Web-based Attacks on Host-Proof Encrypted Storage

Cloud-based storage services, such as Wuala, and password managers, such as LastPass, are examples of socalled host-proof web applications that aim to protect users from attacks on the servers that host their data. To this end, user data is encrypted on the client and the server is used only as a backup data store. Authorized users may access their data through client-side software, but for ease of use, many commercial applications also offer browser-based interfaces that enable features such as remote access, form-filling, and secure sharing. We describe a series of web-based attacks on popular host-proof applications that completely circumvent their cryptographic protections. Our attacks exploit standard web application vulnerabilities to expose flaws in the encryption mechanisms, authorization policies, and key management implemented by these applications. Our analysis suggests that host-proofing by itself is not enough to protect users from web attackers, who will simply shift their focus to flaws in client-side interfaces. 1 Host-Proof Web Applications The remarkable increase in website attacks in recent years and the consequent loss of sensitive user data has motivated a security-focused redesign of web applications where data is now routinely stored in encrypted form on web servers and only decrypted when needed. This architecture protects users from malicious hackers who may steal a database from the server but will not be able to decrypt it. However, it does not prevent data theft by disgruntled employees, who may have access to the decryption keys. Moreover, since the server application has access to decrypted data and is itself accessible over the web, any vulnerability in its code risks leaking user data to a web-based attacker through standard attacks like cross-site request forgery (CSRF). Server-side encryption may be adequate for casual websites, but users of cloud-based storage and privacyFigure 1: Host-proof web application architecture sensitive applications such as password managers demand stronger security guarantees. For example, when the storage service Dropbox [5] revealed that some of its employees could read user files, it was widely criticized for violating user privacy [15]. Conversely, when the password manager LastPass [7] announced that its servers may have been compromised [16], public reaction was mitigated because of the host-proof [6] design that LastPass implements against this class of attacks. A host-proof web application follows the architecture depicted in Figure 1. Personal data is encrypted on the client using a key or passphrase known by the user, while the web server only acts as an encrypted data store. The full functionality of the application is implemented in the client-side app, which performs all encryptions and decryptions, backs up the database to the server and, only when the user authorizes it, shares decrypted data with other users or websites. Since the server never sees unencrypted data (nor any decryption key, ideally), even if an attacker steals the database from the server, he cannot recover the plaintext without substantial computational effort to brute-force through every user’s decryption key.