[liberationtech] "Secure" (but Hackable) Cloud Computing:

Griffin Boyce griffin at cryptolab.net
Tue Apr 22 11:03:12 PDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

   Computing on a device you have full control over is not necessarily 
secure, and offloading everything onto a machine (or set of machines) 
that you have no real control over probably won't improve your security. 
  There's a lot of money to be made by people who want to convince you 
otherwise. Caveat lector.

   Incidentally, a new set of attacks (and related vulnerabilities) was 
released today:

Abstract: http://eprint.iacr.org/2014/248
Paper: http://eprint.iacr.org/2014/248.pdf

"Here we show that AES in a number popular cryptographic libraries 
including OpenSSL, PolarSSL and Libgcrypt are vulnerable to Bernstein’s 
correlation attack when run in Xen and VMware (bare metal version) VMs, 
the most popular VMs used by cloud service providers (CSP) such as 
Amazon and Rackspace. We also show that the vulnerability persists even 
if the VMs are placed on different cores in the same machine. The 
results of this study shows that there is a great security risk to AES 
and (data encrypted under AES) on popular cloud services."

   A quick search for [xen vps hosting] leads to 364,000 results. And of 
course most of these are pages from service providers, not the websites 
they host.  Think of all the sites that are hosted on these thousands of 
service providers (or even just Amazon/Rackspace/Linode/Gandi) and you 
start to scratch the surface of why cloud security is still so tricky.

best,
Griffin

PGP: 879B DA5B F6B2 7B61 2745  0A25 03CF 4A0A B3C7 9A63
emoji: ᕕ(ᐛ)ᕗ

On 2014-04-22 07:47, Caspar Bowden (lists) wrote:
> On 17/04/14 20:29, David Solomonoff wrote:
>>> No longer confined behind a locked down private data center or
>>> hidden under the end user's bed, a virtual FreedomBox can finally
>>> escape to the clouds.

>  Apropos the blog, Mylar is cool, but doesn't use FHE. It sends the
> Cloud conventionally encrypted blobs to and fro - and the Client does
> all the work (thus neutralizing main vaunted benefit of Cloud, elastic
> and parallel CPU power). It also uses an encrypted search technique
> for indexing (which is also cool)

-----BEGIN PGP SIGNATURE-----
Version: OpenPGP.js v0.5.1
Comment: http://openpgpjs.org

-----END PGP SIGNATURE-----



