back to article So you broke our encrypted files? Ha! They were DOUBLY encrypted

Developers have launched a sync-and-share service aimed at small businesses that adds an extra layer of encryption absent from popular services such as Dropbox and Box. InfraScale says its Filelocker software protects data by encrypting it locally, in-transit and again in the cloud. Files are encrypted with a user's personal …

COMMENTS

This topic is closed for new posts.
  1. jake Silver badge

    Trusting a second, third, fourth or fifth party is contraindicated ...

    First: Your good self. If you trust you, keep it to yourself.

    Second: whoever is actually in control of your computer.

    Third: whoever provides your connectivity.

    Fourth: whatever "cloud" !GooMyFaceYouMStwit you choose to store stuff on.

    Fifth: All the assholes who really are out to get you.

    1. The Man Who Fell To Earth Silver badge
      Boffin

      Re: Trusting a second, third, fourth or fifth party is contraindicated ...

      I've used cloud backup for quite some time, but from day one it seemed obvious to locally encrypt my files and only send my encrypted versions to the cloud. If the confidentiality of the data is important, why would one not re-encrypt it?

      1. Charles 9

        Re: Trusting a second, third, fourth or fifth party is contraindicated ...

        Or in my case, I only use the cloud for low-security stuff. If anyone hacks into my Dropbox. all they'll know is that I belong to a gaming clan and coordinate with clanmates on common maps. Plus a handful of handy programs I don't wanna have to re-search the net to retrieve every day. IOW, stuff to which I'd respond with, "Big fricking deal."

  2. Anonymous Coward
    Anonymous Coward

    Password Length

    Took me a while to register on there, trying to use a 50+ character password to register for an account you end up on a error page with HTTP GET message string.

    Check password, check confirm password.

    Turns out they have a undetermined limit on password length.

    Great...

    1. Anonymous Coward
      Anonymous Coward

      Re: Password Length

      Your name isn't Little Bobby Tables, is it?

  3. JaitcH
    WTF?

    General David Petraeus and his recent squeeze, Paula Broadwell, really needed this

    If this lovelorn couple had these facilities to hand, likely the FBI would be busy trying to decrypt their love letters and Petraeus would still be CIA chief.

    And what of Cameron's "what you see, we see" plan? May be he will have to resort the old bLIAR trick, your password or your freedom.

  4. frank ly

    If you encrypt it seven times ...

    .... it's impossible to crack it. (I read that somewhere on the internet, so it must be true.)

    1. Anonymous Coward
      Anonymous Coward

      Good thing ROT-13 is so quick!

      Or I'd be here all night doing the extra six passes!

      In fact I think I'll exceed your recommendation and do it one more time...there! Bite on me, spookery!

    2. JDX Gold badge

      Re: If you encrypt it seven times ...

      THis is true. It's similar to how you can keep ZIPping the same file and it will eventually reach a single byte in size.

      1. Anonymous Coward
        Anonymous Coward

        Re: If you encrypt it seven times ...

        >and it will eventually reach a single byte in size.

        Ancient joke alert: http://www.textfiles.com/humor/COMPUTER/zzzmodem.txt

        Also, I thought it was 7 proxies and you'll never get rumbled for piracy/CP/whatever?

      2. Anonymous Coward
        Anonymous Coward

        Re: If you encrypt it seven times ...

        > THis is true. It's similar to how you can keep ZIPping the same file and it will eventually reach a single

        > byte in size.

        That reminds me of the chap who in response to a spammer took the biggest drive he had, filled it with a file containing zeds and zipped that. According to the tale, it compressed rather well and he sent it as an attachment named "Urgent Order".

        Having since learned about 2GB and 4GB limits on old versions of zip I am not convinced of the veracity of this tale, but it made us all chuckle back in the mid-nineties.

        1. Chris007
          Windows

          Re: If you encrypt it seven times ...@ AC 13:14 GMT

          It was a very nice trick you could do with PKARC - it would read the file and if it contained all the same chars would create a very small archive. I did it myself as the HDD's at work were far bigger than most others.

