About Encryption

29 12 2014

Would you like to be able to use QR-Codes in order to let people quickly get some sensitive information, but also want to be able to restrict the number of people with access to the data? And what about iWork documents containing personal data? Is there a way to securely manage them?

IMG_3645-2.PNG

If you use an app like Qrafter by Kerem Erkan you may have the idea to use password-protected QR-Codes for sending sensitive data e.g. via mail or a messaging app like iMessage.

IMG_3322.PNG

The idea seems to be fascinating but let’s face the facts with an answer of the developer Kerem I got via E-Mail:

The encryption is 48-bit, meaning it is weak for any sensitive information. More secure encryption methods take too much data and QR Codes do not have such capacity. You should not use QR Code encryption for anything sensitive.

For the sake of security, it’s hard to beat the old-school, in-person hand off. It’s not the most sexy of options in the digital age, but surely there’s something titillating about a top-secret document hand off. Bring your briefcase and make it like a spy movie. Or don’t.

Don’t send your sensitive documents over email. It may seem private, but even if you’re using an email account that uploads attachments over a more secure HTTPS connection, like GMail, you have no control over your recipient’s server, and they may download your attachment from an unencrypted HTTP connection. Now say they did that from a public Wi-Fi network. Things just got very un-secure.

Some basics …

If you want your data to be NSA-resistant all files must be encrypted on your device before being transferred to the cloud. Your password should never be stored on your device or, if it’s stored there should never leave it. So no unauthorized user, not even employees of your provider, could ever access your data. Client-side encryption is the keyword.

Since encryption occurs before files leave your device it effectively wraps a protective wall around your data in the cloud. Employees then have very limited access to your data. They can only see how many files you have stored and how much storage space they occupy. The files themselves, as well as all metadata (folder names, file names, comments, preview images, etc.), are encrypted. The following chart illustrates three typical encryption schemes. The scheme in the middle is what is used by most cloud storage providers.

IMG_3323.PNG

What matters most when encrypting data is not the particular encryption algorithm (e.g. AES), but how it is used. Basically, there are three encryption schemes:

  • 1 None
    No encryption is used. Your data is sent to the storage in plain view, visible to anyone who has access to your network connection as well as to the storage provider. This is a little bit like sending someone a postcard: everyone involved in handling the postcard can read it.
  • 2 Encrypted connection (e.g. SSL)
    In this scheme, a secure channel is established between your computer and the storage provider before data is uploaded. That way, no one can eavesdrop on the transfer. However, the provider sees all your data. Often storage providers implement additional measures like creating corporate policies that disallow their employees to view your data. Another additional measure is using encrypted disks to store your data, so someone breaking into the data center and stealing the hard drives won’t be able to read it. However, it is still visible to the provider and its employees. This approach has the advantage that the provider can process your data for you, such as for creating a search index. Also, it is technically easy to make the data available in the web browser or through an API. The problem with this approach is that your privacy is limited. The storage provider can, for example, be forced to provide your data to a government agency. What’s more, employees will be able to read your data even if prohibited by company policies. It is also much more likely that bugs or other errors could result in data leaks. This is the most widespread approach implemented by cloud storage providers.
  • 3 Client-side encryption
    This approach is inherently more secure than the others. Apart from Box and Wuala, there are only a few other cloud storage providers following this scheme, mostly backup services. All data is encrypted locally on your device before it is uploaded. No one not explicitly authorized by you can see your data. Since not even the storage provider can see your data, they cannot be forced to hand it over to government agencies. The employees are also not able to read your data. As a side effect, it is impossible to recover your password in case you forget it. You can test your cloud storage provider’s security by checking whether they offer password recovery or password reset. If yes, then it does not employ client-side encryption. With client-side encryption, security is embedded deeply in the design of the storage.

    One of the main challenges with client-side encryption is key management. If you only want to back up, a single master key is enough. However, if you want to be able to share data selectively, your cloud storage must feature a sophisticated key management scheme.

With this in mind here is a more secure method to store sensitive data permanently or to exchange information with others.

Use a secure cloud storage, e.g. WUALA or BOX or an encryption software like BOXCRYPTOR and send the information as an encrypted file, a simple text message, a PDF file, or an iWork document.

Say you and your tech-savvy recipient set up a shared folder. Anything you put in that folder would travel encrypted from your folder to the provider’s servers to your recipient’s folder. That’s it.

Boxcryptor …

You use a cloud storage with standard, that means no, additional sevcurity?
Don’t worry. There is a solution for all well-known clouds including all other clouds which support the WebDAV protocol. It’s an application developed by the German company Secomba GmbH.

This video explains how Boxcryptor works.


(2:36 min)

Boxcryptor creates a virtual drive on your device that allows you to encrypt your files locally before uploading them to your cloud or clouds of choice. It encrypts individual files – and does not create containers.

IMG_3324.PNG

Any file dropped into an encrypted folder within the Boxcryptor drive will get automatically encrypted before it is synced to the cloud. To protect your files, Boxcryptor uses the AES-256 and RSA encryption algorithms.

