The fuzzy mud puddle test: can your cloud storage provider access your encrypted data?

July 27, 2012
3

Cloud storage providers (like Dropbox, iCloud or SpiderOak) store your data in encrypted form. But depending on who stores the decryption key (and how), the cloud storage provider may still be able to decrypt your data, and hand it over to law enforcement on request. For a laymen this is hard to tell, so Matt Green introduced the mud puddle test to determine whether a cloud service provider has access to your data or not. The test (as it stands) is a bit imprecise though and can lead to false positives.

The original test runs like this:

  • First, drop your device(s) in a mud puddle.
  • Next, slip in said puddle and crack yourself on the head. When you regain consciousness you'll be perfectly fine, but won't for the life of you be able to recall your device passwords or keys.
  • Now try to get your cloud data back.

Did you succeed? If so, the cloud storage provider has access to your (unencrypted) data. (If not, you have learned nothing: even though youmay not be able to recover your data, this does not necessarily mean the cloud storage provider cannot --- although from a customer service perspective that would be highly unlikely...)

The test is imprecise, because success is also claimed if you recover the data after answering some security questions (like a 'significant date', 'name of your first pet', etc.). A student of mine and I have shown however that such password recovery protocols can be implemented securely. This means the test may falsely claim a cloud service provider has access to your data while in fact it may not.

Currently, this is a moot point: it is highly unlikely that current implementations of such password recovery strategies are secure. But it is certainly possible to implement a cloud storage service where the service has no knowledge of the encryption key whatsoever, while still implementing a recovery scheme allowing a customer to regain access to his data. (Maybe some Internet startup should implement this...)

Of course, the big question then becomes how to tell good and bad implementations of such recovery schemes apart. I propose the following fuzzy mud puddle test

  • First, drop your device(s) in a mud puddle.
  • Next, slip in said puddle and crack yourself on the head. When you regain consciousness you'll be perfectly fine, but won't for the life of you be able to recall your device passwords or keys or secrets associated (not shared) with your cloud storage provider.
  • Now try to get your cloud data back.

Did you succeed? If so, the cloud storage provider has access to your (unencrypted) data.Cloud service providers that offer a password reset service pass the test: they have access to your data. This includes Dropbox. SpiderOak fails the test (and may be more private as a result). Services that use additional security questions fail the test as well. In practice this may still mean that they do have access to your data.

The test also works for other cloud based service. For example, Skype offers a password reset service. This means Skype can recover your profile data (assuming it is encrypted in the first place). As explained by Chris Soghoian, this means Skype can, in principle, get access to the content of your Skype calls.

P.S.: This all assumes of course that a strong enough encryption scheme is used to encrypt the data in the first place.

In case you spot any errors on this page, please notify me!
Or, leave a comment.
De generaal en het meisje. Wat ze ons leren over surveillance, privacy, en veilige communicatie. « Jaap-Henk Hoepman – on security, privacy and…
, 2012-11-15 09:25:27
(reply)

[…] folder bestanden voor elkaar achter te laten. Maar pas op welke cloud service provider je kiest. Het is pas echt veilig als je je bestanden echt kwijt bent als je PC of mobiel stuk is en je je […]

Pantsercloud beschermt niet tegen boter op het hoofd. | Jaap-Henk Hoepman - on security, privacy and…
, 2013-09-23 16:22:22
(reply)

[…] als we dan al een cloud dienst willen opzetten, dan graag een cloud die faalt voor de fuzzy mud puddle test: als de gebruiker zijn computer verloren heeft en zijn wachtwoord vergeten is, krijgt hij nooit […]

Apple has taken a first step. Now it needs to pursue its privacy pledge. // Jaap-Henk Hoepman
, 2015-08-04 10:34:30
(reply)

[…] there is iCloud. Like most cloud services it is not secure. The information Apple provides about iCloud security is misleading, claiming that for many of the […]