          For some reason why they release PKZIP it didn't do this anymore (I assume because of the above)

        2. Anonymous Coward
          Anonymous Coward

          Re: If you encrypt it seven times ...

          "That reminds me of the chap who in response to a spammer took the biggest drive he had, filled it with a file containing zeds and zipped that. According to the tale, it compressed rather well and he sent it as an attachment named "Urgent Order"."

          Zipbombs and the like were common. An easier way to make one was to dd /dev/zero through gzip or the like, redirecting it to a file (using dd or the like as a gatekeeper if you liked).

          With zip/lha etc. archives, there used to be some nifty archive checkers for BBSen that could check uploads without falling foul of such tricks, too, though there was a bit of an arms race with archives in archives and the like.

          Ah, the things people did when they had too much time on their hands, before proper fast internet full of amusing cat videos...

          1. J.H.
            Thumb Up

            Re: If you encrypt it seven times ...

            ahhh, LHA - now you're taking me back!

            1. Anonymous Coward 15

              Re: If you encrypt it seven times ...

              When I were a lad...

  5. Anonymous Coward
    Childcatcher

    If you encrypt something more than once...

    ... how much more secure does it make it? I know we have 3DES so obviously it does up the security somewhat , but by how much? Is there a law of dimishing returns so for example if you encrypt something 4 times over its no more secure mathematically than doing it 3 times?

    Sorry , if this is a daft question since I'm no cryptography expert but I'm just curious. If encrypting something multiple times is a good idea why isn't it done more often?

    1. JimmyPage Silver badge
      Boffin

      Re: If you encrypt something more than once...

      I have a very vague memory that multiple encryption can weaken the resulting ciphertext. Can't remember why. It will also become increasingly (and exponentially) harder - and therefore slower.

    2. Adrian Harvey
      Boffin

      Re: If you encrypt something more than once...

      Depends on the algorithm... As you point out, DES is an algorithm where this is good. However most of the analysis on this is directed to the it's of a brute-force attack, whereas I think the point here is not to increase the crypto strength but to have 3 keys in different people's hands so that a compromise of one doesn't leak your files. Eg: provider hacked, keys stolen - still secure as they need your keys too.

    3. David Hicks
      Pint

      Re: If you encrypt something more than once...

      It's not a simple question.

      I'm not sure that's really what's going on here - I think it's storing encrypted files remotely and transferring them over an encrypted link, meaning they can't be spied on in transit and the data is useless to anyone unauthorised anyway.

      On the broader issue - it's already been said that it depends on the algorithm. Triple DES is an EDE mode where you single-DES encrypt with one key, decrypt with another then encrypt again with the first. The mathematical properties of DES are such that just encrypting twice with different keys (Double DES) doesn't help and may in fact be worse than just single DES.

      It seems to be better to use a stronger algorithm like AES and a longer key length. In the appropriate (GCM type) mode of course

    4. A J Stiles

      Re: If you encrypt something more than once...

      Multiple encryption doesn't necessarily increase the security.

      After all, consider a substitution cipher. If you encrypt text using a substitution cipher, then encrypt again using a different substitution cipher, the combined operation is demonstrably equivalent to a third substitution cipher.

    5. Arion

      Re: If you encrypt something more than once...

      I wouldn't think that re-encrypting (with different keys) would weaken the crypto in any way. If it did then the first thing a cryptanalyst would do with ciphertext would be to encrypt it again to introduce that weakness.

      The main benefit of repeating the encryption is that if for example you do it twice, then you have two keys, and therefore double the total key length.

      DES is algorithmically secure. There are no known attacks faster than brute force. Unfortunatly DESs 56 bit key size (64 - 8 checksum bits), makes it computationally feesible to brute force the key. 3des makes the key 3 times longer, so its currently safe, but slow.

      I dont see any benefit in encrypting twice using AES-128 both times over using AES-256 once. In this example(situation described in article), I dont see the benefit in what is effectively them having half the key, and you having the other half. Having that said, from a defence in depth perspective, Its a good strategy to defend against both known, and unknown/imaginary threats. Googling for "This was fixed six months ago in OpenBSD" should illustrate my point.

