Backup forum

A place to discuss Backup software and online services


#1 2022-02-27 23:19:49

Zeke
On hiatus
From: San Francisco
Registered: 2020-07-24
Posts: 44
Website

Private encryption key exposed when logged in?

I read an article several months back about cloud backup security, though I can no longer locate it to provide the link. The author claimed that IDrive's private encryption key becomes exposed to IDrive employees when you are logged into your account via the web. Is this true? I used this site's web search for "private encryption" and got zilch results, BTW. Thanks for anyone's help.


Brindlekin Tales (or "Flaco & Lucky: a Tale of 2 Doggies")
https://zekeblog.wordpress.com/brindlekin-tales/

Offline

 

#2 2022-02-28 01:20:51

SteveA
Administrator
Registered: 2018-02-23
Posts: 417
Website

Re: Private encryption key exposed when logged in?

I've not heard this myself.

IDrive's official line is:

"Should you choose to use a user defined private key for encrypting your data, IDrive personnel will not have access to this key and it will not be stored on the IDrive servers. It is very important that you store your user defined private key in a safe place and maintain this key in printed form for reference. Any data backed up using the Services can only be retrieved using your key and if you forget or misplace this key then your data may not be retrievable. IDrive is NOT responsible for loss of data arising as a result of such cases."

Offline

 

#3 2022-02-28 03:17:24

Zeke
On hiatus
From: San Francisco
Registered: 2020-07-24
Posts: 44
Website

Re: Private encryption key exposed when logged in?

SteveA wrote:

I've not heard this myself.

I wish I had saved the link where it said your private key could be accessed by an employee with admin permission. I can't find anything about this now, after extensive searching.

IDrive's official line is:

Yes, I've already read that before posting my query here. It says no "IDrive personnel" could discover your private key...but does that include admin access? I sent their support service the same question, and it generated a boilerplate reply, which was:

"Private encryption is a user-defined key and is known only to the user. IDrive does not store your private encryption key on its servers. It is recommended that you archive it safely to backup and restore your data."

It did not say something like "even when you log into our web based service." And when they say that your private key is not stored on their server, that does not mean the same thing as possibly intercepting it during the login process.

I think I just needed to understand how encryption works online. The following discussion talks about a "session key," and explains how that can't be intercepted, either:

"Looking at the protocol section of the TLS article on Wikipedia, the two ends carefully exchange just enough information during the protocol setup to lead to an encrypted connection. Basically, at no point is any encryption key sent in the clear."

But still, the article I can no longer find may be talking about the particular way IDrive's website is set up security-wise, vs. other sites that perhaps use a more secure method. So I'm kinda stuck in limbo for now, until I get some more research under my belt.

My subscription renewal is up this coming June, and I am considering switching to another backup service such as Backblaze, Polarbackup, Icedrive or Filen. My backup needs are modest for one person, private use...and it's unlikely I'll ever need even CLOSE to 500 GB storage till the day I slip off into the void.

Thanks for your reply, Steve...I hope you are doing very well.



Offline

 

#4 2022-02-28 11:08:49

SteveA
Administrator
Registered: 2018-02-23
Posts: 417
Website

Re: Private encryption key exposed when logged in?

There's a bit more info here:

How does the private encryption key work? Is it stored on IDrive servers?
- A sample value is encrypted using a one-way encryption mechanism when you provide the key during the first login via IDrive desktop application.

- This encrypted sample value is sent to the server using dynamically salted AES 256-bit encryption.

- The encryption key that you set on your local machine will be further used to encrypt data using industry standard AES 256-bit on the client before it is transmitted to the server.

- The personal key can be decrypted only by the IDrive application. This encrypted sample value on the server is used for validation for future logins.

So while IDrive does not store the encryption key, a sample one-way encryption value is stored to validate future logins. Only the sample encrypted value is transmitted and at no time the key is transmitted to the servers. You can not deduce the key from encryption value as it is a one-way encryption.

Note: IDrive decrypts the file locally; the decryption happens on local clients and not on servers while using Desktop Apps. Now, on the Web or the web based interface situation is slightly different. The process is exactly the same, except that the 'client' here is an 'intermediate processor' and not the desktop. The data is not decrypted on the actual servers that host the data, but on the 'intermediate processor' on the fly and then brought to the browser interface via SSL interface. The 'intermediate' processors are segregated from the servers that host the encrypted data. This is a slight compromise for ease of use. You can avoid accessing private key enabled accounts via the web to avoid this entire process that involves intermediate processors.


So their "intermediate processors" are able to decrypt your data, so your private key must be transmitted to them. If that's over SSL, there's a theoretical possibility that the key could be sniffed, for example on a corporate network where the company uses its own CA to allow https content inspection.

Offline
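
The scheme quoted in the post above, sketched as an added example (not part of the thread and not IDrive's code): a one-way verifier lets a server validate logins without holding the data key, while a web-style intermediate processor has to hold the key to decrypt. PBKDF2, the HMAC labels, the iteration count and every class and function name here are assumptions chosen for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumed work factor, not a vendor value

def derive(passphrase, salt):
    """Return (data_key, verifier): two independent values from one passphrase."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
    data_key = hmac.new(master, b"data-encryption", hashlib.sha256).digest()
    verifier = hmac.new(master, b"login-verifier", hashlib.sha256).digest()
    return data_key, verifier

class StorageServer:
    """Holds only salt and verifier; neither one reveals the data key."""
    def __init__(self):
        self.accounts = {}
    def enroll(self, user, salt, verifier):
        self.accounts[user] = (salt, verifier)
    def salt_for(self, user):
        return self.accounts[user][0]
    def check(self, user, verifier):
        return hmac.compare_digest(self.accounts[user][1], verifier)

def desktop_enroll(server, user, passphrase):
    salt = os.urandom(16)
    data_key, verifier = derive(passphrase, salt)
    server.enroll(user, salt, verifier)  # only salt + verifier leave the client
    return data_key

def desktop_login(server, user, passphrase):
    data_key, verifier = derive(passphrase, server.salt_for(user))
    return data_key if server.check(user, verifier) else None

class IntermediateProcessor:
    """Web path: decryption happens off-client, so the key must arrive here."""
    def __init__(self, server):
        self.server = server
        self.keys_in_memory = {}
    def web_login(self, user, passphrase):
        data_key, verifier = derive(passphrase, self.server.salt_for(user))
        if not self.server.check(user, verifier):
            return False
        self.keys_in_memory[user] = data_key  # key material now exists outside the client
        return True
```

In the desktop path the data key never leaves the machine that derived it; in the web path the same key sits in the intermediate processor's memory for the session, which is the trade-off the FAQ describes.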

 

#5 2022-02-28 17:32:15

Zeke
On hiatus
From: San Francisco
Registered: 2020-07-24
Posts: 44
Website

Re: Private encryption key exposed when logged in?

SteveA wrote:

There's a bit more info here:

Wow, thanks for tracking down the info!

So their "intermediate processors" are able to decrypt your data, so your private key must be transmitted to them. If that's over SSL, there's a theoretical possibility that the key could be sniffed, for example on a corporate network where the company uses its own CA to allow https content inspection.

There ya go...what that article I could no longer find was talking about. Interesting that their support team did not inform me of this theoretical possibility, when it's mentioned on one of their own pages.

Do you think this is a typical scenario for most backup services, or unique to just a few, like IDrive? And how much do you think one should worry about this, if at all? Thanks again, Steve!

BTW I just replied to support, with the same quote you provided, and the URL. Let's see what they'll have to say.

Last edited by Zeke (2022-02-28 18:18:33)



Offline

 

#6 2022-02-28 18:25:45

SteveA
Administrator
Registered: 2018-02-23
Posts: 417
Website

Re: Private encryption key exposed when logged in?

Zeke wrote:

Do you think this is a typical scenario for most backup services, or unique to just a few, like IDrive? And how much do you think one should worry about this, if at all?

Well I moved from Tape Streamers to IDrive and I haven't strayed, so I don't know how the other services do it!

As to whether one should worry - I guess it depends on the value or sensitivity of one's data.

Anything that needs an extra layer of protection could be stored in an encrypted ZIP file (don't store the key for that on your computer!)

Offline

 

#7 2022-02-28 18:53:08

Zeke
On hiatus
From: San Francisco
Registered: 2020-07-24
Posts: 44
Website

Re: Private encryption key exposed when logged in?

Well, I could use total encryption on the external hard drive I use to store all my data. I'll look into that. Or, simpler solution is to just not log into the web based account. I've also posted this issue on Reddit, at

https://www.reddit.com/r/....val_media/

And learned that Backdrive also has the same issue.

Thanks again!



Offline

 

#8 2022-03-05 07:30:42

Zeke
On hiatus
From: San Francisco
Registered: 2020-07-24
Posts: 44
Website

Re: Private encryption key exposed when logged in?

IDrive support got back to me, and this is what they said:

"We understand your concern. In this case, for more secure access with your private encryption key accounts, you may use the IDrive desktop application for backup and restore of the data."



Offline

 
