storage companies protect their customers’ data. The scientists say this weakness jeopardizes the privacy protection these digital warehouses claim to offer. Whenever customers share their confidential files with a trusted friend or colleague, the researchers say, the storage provider could exploit the security flaw to secretly view this private data.

The researchers' illustration of how the security weakness could be exploited by a cloud computing storage provider.
Credit: Johns Hopkins University Information Security Institute

Johns Hopkins computer scientists have found a flaw in the way that secure cloud storage companies protect their customers' data. The scientists say this weakness jeopardizes the privacy protection these digital warehouses claim to offer. Whenever customers share their confidential files with a trusted friend or colleague, the researchers say, the storage provider could exploit the security flaw to secretly view this private data.

Related Articles


The lead author of the new article is Duane C. Wilson, a doctoral student in the Department of Computer Science in the university's Whiting School of Engineering. The senior author is his faculty adviser, Giuseppe Ateniese, an associate professor in the department. Both are affiliated with the Johns Hopkins University Information Security Institute.

Their research focused on the secure cloud storage providers that are increasingly being used by businesses and others to house or back up sensitive information about intellectual property, finances, employees and customers. These storage providers claim to offer "zero-knowledge environments," meaning that their employees cannot see or access the clients' data. These storage businesses typically assert that this confidentiality is guaranteed because the information is encrypted before it is uploaded for cloud storage.

But the Johns Hopkins team found that complete privacy could not be guaranteed by these vendors. "Our research shows that as long as the data is not shared with others, its confidentiality will be preserved, as the providers claim," Wilson said. "However, whenever data is shared with another recipient through the cloud storage service, the providers are able to access their customers' files and other data."

The problem, Wilson said, is that privacy during file-sharing is normally preserved by the use of a trusted third party, a technological "middle-man" who verifies the identify of the users who wish to share files. When this authentication process is finished, this third party issues "keys" that can unscramble and later re-encode the data to restore its confidentiality.

"In the secure cloud storage providers we examined," Wilson said, "the storage businesses were each operating as their own 'trusted third party,' meaning they could easily issue fake identity credentials to people using the service. The storage businesses could use a phony 'key' to decrypt and view the private information, then re-encrypt it before sending it on to its intended recipient."

Wilson added, "As a result, whenever data is shared with another user or group of users, the storage service could perform a man-in-the-middle attack by pretending to be another user or group member. This would all happen without alerting the customers, who incorrectly believe that the cloud storage provider cannot see or access their data."

These storage services generally do not share the details of how their technology works, so Wilson and Ateniese substantiated the security flaw by using a combination of reverse engineering and network traffic analysis to study the type of communication that occurs between a secure cloud storage provider and its customers.

The researchers pointed out that their study focused only on three storage providers that claimed their customers' data would remain completely confidential. Other file-sharing services, such as Dropbox and Google Drive, make no pledge of privacy. Instead, they say that after a user's data is uploaded, it is encrypted with keys that are owned by the file-sharing service.

To solve the security flaw, the researchers recommend that the arrangements between customers and secure storage providers be revised so that an independent third party serves as the file-sharing "middle-man," instead of the storage company itself.

"Although we have no evidence that any secure cloud storage provider is accessing their customers' private information, we wanted to get the word out that this could easily occur," said Ateniese, who supervised the research. "It's like discovering that your neighbors left their door unlocked. Maybe no one has stolen anything from the house yet, but don't you think they'd like to know that it would be simple for thieves to get inside?"


Story Source:

The above story is based on materials provided by Johns Hopkins University. Note: Materials may be edited for content and length.


Journal Reference:

  1. Duane C. Wilson, Giuseppe Ateniese. 'To Share or Not to Share' in Client-Side Encrypted Clouds. arXiv, 2014; (submitted) [link]

Cite This Page:

Johns Hopkins University. "Flaw in 'secure' cloud storage could put privacy at risk." ScienceDaily. ScienceDaily, 15 April 2014. <www.sciencedaily.com/releases/2014/04/140415125259.htm>.
Johns Hopkins University. (2014, April 15). Flaw in 'secure' cloud storage could put privacy at risk. ScienceDaily. Retrieved November 29, 2014 from www.sciencedaily.com/releases/2014/04/140415125259.htm
Johns Hopkins University. "Flaw in 'secure' cloud storage could put privacy at risk." ScienceDaily. www.sciencedaily.com/releases/2014/04/140415125259.htm (accessed November 29, 2014).

Share This


More From ScienceDaily



More Computers & Math News

Saturday, November 29, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

Recharge Your Phone in 30 Seconds? Israeli Firm Says It Can

Recharge Your Phone in 30 Seconds? Israeli Firm Says It Can

Reuters - Innovations Video Online (Nov. 28, 2014) With consumers demanding more and more from their mobile devices, scientists in Israel and Singapore are developing super fast-charging batteries to power them. Amy Pollock has more. Video provided by Reuters
Powered by NewsLook.com
EU Pushes Google For Worldwide Right To Be Forgotten

EU Pushes Google For Worldwide Right To Be Forgotten

Newsy (Nov. 27, 2014) Privacy regulators recommend Google expand its requested removals to apply to all its web domains. Video provided by Newsy
Powered by NewsLook.com
Predictions Of Tablets' Demise Sound Familiar

Predictions Of Tablets' Demise Sound Familiar

Newsy (Nov. 26, 2014) The tablet's days are numbered, at least according to a recent IDC report. The market-research firm paints a grim outlook for tablets. Video provided by Newsy
Powered by NewsLook.com
Today's Prostheses Are More Capable Than Ever

Today's Prostheses Are More Capable Than Ever

Newsy (Nov. 26, 2014) Advances in prosthetics are making replacement body parts stronger and more lifelike than they’ve ever been. Video provided by Newsy
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:

Strange & Offbeat Stories


Space & Time

Matter & Energy

Computers & Math

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile: iPhone Android Web
Follow: Facebook Twitter Google+
Subscribe: RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins