Linked by Thom Holwerda on Tue 24th Apr 2012 17:39 UTC
Well, this has been a very, very long time in the making. Google has finally unveiled its big Dropbox competitor: Google Drive. You start with 5GB for free, and you can go all the way to 1TB for $50 per month. This is a big deal for many (if you were to use rumouring as a gauge), but all I can think of is this: why on earth would you entrust your files to a company - any company - whose sole interest is extracting money from you, and who, to boot, is subject to crazy American laws?
Time for a cryptography update...
by minifig404 on Tue 24th Apr 2012 21:26 UTC

This comment assumes the following as background:
https://en.wikipedia.org/wiki/Secret_sharing
https://en.wikipedia.org/wiki/Secure_multi-party_computation
https://en.wikipedia.org/wiki/One-time_pad
https://en.wikipedia.org/wiki/One-time_password
https://en.wikipedia.org/wiki/Byzantine_Fault_Tolerance

Now. You want an unbreakable remote storage? You need some parts.

1, You need 3+ computers. Grab some Raspberry Pis, secure them in the usual manner. For better security, each of them should run a different OS (different versions of Linux don't count, Linux + BSD is possibly OK). These computers will store your data via a secret sharing scheme with a threshold. If the adversary breaks into more servers than the threshold, they can discover the files. Hence the OS diversity. The client will need to access these servers in turn in order to get the files. Note that you need at least 3 computers so that 1/3 of them can fail in any arbitrary manner, and this puts an upper limit on the threshold for secret sharing.

2, You need a One-Time Password mechanism. There are several sites that sell OTP generators. Trick is, I don't know what algorithm they use. The security of this system is entirely in the quality of the RNG used. This authentication system can be tricked if someone steals your OTP generator or if someone can predict the next password given the current one. OTP systems work by the server storing the seed and running the generator, so in order to make the auth system work securely, SMPC is required.

If you don't like that version of 2, you can try:
2, You need a Zero-Knowledge proof system that asserts your client knows something without telling the server what that thing is. Hamiltonian Circuit looks fun, if the graph is never transmitted.

3, You need some way of communicating securely. The bullet-proof version is One-Time Pad. I won't say another word about the infeasibility of that. Most internet traffic uses TLS, and if this is used, all computers should have certs from a trusted authority. Alternatively, you can use Diffie-Hellman Key Exchange to get a symmetric key, and use AES or whatever.

Reply Score: 2