Online backup : how could encryption and de-duplication be compatible?

Question

A "soon to enter beta" online backup service, Bitcasa, claims to have both de-duplication (you don't backup something already in the cloud) and client side encryption.

http://techcrunch.com/2011/09/12/with-bitcasa-the-entire-cloud-is-your-hard-drive-for-only-10-per-month/

A patent search yields nothing with their company name but the patents may well be in the pipeline and not granted yet.

I find the claim pretty dubious with the level of information I have now, anyone knows more about how they claim to achieve that? Had the founders of the company not had a serious business background (Verisign, Mastercard...) I would have classified the product as snake oil right away but maybe there is more to it.

Edit: found a worrying tweet : https://twitter.com/#!/csoghoian/status/113753932400041984, encryption key per file would be derived from its hash, so definitely looking like not the place to store your torrented film collection, not that I would ever do that.

Edit2: We actually guessed it right, they used so called convergent encryption and thus someone owning the same file as you do can know wether yours is the same, since they have the key. This makes Bitcasa a very bad choice when the files you want to be confidential are not original. http://techcrunch.com/2011/09/18/bitcasa-explains-encryption/

Edit3: https://crypto.stackexchange.com/questions/729/is-convergent-encryption-really-secure have a the same question and different answers

Answer 1

I haven't thought through the details, but if a secure hash of the file content were used as the key then any (and only) clients who "knew the hash" would be able to access the content.

Essentially the cloud storage would act as a collective partial (very sparse, in fact) rainbow table for the hashing function, allowing it to be "reversed".

From the article: "Even if the RIAA and MPAA came knocking on Bitcasa’s doors, subpoenas in hand, all Bitcasa would have is a collection of encrypted bits with no means to decrypt them." -- true because bitcasa don't hold the objectid/filename-to-hash/key mapping; only their clients do (client-side). If the RIAA/MPAA knew the hashes of the files in question (well known for e.g. specific song MP3s) they'd be able to decrypt and prove you had a copy, but first they'd need to know which cloud-storage object/file held which song.

Clients would need to keep the hash for each cloud-stored object, and their local name for it, of course, to be able to access and unencrypt it.

Regarding some of the other features claimed in the article:

• "compression" -- wouldn't work server-side (the encrypted content will not compress well) but could be applied client-side before encryption
• "accessible anywhere" -- if the objid-to-filename-and-hash/key mapping is only on the client then the files are useless from other devices, which limits the usefulness of cloud storage. Could be solved by e.g. also storing the collection of objid-to-filename-and-hash/key tuples, client-side encrypted with a passphrase.
• "patented de-duplication algorithms" -- there must be more going on than the above to justify a patent -- possibly de-duplication at a block, rather than file level?
• the RIAA/MPAA would be able to come with a subpoena and an encrypted-with-its-own-hash copy of whatever song/movie they suspect people have copies of. Bitcasa would then be able to confirm whether or not that file had been stored or not. They wouldn't be able to decrypt it (without RIAA/MPAA giving them the hash/key), and (particularly if they aren't enforcing per-user quotas becausrer they offer "infinite storage") they might not have retained logs of which users uploaded/downloaded it. However, I suspect they could be required to remove the file (under DMCA safe harbour rules) or possibly to retain the content but then log any accounts which upload/download it in the future.

Answer 2

The commercial ad you link to, and the company web site, are really short on information; and waving "20 patents" as a proof of competence is weird: patents do not prove that the technology is good, only that there are some people who staked a few thousand dollars on the idea that the technology will sell well.

Let's see if there is a way to make these promises come true.

If data is encrypted client-side, then there must be a secret key K_f for that file. The point of the thing is that Bitcasa does not know K_f. To implement de-duplication and caching and, more importantly, sharing, it is necessary that every user encrypting a given file f will end up using the same K_f. There is a nifty trick which consists in using the hash of the file itself, with a proper hash function (say, SHA-256), as K_f. With this trick, the same file will always end up into the same encrypted format, which can then be uploaded and de-duplicated at will.

Then a user would have a local store (on his computer) of all the K_f for all his files, along with a file ID. When user A wants to share the file with user B, user A "right clicks to get the sharing URL" and sends it to B. Presumably, the URL contains the file ID and K_f. The text says that both users A and B must be registered users for the sharing to work, so the "URL" is probably intercepted, on B's machine, by some software which extracts the ID and K_f from that "URL", downloads the file from the server, and decrypts it locally with its newly acquired knowledge of K_f.

