This Message Will Self-Destruct …

July 21, 2009

I’ve talked a few times here, most recently yesterday, about some of the risks associated with the move to “cloud computing”, where applications and data reside on the Web, and are accessed through a Web browser, rather than being stored locally on the user’s PC.  One of the concerns with putting data on a Web host is its security: whether it will be adequately protected, and accessible when you need it.  Of equal concern in some situations is that there may be no reliable way of making sure that data is deleted.  E-mail messages are an example: when you send a message to someone else, it typically is passed along via a number of intermediate mail servers.  (You can see this by setting your mail program to show all mail headers, and looking for the lines that begin with “Received:”.)  You generally have no control over this dynamic routing, and it is not guaranteed to be the same for a message sent to the same destination a few seconds earlier or later.  Any of the servers through which the mail passes may retain a record of the message in its system logs, something you also cannot control.  Standard E-mail has been appropriately compared to a post card written in pencil, as far as security and privacy are concerned.

The New York Times has an article about a new approach to handling sensitive information on the Web and in E-mail.  A group of computer science researchers at the University of Washington have developed a new software tool called Vanish, which encrypts data with a secret key, and stores the key in a way that ensures it will disappear after a period of time, making the data unreadable:

… the researchers said they had struck upon a unique approach that relies on “shattering” an encryption key that is held by neither party in an e-mail exchange but is widely scattered across a peer-to-peer file sharing system.

This approach differs from the more conventional approach of encrypting data, because anyone who has the Vanish software and access to the encrypted data can decrypt it during the lifetime of the key.  Once the lifetime has passed, though, no one (including the originator) can decrypt it.  A potential advantage of this is that it does not require the user to rely on a third party to maintain the protection:

The significance of the advance is that the Vanish “trust model” does not depend on the integrity of third parties, as other systems do. The researchers cite an incident in which a commercial provider of encrypted e-mail services revealed the contents of digital communication when served with a subpoena by a Canadian law enforcement agency.

The secret encryption key, which is not known to any of the participants in the conversation, is broken into pieces and stored in a distributed hash table, using a public file sharing service, Vuze (formerly called Azureus).  The nature of the service, where machines enter and leave the network regularly, ensures that the lifetime of the key is limited; and once the key is no longer available, the data is effectively gone.
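As an added illustration of the mechanism just described (example code, not the Vanish project’s own): the data is encrypted under a fresh key, the key is shattered into n shares of which any k rebuild it, and the shares are pushed into a DHT with a time-to-live; once too few shares can still be retrieved, the data is unrecoverable even to its author.  The Shamir threshold sharing, the hash-derived keystream and the plain dict standing in for the Vuze DHT are assumptions of this example.

```python
import hashlib
import secrets

P = (1 << 127) - 1  # prime field for the Shamir share arithmetic

def split_secret(secret, n, k):
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def recover_secret(shares):
    # Lagrange interpolation at x = 0; needs k distinct shares.
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * -xj % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def xor_stream(key, data):
    # Hash-derived keystream: a toy stand-in for a real cipher, not Vanish's.
    ks = b"".join(hashlib.sha256(key.to_bytes(16, "big") + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def share_index(access, x):
    # Where share x lives in the DHT; only holders of the locator can find it.
    return hashlib.sha256(access + bytes([x])).hexdigest()

def encapsulate(dht, plaintext, n, k, ttl, now):
    # Encrypt under a fresh key, shatter the key into the DHT with a TTL, forget it.
    key = secrets.randbelow(P)
    access = secrets.token_bytes(16)  # share locator; travels with the ciphertext
    for x, y in split_secret(key, n, k):
        dht[share_index(access, x)] = (y, now + ttl)  # dht: constructed dict with expiry
    return access, n, k, xor_stream(key, plaintext)

def decapsulate(dht, capsule, now):
    # Gather shares that have not expired; None once fewer than k survive.
    access, n, k, ciphertext = capsule
    shares = []
    for x in range(1, n + 1):
        item = dht.get(share_index(access, x))
        if item and now < item[1]:
            shares.append((x, item[0]))
    return xor_stream(recover_secret(shares[:k]), ciphertext) if len(shares) >= k else None
```

Node churn has the same effect as expiry: in the toy DHT, deleting enough share entries below the threshold k makes `decapsulate` return `None` just as the timeout does.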

The authors suggest that the Vanish system might, after further development, be used as a partial substitute for telephone calls; for example, many people will telephone a colleague to communicate a piece of sensitive information, not wishing to entrust it to E-mail:

In many ways Vanish begins to approximate the ephemeral nature of a phone call. While our system is still a research prototype and we encourage people to treat it with a skeptical eye for now (like any new security system), one could envision it or a derivative being used in corporate settings, when talking with lawyers, or when conducting a variety of private matters online.

You might use this as a way of distributing account information, for example.

The demonstration system can be used for E-mail, but is also usable for other types of Web-resident data.  The project overview page has a selection of examples, along with a demonstration video, and an overview of how the system works.  The technical paper [PDF] describing the system, which is scheduled to be presented at the 18th USENIX Security Symposium, gives more details of the implementation.  The demonstration software is available for download, and there is also documentation available.

It’s good to see that the growing realization of the pitfalls of cloud computing is stimulating some original work to address them.
