One consequence of the Snowden affair is a renewed interest in encrypting public cloud data. Governments and vendors are in on the act.
It looks as if the NSA has declared open season on overseas traffic and has developed capabilities for capturing huge amounts of data, including almost all intercontinental fiber traffic and mobile communications.
Needless to say, the reaction from foreign governments has been less than positive, even though their own intelligence services must have known the extent of the data gathering.
We might expect the president to issue guidelines to “clarify” what can or cannot be kept, but the reality is that even he may not know the full extent of NSA’s activities. After all, this is the organization that, banned from gathering domestic intelligence, put together a shadow service called "Echelon" with the United Kingdom and others that had no such ban. By law, anything gathered by overseas agencies could be fed back to the US, essentially nullifying the ban.
The CEOs of the large cloud service providers (CSPs) recently met with President Obama to explore ways to mitigate what they fear will be a $35 billion loss of business due to a reluctance to trust in US-based sites.
The CSPs are already in damage control mode. Following Amazon Web Services' lead, they have announced that data stored in their systems will be encrypted, with Google offering to double encrypt, once with its keyset and then with a user-owned key.
On the surface this looks like a big step forward in security. But a bit of research indicates that it’s just a bright pink form of lip-gloss! The keys owned by Google are probably accessible to the NSA under current laws and agreements.
We are back to a single encryption method: AES-256. Using the technique at the heart of ULTRA, the first computer-based codebreaking effort, in World War II, a brute force attack to break the encryption is relatively easy.
People are structured in the way they form messages, with common phrases such as "To Director of National Intelligence Clapper" at the beginning. Data files are even more predictable, with header structures that are easy to guess. The trick is to encrypt all of the likeliest phrases and compare them with the cipher text. Rumor has it the NSA can break a cipher key in a few minutes!
So much for the CSPs’ plan. Worse, it doesn’t protect data in transit. The NSA listens to a huge portion of the world’s Internet traffic. They admit to only 1.6 percent, but once streaming and vendor websites are excluded, that 1.6 percent is most of the remaining traffic.
At this point, you must be wondering if the cloud is safe for anything. You must assume that data will be captured and reviewed, so you have to tackle the problem.
All is not lost. It’s easy to encrypt your cloud traffic over the Internet, but brute force decryption remains a risk. If all the command messages are encrypted using the same key as the data, you’ve just exposed many fixed-format messages.
To be safe, you need to use hardened encryption such as RSA for the control messages. This isn’t too costly in compute time, but it does require the CSP to cooperate, and that might be impossible in the US with today’s regulations.
The data part is easier. Just encrypt the data three times with AES-256, using different keys. For extra security, add a block or two of meaningless padding at the start of each file, and/or super-encrypt the data with a totally different algorithm.
There is more bad news. It doesn’t matter where the CSP lives. This is not just a US problem. China, Russia, and most of the EU are interested in those files, too. Everyone worldwide is going to have to address this, and it isn’t just a cloud issue, since data between computer centers can be captured as well.
How worried are you? Are you going to continue business as usual, abandon your cloud services, or add more security controls to protect your data? Let us know in the comments below.