Paper 2017/570
Assessing the No-Knowledge Property of SpiderOak ONE
Anders P. K. Dalskov and Claudio Orlandi
Abstract
This paper presents the findings of an independent security review of SpiderOak ONE, a popular encrypted cloud storage application. In this application, the storage provider claims that, since all the users' data is password encrypted and the password never leaves the client, even the storage provider cannot learn any information about the users' data. After providing a formal description of the key design choices in the reviewed application (e.g., how users' accounts are registered, how new devices are registered, how and what cryptographic keys are used, how file encryption is handled, etc.), we present a number of vulnerabilities that can be exploited by a malicious storage server to break, to different degrees, the confidentiality of the users' password and therefore the users' data. Our findings were communicated to SpiderOak in April 2017. The vendor promptly replied to our concerns by releasing an updated version of the application (v. 6.3.0, June 2017) which resolves most of the issues described in this paper.
Metadata
- Category
- Applications
- Publication info
- Preprint. MINOR revision.
- Keywords
- Cloud storage, end-to-end encryption, SpiderOak
- Contact author(s)
- anderspkd @ gmail com
- History
- 2018-01-11: last of 2 revisions
- 2017-06-14: received
- Short URL
- https://ia.cr/2017/570
- License
- CC BY