You are looking at a specific version 20170614:205210 of this paper.

Paper 2017/570

Assessing the No-Knowledge Property of SpiderOak ONE

Anders P. K. Dalskov and Claudio Orlandi

Abstract

This paper presents the findings of an independent security review of SpiderOak ONE, a popular encrypted cloud storage application. In this application, the storage provider claims that, since all the users' data is password-encrypted and the password never leaves the client, even the storage provider cannot learn any information about the users' data. After providing a formal description of the key design choices in the reviewed application (e.g., how users' accounts are registered, how new devices are registered, how and what cryptographic keys are used, how file encryption is handled, etc.), we present a number of vulnerabilities that can be exploited by a malicious storage server to break, to different degrees, the confidentiality of the users' password and therefore the users' data. Our findings were communicated to SpiderOak in April 2017. The vendor promptly replied to our concerns by releasing an updated version of the application (v. 6.3.0, June 2017) which resolves most of the issues described in this paper.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint. MINOR revision.
Keywords
Cloud storage, end-to-end encryption, SpiderOak
Contact author(s)
anderspkd @ gmail com
History
2018-01-11: last of 2 revisions
2017-06-14: received
Short URL
https://ia.cr/2017/570
License
Creative Commons Attribution
CC BY