Cloud Storage Security Challenge: Technical Unveiling

Last Wednesday, our first cloud storage challenge officially ended with an unsurprising result: nobody won the challenge. In this post we’ll provide proof that the data was actually online for the challenge and that we didn’t game the system.  In short, we’re going to prove that this was an honest unwinnable challenge.

The first step is to recover our key from escrow. Remember that best practices indicate that you should escrow your own encryption keys and do so securely. In our case we put both a digital copy (on a thumb drive) and a paper copy in a fireproof safe

Why the paper copy? Because plastics (like CDs, DVDs, and thumb drives) melt and become unusable at a lower temperature than paper – the fireproof safe will stop things from burning but don’t forget that things can melt.

Keep in mind that this is how we chose to escrow our key for this challenge. You should consider several factors when escrowing your own keys. You should keep tabs on who has access to the escrowed keys and the passwords, keep multiple copies of the keys, and protect against possible disaster. You don’t want to lose your key because without that key, your data is completely undecipherable. 

With this key in hand we can directly decrypt any object we encrypted with it. We can also extract the individual session keys for each object.

From our original security challenge page you can see the link to the Amazon bucket for the filer where we stored our prize file.

While it was impossible to determine which one of the files was the prize file, the URL to the prize file is the following:

http://nasunifiler091711366601450206709262414.s3.amazonaws.com/uni64Fb4F30-1276133704-121.1

Download that file and you’ll see it is encrypted, which means you’ll need a key. We could share our private key with everyone to reveal the contents, but alternatively we can reveal the session key for that file. To do that we extracted the session key from the object with our private key:

gpg --show-session-key uni64Fb4F30-1276133704-121.1
…
9:2E6A6186ABF201CBA17D3D8716933BDCAA6D91F71CC150E28263C5D273F431FF

Now the session key can be used to decrypt the object:

gpg -o picture.jpg --override-session-key 9:2E6A6186ABF201CBA17D3D8716933BDCAA6D91F71CC150E28263C5D273F431FF uni64Fb4F30-1276133704-121.1

The resulting prize file (picture.jpg) can then be opened and viewed:

It was really there, and unsurprisingly nobody was able to see its contents.

Fortunately, other than good key escrow practices, you don’t have to worry about all this encryption/decryption magic. The Nasuni Filer will do all this for you, working quietly behind the scenes using your private key(s) to encrypt all your data, each with its own unique session key, before sending it to the cloud.

This completes our Cloud Security Challenge, but this is merely the first of our cloud storage challenges. Stay tuned for more details.