Thursday, June 16, 2011

Dropbox encrypts the data but keeps the key

Dropbox, a very popular cloud storage service, is at the center of a controversy: the data, advertised as 256-bit AES encrypted, is available to company employees. Indeed, the company keeps a copy of the encryption key for one simple reason: it needs to limit the cost of its storage service. Let us explain, starting from a specific point: storage has a cost.

The amount of data stored therefore has an impact on the company's accounts. To try to limit these costs, Dropbox manages duplicate files at the server level: a file is physically present only once on Dropbox, even if multiple users send it. The benefit to Dropbox is twofold: first, the file is stored only once (and not five, ten, or a hundred times), and second, there is a bandwidth gain, since sending a file that is already present is instantaneous, regardless of its actual size.

The problem is that to check whether a file is already present, it is necessary to analyze it, which is obviously incompatible with encryption. So in practice, as the company recently announced on its website, employees can access your data, even though it is encrypted. Employees can access data such as the size or the name of your files, but also, in some cases, the information contained in your files.
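The conflict between deduplication and encryption can be shown with a small model. This is an added example, not code from Dropbox or from the original post: `DedupStore`, `client_encrypt`, `compare_models` and the sample names are hypothetical, deduplication by SHA-256 of the received bytes is an assumption, and the HMAC-SHA256 keystream is a standard-library stand-in for AES-256.

```python
import hashlib
import hmac
import os


class DedupStore:
    """Hypothetical server store: one physical copy per distinct content."""

    def __init__(self):
        self.blobs = {}   # digest of received bytes -> bytes (physical storage)
        self.files = {}   # (user, name) -> digest (per-user file listing)

    def upload(self, user, name, data):
        digest = hashlib.sha256(data).hexdigest()
        already_present = digest in self.blobs
        if not already_present:
            self.blobs[digest] = data
        self.files[(user, name)] = digest
        return already_present  # True means no new storage was consumed


def client_encrypt(key, plaintext):
    """Stand-in for AES-256: HMAC-SHA256 keystream, random nonce prepended."""
    nonce = os.urandom(16)
    stream, counter = b"", 0
    while len(stream) < len(plaintext):
        block = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def compare_models(document):
    """Return (copies stored when the server can read the file,
    copies stored when each client encrypts under its own key)."""
    readable = DedupStore()
    opaque = DedupStore()
    for user in ("alice", "bob"):
        readable.upload(user, "report.pdf", document)
        # Each user holds a private 256-bit key the server never sees.
        opaque.upload(user, "report.pdf", client_encrypt(os.urandom(32), document))
    return len(readable.blobs), len(opaque.blobs)


if __name__ == "__main__":
    print(compare_models(b"constructed sample document " * 100))
```

When the server can read the content, the two uploads collapse into one stored copy; when each client encrypts under its own key, the server sees two unrelated blobs and the storage saving disappears.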

The problem is the illusion of security that AES encryption creates: if Dropbox's servers are hacked, your data, even encrypted with 256-bit AES, is not protected: the hacker could retrieve the key at the same time as the content. In practice, is this really a problem? Probably not for most users, but it is important to know that the encrypted data is accessible to people other than you, and to remember to use another service if this is important to you.