Boxcryptor is free for one device and one cloud provider. You cannot use two iOS devices to manage encrypted files as long as both devices are linked to Boxcryptor. If you want to share encrypted files with others you can do that without a subscription.

A workaround …

You cannot turn off iCloud for individual iWork documents. So, creating a new document with sensitive data is a risk because the content automatically finds its way into iCloud.
Even if you turn off iCloud for documents but still use iCloud for backing up your device, your documents will be stored in iCloud and Apple has the key to decrypt them.

Here is a workaround which lets you manage encrypted iWork documents using Boxcryptor.

IMG_3325-0.PNG

This is definitely not a comfortable way but the only option to keep sensitive information away from unauthorized people. Even if government comes knocking there is no chance to decrypt your data regardless of the provider keeping your files. I would understand if you say “I hear the message well but lack faith’s constant trust.”.

Summary …

Sad to say that effective encryption is still not a standard feature of using cloud storages. Even Apple doesn’t use client-side encryption and so you should be careful when creating documents with sensitive data. Even if you deactivate syncing via iCloud your documents will find their way into the cloud when your iPad or iPhone initiates the next backup to iCloud.

Related links …

About QR-Codes

Mystic signs of progress

About encryption

Notes on encryption

About clouds

The cloudy iCloud

Risky free clouds

iOS cloud clients

Box for iOS

Thanks for flying with iNotes4You.





Merry Christmas

24 12 2014

May the message of Christmas fill your life with joy and peace. Best wishes to you and all your beloved family members.

IMG_3680.PNG

Christmas also can give an occasion to all non-Christian people to think about peace, social equity, human dignity, and happiness in their near and far surroundings.

All the best to you for the upcoming New Year 2015.

The New Year is the time of unfolding horizons and the realization of dreams, may you rediscover new strength and garner faith with you, and be able to rejoice in the simple pleasures that life has to offer and put a brave front for all the challenges that may come your way.

Stay hungry, Stay foolish, Think Differently

Mobiles can help to

Power on your brain.

To all the friendly people living in the home country of my wife …

สุขสันต์วันคริสต์มาส

Note
I created the mind map with iThoughts for iOS by toketaWare, UK. See an app review here …

iThoughts, Redesigned, Reengineered, Re-everythinged





Innovation takes time

17 12 2014

The mobile market is fiercely competitive. Customers expect ongoing innovation and many of the captious critics do not accept that real innovation takes time.

IMG_3232.JPG

In some way innovating today seems to be like car racing. There is a free practice, a qualifying, and the final showdown, aka race.
Some Asian companies are #1 in the qualifying but a well-known wisdom saying teaches us

to finish first you have to finish first
… your products!

Customers don’t like three iterations of a wearable device within one year.
I’m talking about the Samsung Galaxy Gear watch.

Innovation can be seen as added value given to every iteration of already existing products.

So

Don’t upset the Apple car!

It’s running steadily towards the chequered flag of the Grand Prix of Mobiles. Long-distance races are won by sophisticated technology based on simplicity.

Related links …

About Innovation

Thanks for surfing by.





Apple’s Sponsoring

11 12 2014

Steve Jobs was into Porsche. Folklore tells how Steve wanted the first Mac to look like the Porsche 928 he was driving. There is also the legend of how Steve gave examples of his favourite Porsche Design watch away, to those he thought could recognize good design when they saw it.

IMG_3237.PNG

The love of Steve Jobs for German cars and motorcycles is well known. In the lobby of the building Bandley 3 in Cupertino, where he worked the Macintosh team, Steve had installed a BMW motorcycle , because it was the inspiration for its designers.
As the ’90s onwards guide him exclusively Mercedes, a young Jobs was a real fan of Porsche. In 1984 he gave a best seller of Macintosh in the United States while four years earlier, in 1980, sponsored a Porsche 935 K3 Apple Computer participated in the 24 Hours of Le Mans and managed by the American Dick Barbour Racing Team.

Dick Barbour Racing has been a magnet for some of the world’s best and most popular drivers including Brian Redman, Rolf Stommelen, John Fitzpatrick, Paul Newman, Rick Mears and Johnny Rutherford. Foremost Dick Barbour’s long lists of accomplishments are his team’s 3 consecutive overall or class wins at the 24 Hours of Le Mans and 12 Hours of Sebring.

Related links …

About some similarities between Steve Jobs and Ferdinand Porsche and both companies …

Going Apple

Apple and Porsche

Thanks for stopping by.





iParking

4 12 2014

This blogpost is about an admired German car and the invention of intelligent parking by Apple.

Software engineer Randy Adams worked at NeXT before heading to Adobe, where he co-created Acrobat, and the PDF. At that time, he and Jobs both ran Porsche 911s. To avoid car-door dings, they parked near each other, taking up three parking spaces between them.

IMG_3234.PNG

One day, Steve rushed over to Randy’s cubicle and told him they had to move the cars.

Randy, we have to hide the Porsches. Ross Perot is coming by and thinking of investing in the company, and we don’t want him to think we have a lot of money.

They moved the cars around to the back of NeXT’s offices in Palo Alto. Perot invested $20 million in the company in 1987 and took a seat on the board.

Thanks for dropping by.








%d bloggers like this: