Cryptology ePrint Archive: Report 2017/570

Assessing the No-Knowledge Property of SpiderOak ONE

Anders P. K. Dalskov and Claudio Orlandi

Abstract: This paper presents the findings of an independent security review of SpiderOak ONE, a popular encrypted cloud storage application. In this application, the storage provider claims that, since all the users' data is password encrypted and the password never leaves the client, even the storage provider cannot learn any information about the users' data.

After providing a formal description of the key design choices in the reviewed application (e.g., how user's accounts are registered, how new devices are registered, how and what cryptographic keys are used, how file encryption is handled, etc.), we present a number of vulnerabilities that can be exploited by a malicious storage server to break, to different degrees, the confidentiality of the users' password and therefore the users' data.

Our findings have been communicated to SpiderOak in April 2017. The vendor promptly replied to our concerns by releasing an updated version of the application (v. 6.3.0, June 2017) which resolves most of the issues described in this paper.

Category / Keywords: applications / Cloud storage, end-to-end encryption, SpiderOak

Date: received 12 Jun 2017

Contact author: anderspkd at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20170614:205210 (All versions of this report)

Short URL: ia.cr/2017/570

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]