The New Age of (Self) Encryption
Data breaches happen daily around the globe and third parties either have no legal duty, or worse, just don’t care about making sure your data is securely encrypted. Here at MaidSafe, our core values are privacy and security and as a result, these principles are central in how we design and build the SAFE Network. And self-encryption is no different.
First things first, what is self-encryption?
It is a version of convergent encryption with an additional obfuscation step….what?!
Let’s take a few steps back. If we remove the prefix ’self’ for the moment, you have encryption — a way of concealing information using a mathematical approach to obfuscate, so that only those intended to see the files can gain access. Sounds good right?
This is already a common practice by cloud-based solutions such as Dropbox. They encrypt all data in transit using Secure Sockets Layer (SSL)/Transport Layer Security (TLS) between Dropbox apps and its servers. Once it reaches Dropbox servers, it is then encrypted with 256-bit AES, which is an industry recognised standard and (almost) impossible to crack without the encryption key.
So you might be thinking, “surely these solutions already encrypt my data so why do I need anything else?”. However they don’t provide client-side encryption which means you, the client, encrypts the file before it leaves your computer (although with Dropbox you can add your own encryption) they, the third party, manage the encryption keys along with your data. There are a couple of issues with this. First, the way data is stored on some cloud solutions means that your files are decrypted as soon as you log in. Why is this a problem, surely this makes the user experience more seamless as you don’t need to take any extra steps? The problem arises if someone has access to your password. They can access your files — the encryption is now pointless and doesn’t offer you any protection.
However, a second more sinister issue is Man in the Cloud attacks. Here, a hacker doesn’t need your passwords. They simply access your computer, steal the synchronization tokens which are provided by the company to identify you as a user, and then place them on different computers. Because these cloud solutions cannot identify if the token is being used on another machine, this will go unseen. Therefore the hacker will then not only have access to the documents but also control your entire drive. Yikes!!
And last but not least, anyone who grants a third party responsibility for managing the safety and security of your data is troublesome, and we don’t need to tell you why.
So we earlier mentioned that Self-encryption is a version of convergent encryption, which is also known as a content hash keying which creates identical ciphertext from an identical plaintext file. It contains some applications in cloud computing to eliminate all duplicate files from storage services, without a provider needing to have access to encryption keys.
Self-encryption is something new because it has no keys. A file is encrypted using its own contents as keys for encryption. After encryption, a Data Map is generated and this Data Map is used for decryption. And why is this so important? Because crucially, it ensures that all of your private data stored on the Network is unrecognisable and only those with the correct credentials and the relevant Data Map can fetch the chunks, decrypt them and put them together. And even if an encryption algorithm is compromised, a hacker won’t be able to decipher the data. Cool huh?!
Let’s Take An Example
Right so how does this work? Things are always easier with an example, so let’s say Bob has a Word doc he’d like to store on the Network. The Network takes this file and divides this up into a minimum of three chunks; Chunk 1, Chunk 2, Chunk 3. From this, the system creates a Data Map. A Data Map lays out the pre and post encryption details and the location of each chunk to enable Bob to retrieve his files whenever he likes. And, the Data Map can be run through the self-encryption process too.
So once each chunk has been hashed and documented on the Data Map it goes through the encryption process. To do this, the Network encrypts using the algorithm AES 256 encryption protocol and hashes each chunk. And this is where the additional obfuscation step comes in. So the hash of C1 is encrypted with the hash of C2, C2 is encrypted using the hash of C3 and C3 is encrypted using the hash of C1. To further obfuscate the data, every chunk is passed through an XOR function using the hashes of other chunks. So C1 would be XOR’ed with the hash of C2, and C3. And the hash of C2 would be encrypted with the XOR of C3 and C1 and…you’ve probably worked out how C3 would be encrypted. The output is then documented on the Data Map, which also can be run through the Self-encryption process.
All this happens on Bob’s computer so that his data is already encrypted before it hits the Network and only Bob with his Data Map can access and decrypt his file. And this happened instantaneously, with no disruption to how Bob would normally store a file.
If Bob had bigger files (for example a file full of photography), this would automatically split into chunks and distributed autonomously across the decentralised network. This means larger data files are not stored in one central place, adding another level of security.
So there we have it. Self — encryption, the way the SAFE Network will solve issues with existing encryption solutions, based on trusted cryptography and a way for you to truly take control of your data.
If you are new to SAFE and are interested in understanding more about what we’re doing to make the world a better place, join us on the Forum.
