Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Security



Dan O'Donovan wrote:
> Hsuan-Yeh Chang wrote:
>> Is there a way to encrypt data stored with cloud services (such as
>> dropbox) that can be decrypted only by the data owner...
> 
> Sure it can, but one of the reasons that DropBox is great is because
> it saves incremental backups of your files (tracking changes and the
> like). If you start encrypting them you loose this...

Not only is the problem solvable, but there are existing open source
(rsyncrypto) and and commercial (Wuala) solutions.

The only real challenge a DropBox-like service faces when implementing
client-side encryption is one of convenience - such as how do you
provide the user with access to their files if all they have is a web
browser? Decryption would need to be done in Java or JavaScript, and the
user would have to have their key, or an adequately strong passphrase to
generate a key. It's the usability challenges that undoubtedly led to
DropBox taking the less secure approach.


Cloud storage is easy compared to securing cloud applications. With the
latter the affiliated application data needs to be unencrypted in order
for the application to interact with it.

There is, however, a researcher at IBM who is working on a type of
encryption that makes it possible to perform certain mathematical
operations on encrypted data, such that the transformation persists
after decryption. If this worked, you'd upload encrypted data to the
cloud, process it in the cloud while still encrypted, and finally
download and decrypt it. It sounds like something that will never be
possible in the general case (more than for a few specific mathematical
transformations).

About the best you can hope for is a cloud vendor that uses an
architecture where your login generates a key and your data gets
decrypted on the fly. When you log out, the key gets flushed from
memory, and your data resumes being inaccessible to anyone but you.


> Hsuan-Yeh Chang wrote:
>> If I send an e-mail (with attachment) from Gmail to Hotmail, would
>> both Google and Microsoft keep this e-mail on their respective servers
>> forever?

No, not if you delete it. (Though backups are a different story.)

Many people don't realize it, but it is possible to purge messages out
of a Gmail account. I have a few Gmail hosted accounts, and I
periodically purge all the messages out of them.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org