For some extra resilience and usability, the set of known keys K_f for some user could be stored on the servers, too -- so you just need to "remember" a single K_f key, which you could transfer from one computer to another.

So I say that what Bitcasa promises is possible -- since I would know how to do it, and there is nothing really new or technologically advanced here. I cannot claim that this is what Bitcasa does, only that this is how I would do it. The "hard" part is integrating that in existing operating systems (so that "saving a file" triggers the encryption/upload process): some work, but hardly worth a patent, let alone 20 patents.

Note that using K_f = h(f) means that you can try an exhaustive search on the file contents. This is unavoidable anyway in a service with de-duplication: by "uploading" a new file and just timing the operation, you can know whether the file was already known server-side or not.

Answer 3

Bruce Schneier touched on the subject in May http://www.schneier.com/blog/archives/2011/05/dropbox_securit.html related to the Dropbox problem of that week. TechRepublic offers a great 7 page white paper on the subject for the price of an e-mail sign up at http://www.techrepublic.com/whitepapers/side-channels-in-cloud-services-the-case-of-deduplication-in-cloud-storage/3333347.

The paper focuses on the side channel and covert channel attacks available in cloud deduplication. The attacks leverage the cross user deduplication. For example, if you knew Bob was using the service and his template-built salary contract was up there you could craft versions of same until you hit his salary. Success indicated by the time the file took to upload.

Of course your protection is to encrypt prior to using the service. That will however prevent the cost savings to the service that makes it economically viable as it would eliminate almost all deduplication opportunities. Thus the service will not be encouraging the choice.

---

---

Answer 4

In addition to the other good answers here, I'd like to point you to the following two academic papers, which were published recently:

• Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar Weippl, Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space, Usenix Security 2011.

  This paper describes how Dropbox does de-duplication and identifies attacks on the mechanism. They propose a novel way to defend against some -- but not all -- of these attacks, based upon requiring the client to prove they know the contents of the file (not just its hash) before they're allowed to access the file.

• Danny Harnik, Benny Pinkas, Alexandra Shulman-Peleg. Side channels in cloud services, the case of deduplication in cloud storage, IEEE Security & Privacy Magazine.

  This paper analyzes three cloud storage services that perform de-duplication (Dropbox, Mozy, and Memopal), and points out the consequent security and privacy risks. They propose a novel defense against these risks, based upon ensuring that a file de-duplicated only if there are many copies of it, thus reducing the information leakage.

These papers seem directly relevant to your question. They also demonstrate that there is room for innovation on non-trivial mitigations for the risks of naive de-duplication.

Answer 5

Encryption and de-duplication between arbitrary users are not compatible if you are concerned about distinguishing certain plaintexts. If you are not concerned about these types of attacks, then it can be safe.

If the data is only de-duplicated for a certain user, the server doesn't know anything about the equivalence of plaintexts and the attacks that remain are really minor.

If the data is de-duplicated between a circle of friends that share something that isn't known to the service provider (doable automatically), only people from that circle of friends can distinguish plaintexts (via timing etc.).

But if the data is de-duplicated between all users, all the hypothetical attacker, who wishes to know which plaintexts are accessed, needs to do is to store the file to the cloud themselves and then monitor which user accounts are accessing the same data. Sure, the service can just "not log" the user accounts / IP addresses accessing the data - but that has nothing to do with encryption then and the same "protection" would remain even if the files were plaintext.

None of the other answers given here seem to propose anything that would stop this attack and I believe Bitcasa does not either. I would be glad to be proven wrong though.

(Note: There are some ways to possibly achieve something close to this - there have been quite a few papers published about secure cloud storage using all sorts of innovative techniques - but these are new research and most of them will probably be broken or shown infeasible rather fast. I wouldn't trust my data on any of them yet.)

Answer 6

The same question was asked at the cryptography stack exchange. Please see my answer there, as there is a subtlety that is easy to overlook and that has been carefully analyzed by the Tahoe-LAFS open source project: https://crypto.stackexchange.com/questions/729/is-convergent-encryption-really-secure/758#758

Answer 7

Aside from the great answer @Misha just posted on the 'known hash', client side encryption effectively removes any other way to do de-duplication unless there is an escrow key, which would potentially cause other logistical issues anyway.

Answer 8

you totally right! Using just convergent encryption is not a good choice, even for non-original files https://tahoe-lafs.org/hacktahoelafs/drew_perttula.html Fortunately, looks like there is a solution to combine encryption and deduplication. It's called ClouDedup: http://elastic-security.com/2013/12/10/cloudedup-secure-deduplication/