These storage services generally do not share the details of how their technology works, so Wilson and Ateniese substantiated the security flaw by using a combination of reverse engineering and network traffic analysis to study the type of communication that occurs between a secure cloud storage provider and its customers. This would all happen without alerting the customers, who incorrectly believe that the cloud storage provider cannot see or access their data." "As a result, whenever data is shared with another user or group of users, the storage service could perform a man-in-the-middle attack by pretending to be another user or group member. The storage businesses could use a phony 'key' to decrypt and view the private information, then re-encrypt it before sending it on to its intended recipient. "In the secure cloud storage providers we examined," Wilson said, "the storage businesses were each operating as their own 'trusted third party,' meaning they could easily issue fake identity credentials to people using the service. When this authentication process is finished, the third party issues "keys" that can unscramble and later re-encode the data to restore its confidentiality.
The problem, Wilson said, is that privacy during file-sharing is normally preserved by the use of a trusted third party, a technological "middle-man" who verifies the identify of the users who wish to share files. "However, whenever data is shared with another recipient through the cloud storage service, the providers are able to access their customers' files and other data." "Our research shows that as long as the data is not shared with others, its confidentiality will be preserved, as the providers claim," Wilson said. These storage businesses typically assert that this confidentiality is guaranteed because the information is encrypted before it is uploaded for cloud storage.īut the Johns Hopkins team found that complete privacy could not be guaranteed by these vendors. These storage providers claim to offer "zero-knowledge environments," meaning that their employees cannot see or access the clients' data. Their research focused on the secure cloud storage providers that are increasingly being used by businesses and others to house or back up sensitive information about intellectual property, finances, employees, and customers. Both are affiliated with the Johns Hopkins University Information Security Institute. The senior author is his faculty adviser, Giuseppe Ateniese, an associate professor in the department. Wilson, a doctoral student in the university's Department of Computer Science in the Whiting School of Engineering. The flaw is detailed in a technical paper posted on, a Cornell site that hosts preprints of scientific papers in select disciplines, including computer science. Whenever customers share their confidential files with a trusted friend or colleague, researchers say, the storage provider could exploit the security flaw to secretly view private data.
Johns Hopkins computer scientists have found a flaw in the way that secure cloud storage companies protect their customers' data, a weakness they say jeopardizes the privacy protection these digital warehouses claim to offer.
0 kommentar(er)
