On End-to-end encryption for Cloud-based Services

Cloud-based services are now an integral part of everyday lives of many users. Indeed, users who do not use Facebook, Gmail, Dropbox, GoogleDrive, QQ, Baidu or similar services are now a rarity. These services offer seamless integration of user data with multiple user-owned devices, reliable online backup, and enable easy and instant communications between users. Such features, at an affordable price of zero dollars, make these services very popular, even though they are an antithesis to user privacy, and help create large-scale surveillance programs such as NSA PRISM. Several mechanisms have been proposed and implemented to make these services privacy-friendly. Most past proposals rely on public key systems with user-managed private keys, or password-based symmetric encryption. We explore a symmetric-key approach without password-derived keys to facilitate end-to-end encryption of stored user data (e.g., cloud storage) and communication messages (e.g., web-based email). We propose Keyfob, a key management scheme for easy key transfer between user-owned devices, and between users. Keyfob uses high-entropy random keys for encryption instead of password-derived keys, and leverages DH-EKE (Bellovin and Merritt, IEEE S&P 1992) with weak secrets for secure key transfer. Each user needs to manage one user-master key, and all other keys are derived from that master key or a pair-wise shared master key. We implemented Keyfob as a Firefox extension using the Firefox Sync service, which implements an EKE variant. Keyfob can make several applications and services privacy-friendly, if appropriate intermediate layers are implemented, e.g., as plugins between a target cloud-service application and the Keyfob extension. We have implemented two such plugins to support encrypted Dropbox (in desktop and Android) and Gmail (in desktop). Our hope in proposing Keyfob with a symmetric-key approach is to highlight challenges in such a lesser-explored mechanism, and attract researchers towards the long-standing problem of enabling end-to-end encryption in a cloud-dominated environment

Implementing Client-Side File Encryption for an Enterprise Document Management Platform

M-Files is a document management platform used by enterprise customers. Customers may wish to use M-Files for sensitive documents, the confidentiality of which cannot be trusted with third parties. To this end, a system should be implemented that enables a customer to use M-Files for managing such documents, without requiring trust in the security capabilities of M-Files. This thesis examines how client-side file encryption can be implemented for M-Files. This thesis proposes the M-Files Confidential Document System (MFCDS), a client-side file encryption system. A customer of M-Files can use the MFCDS to create confidential documents, that are encrypted on the client side with keys owned by the customer. The system is integrated as part of the web client of M-Files, using browser-based technology. An implementation plan for the MFCDS system is presented. Hybrid encryption is used to enable users to share access to encrypted files using public key cryptography. More efficient symmetric cryptography is used for encrypting files. User keys are stored in a remote key management system, owned by the customer. The key management system is accessed via a web API, that implements a simple protocol for key management. The protocol enables envelope encryption and public key infrastructure with user keys. The proposed implementation plan is followed to its completion, and a proof of concept is implemented. The protocol of the key management API is defined and the API is implemented as a cloud application on the Azure cloud computing platform. The client-side implementation entails changes to the web client of M-Files. The built-in browser-based cryptography module Web Crypto is used for cryptographic algorithms on the client side. A simple user interface is implemented to demonstrate the system in practice. The efficiency of the implementation is evaluated with performance tests. It is found that the implementation provides good performance for files of a moderately large size. The performance was also found to scale well when the system is used to share encrypted files with hundreds of users

Securing email through online social networks

Despite being one of the most basic and popular Internet applications, email still largely lacks user-to-user cryptographic protections. From a research perspective, designing privacy preserving techniques for email services is complicated by the requirement of balancing security and ease-of-use needs of everyday users. For example, users cannot be expected to manage long-term keys (e.g., PGP keypair), or understand crypto primitives. To enable intuitive email protections for a large number of users, we design FriendlyMail by leveraging existing pre-authenticated relationships between a sender and receiver on an Online Social Networking (OSN) site, so that users can send secure emails without requiring direct key exchange with the receiver in advance. FriendlyMail can provide integrity, authentication and confidentiality guarantees for user-selected messages among OSN friends. FriendlyMail is mainly based on splitting the trust without introducing new trusted third parties. A confidentiality-protected email is encrypted by a randomly-generated key and sent through email service providers, while the key and hash of the encrypted content are privately shared with the receiver via the OSN site as a second secure channel. Our implementation consists of a Firefox addon and a Facebook application, and can secure the web-based Gmail service using Facebook as the OSN site. However, the design can be implemented for preferred email/OSN services as long as the email and OSN providers are non-colluding parties. FriendlyMail is a client-end solution and does not require changes to email or OSN servers

USER PERCEPTIONS OF AND ATTITUDES TOWARD ENCRYPTED COMMUNICATION

As people rely more heavily on online communication, privacy becomes an increasingly critical concern. Users of communication services (e.g., email and messaging) risk breaches of confidentiality due to attacks on the service from outsiders or rogue employees, or even government subpoenas and network surveillance. End-to-end encryption, in which anyone cannot read the user's content, is the only way to fully protect their online communications from malicious attackers, rogue company employees, and government surveillance. Although in recent years we have witnessed considerable efforts to push end-to-end encryption into broader adoption, and indeed several popular messaging tools have adopted end-to-end encryption, some obstacles still remain which hinder general users from proactively and confidently adopting end-to-end encrypted communication tools and acknowledge their security benefits. In this dissertation, we investigated the adoption of end-to-end encrypted communication from a variety of user-centered perspectives. In the first part, we conducted a lab study (n=52), evaluating how general users understand the balance between the usability and security for different key management models in end-to-end encryption. We found that participants understood the models well and made coherent assessments about when different tradeoffs might be appropriate. Our participants recognized that the less-convenient exchange model was more secure overall, but found the security of the key-directory based model to be "good enough" for many everyday purposes. In the second part, we explored how general users value the usability and security tradeoffs for different approaches of searching over end-to-end encrypted messages. After systematizing these tradeoffs to identify key feature differences, we used these differences as a basis for a choice-based conjoint analysis experiment (n=160). We found that users indicated high relative importance for increasing privacy and minimizing local storage requirements. While privacy was more important overall, after the initial improvement was made, further improvement was considered less valuable. Also, local storage requirement was more important than adding marginal privacy. Since significant research indicated that non-expert users' mental models about end-to-end encryption led them to make mistakes when using these tools, in the third part of this dissertation, we took the first step to tackle this problem by providing high-level, roughly correct information about end-to-end encryption to non-expert users. In a lab study, participants (n=25) were shown one of several variations on a short tutorial. Participants were asked about their understanding of end-to-end encryption before and after the tutorial, as well as which information they found most useful and surprising. Overall, participants effectively learned many benefits and limitations of end-to-end encryption; however, some concerns and misconceptions still remained, and our participants even developed new ones. The results provided insight into how to structure new educational materials for end-to-end encryption