OT: Dropbox and Skydrive encryption
< Next Topic | Back to topic list | Previous Topic >
Posted by Alexander Deliyannis
Oct 25, 2014 at 05:05 PM
dan7000 wrote:
>The only way to ensure it’s secure is if it
>is encrypted *locally* (on your local machine) with a strong passphrase
>that is never stored anywhere. You want a system where there is no way
>for the server administrator to ever decrypt your data—the only way
>for the data to be decrypted is if you personally disclose the
>passphrase. Locally-encrypted systems are more likely to have this type
>of security.
Apparently this is the logic of Wuala:
https://www.wuala.com/en/learn/technology
“As a side effect, it is impossible to recover your password in case you forget it. You can test your cloud storage provider’s security by checking whether they offer password recovery or password reset. If yes, then it does not employ client-side encryption. With client-side encryption, security is embedded deeply in the design of the storage.”
I haven’t used Wuala much, but it is marketed as the Swiss approach to data security—with clear connotations of Swiss banks and money security…
Dan, after reading your very good summary of approaches, I was wondering how Wuala handles sharing of files. They explain the procedure, though I admit I didn’t proceed to read the full paper:
“One of the main challenges with client-side encryption is key management. If you only want to back up, a single master key is enough. However, if you want to be able to share data selectively, your cloud storage must feature a sophisticated key management scheme. Wuala features such a system, called Cryptree, whose basic principles are described in this paper. http://dcg.ethz.ch/publications/srds06.pdf
Currently, Wuala uses AES- 256 for encryption, RSA 2048 for signatures and for key exchange when sharing folders, and SHA-256 for integrity checks.”
Posted by dan7000
Oct 27, 2014 at 05:56 PM
I tried Wuala a couple of years ago and ended up dropping it because, if I recall, their Android client was slow and/or ugly. It’s interesting that they have a dual-key encryption scheme to allow sharing—- that’s what I think mega.com is doing too. Theoretically dual-key will be unbreakable (absent brute force) if nobody except the expected recipient gets the public key. See Wikipedia if you are interested - it’s really cool stuff. But in practice most dual-key systems do you the favor of saving your public key for you so they can transparently decrypt your shared files for your recipients. Obviously if a provider can encrypt a file for your share recipient, they can also decrypt it under subpoena. Switzerland is a signatory to the Hague convention and thus will allow US litigants to compel the production of documents from Swiss companies (with the exception of banks pursuant to the Swiss Banking Privacy Act). See http://bern.usembassy.gov/obtaining_evidence.html
Posted by Alexander Deliyannis
May 2, 2015 at 09:33 AM
FYI (not very relevant to the initial question, but it might be of interest):
—————Forwarded message—————
From: Dropbox
Date: Sat, May 2, 2015 at 8:26 AM
Subject: Update: Changes to better serve our users around the world
Hi there,
If you’re a user living outside of North America (U.S., Canada, Mexico), we’re updating our Terms of Service to better serve you and the growing number of Dropbox users around the world. These changes include the fact that we’ll be providing our services (including Dropbox, Dropbox for Business, Carousel, and Mailbox) to you via Dropbox Ireland starting on June 1, 2015. Please note that none of our services or features are changing as a result of this. You can read the updated terms at https://www.dropbox.com/terms.
Have questions about these changes? Visit our Help Center.
Thanks for using Dropbox!
The Dropbox Team
© 2015 Dropbox