OmniShare: Securely Accessing Encrypted Cloud Storage from Multiple Authorized Devices

Cloud storage services like Dropbox and Google Drive are widely used by individuals and businesses. Two attractive features of these services are 1) the automatic synchronization of files between multiple client devices and 2) the possibility to share files with other users. However, privacy of cloud data is a growing concern for both individuals and businesses. Encrypting data on the client-side before uploading it is an effective privacy safeguard, but it requires all client devices to have the decryption key. Current solutions derive these keys solely from user-chosen passwords, which have low entropy and are easily guessed. We present OmniShare, the first scheme to allow client-side encryption with high-entropy keys whilst providing an intuitive key distribution mechanism to enable access from multiple client devices. Instead of passwords, we use low bandwidth uni-directional out-of-band (OOB) channels, such as QR codes, to authenticate new devices. To complement these OOB channels, the cloud storage itself is used as a communication channel between devices in our protocols. We rely on a directory-based key hierarchy with individual file keys to limit the consequences of key compromise and allow efficient sharing of files without requiring re-encryption. OmniShare is open source software and currently available for Android and Windows with other platforms in development. We describe the design and implementation of OmniShare, and explain how we evaluated its security using formal methods, its performance via real-world benchmarks, and its usability through a cognitive walkthrough.

[1]  Tommaso Melodia,et al.  U-Wear: Software-Defined Ultrasonic Networking for Wearable Devices , 2015, MobiSys.

[2]  Charles E. Cook,et al.  Linear FM Signal Formats for Beacon and Communication Systems , 1974, IEEE Transactions on Aerospace and Electronic Systems.

[3]  A. W. Roscoe,et al.  Usability and security of out-of-band channels in secure device pairing protocols , 2009, SOUPS.

[4]  Sadie Creese,et al.  Guidelines for usable cybersecurity: Past and present , 2011, 2011 Third International Workshop on Cyberspace Safety and Security (CSS).

[5]  Cas J. F. Cremers,et al.  The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols , 2008, CAV.

[6]  Ramakrishnan Srikant,et al.  Order preserving encryption for numeric data , 2004, SIGMOD '04.

[7]  J. Doug Tygar,et al.  Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 , 1999, USENIX Security Symposium.

[8]  Jeremy Clark,et al.  Usability of anonymous web browsing: an examination of Tor interfaces and deployability , 2007, SOUPS '07.

[9]  Thomas Wu,et al.  The SRP Authentication and Key Exchange System , 2000, RFC.

[10]  Cathleen Wharton,et al.  The cognitive walkthrough method: a practitioner's guide , 1994 .

[11]  Cas J. F. Cremers,et al.  Operational Semantics and Verification of Security Protocols , 2012, Information Security and Cryptography.

[12]  Diana K. Smetters,et al.  Talking to Strangers: Authentication in Ad-Hoc Wireless Networks , 2002, NDSS.

[13]  Christopher Soghoian,et al.  Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era , 2009, J. Telecommun. High Technol. Law.

[14]  Adrian Perrig,et al.  SafeSlinger: easy-to-use and secure public-key exchange , 2013, MobiCom.

[15]  Si Chen,et al.  ${\ssr{PriWhisper}}$ : Enabling Keyless Secure Acoustic Communication for Smartphones , 2014, IEEE Internet of Things Journal.

[16]  J. A. Clark,et al.  Modelling user-phishing interaction , 2008, 2008 Conference on Human System Interactions.

[17]  Qian Wang,et al.  Plutus: Scalable Secure File Sharing on Untrusted Storage , 2003, FAST.

[18]  Guoliang Xue,et al.  The Power of Whispering: Near Field Assertions via Acoustic Communications , 2015, AsiaCCS.

[19]  Craig Gentry,et al.  A fully homomorphic encryption scheme , 2009 .

[20]  Sunghyun Choi,et al.  Chirp signal-based aerial acoustic communication for smart devices , 2015, 2015 IEEE Conference on Computer Communications (INFOCOM).

[21]  Joseph Bonneau,et al.  The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords , 2012, 2012 IEEE Symposium on Security and Privacy.