      1. David Hicks

        Re: If you encrypt something more than once...

        @Arion -

        Good point on the re-encryption. Must be that it just doesn't help when talking about double DES.

        You're wrong about it being algorithmically secure, by the way, check wikipedia - there are three known attacks, one of which requires time equivalent to 2^39 - 2^40, quite a bit less than 2^56 brute force. From what I remember this may be down to a badly designed S-box.

      2. Yet Another Anonymous coward Silver badge

        Re: If you encrypt something more than once...

        >I wouldn't think that re-encrypting (with different keys) would weaken the crypto in any way. If it did then the first thing a cryptanalyst would do with ciphertext would be to encrypt it again to introduce that weakness.

        If knowing that the inner file is a certain encryption allows you to guess the properties of certain bytes (eg checksums) then you can use this with a brute force to check when you have a hit. This is what the online truecrypt crackers do.

        Obviously re-encrypting a ciphertext doesn't help crack the first layer - just the layer you have added!

  6. MooseMonkey
    Happy

    Paperwork...

    I'm not overly worried about hackers going after my stored personal files, they aren't of any use to the average person. I'm more worried that in the good old US of A, any local sheriff seems to be able to get a court order (or whatever they call them over there) and get all your data on a whim.

    My files are hosted in Germany, at least the courts make the security forces turn up before they hand all my files over. The best security of course is the fact my documents are crap, and anyone reading them will implode with boredom.

  7. Ben Norris
    Trollface

    where is the xzibit icon?

    yo dawg, I herd you like security so we put encryption in your encryption

    1. Anonymous Coward
      Anonymous Coward

      Re: where is the xzibit icon?

      Ack, actually, you should post that suggestion on the relevant thread, it would be weirdly useful and amusing :)

    2. GoldBytes
      Thumb Up

      Re: where is the xzibit icon?

      ha! We'll be happy to put some encryption in your encryption. @FileLocker

  8. Anonymous Coward
    Anonymous Coward

    on the sign up page: what is your mothers maiden name?

    i' m guessing here, but it looks as though the lost password fandango and some publicly available information will bust the triple encryption.

    1. Anonymous Coward
      Anonymous Coward

      What do you answer for that question if you were brought up in care, born out of wedlock, born to a second or subsequent marriage, adopted etc?

      1. Anonymous Coward
        Anonymous Coward

        Re: second or subsequent marriage

        That one is easy. A woman has only one maiden name, regardless of how many marriages she may have.

        Ask your mum what they called her when she was a maiden!

  9. Anonymous Coward
    Anonymous Coward

    Useful!

    Encrypting it twice will make it much harder to decrypt. After the first encryption pass, the cyphertext should be pretty much random, so frequency analysis won't yield anything useful. Brute forcing combinations in the hope the first X bytes of what you decrypt turn into the known header of a zip file or whatever will be worthless too. And without knowing the first algorithm and key used, you don't have any known plaintext to analyse the second with.

    Not to mention if different business units and countries have possession of their own individual encryption keys, it makes it much harder for law enforcement/courts to stomp in with a 'decrypt this naow!' demand. You can quite legitimately refuse with "Sorry, we only know half the key... our unit in Somalia has the other half..."

    1. Anonymous Coward
      Anonymous Coward

      Re: our unit in Somalia has the other half...

      Menacing individual points at telephone with a large stick.

  10. Richard Boyce
    Thumb Down

    Wrong solution

    If you need to protect yourself from your cloud service with this, you're clearly using the wrong cloud service.

    Some popular services like Dropbox make a point of holding your keys, making it possible for them and their friends to process your data to their commercial advantage. This also allows them to give you (or anyone they're convinced is you) access to your data if you forget or lose your password.

    Some services make a point of NOT holding your keys. If you forget or lose them, you're sunk, but only you can ever decrypt and use your data.

    Take your pick. Don't use band-aids like this software unless someone is forcing the wrong choice of cloud service upon you..

    1. Scott Wheeler
      Facepalm

      Re: Wrong solution

      Don't assume that a service provider doesn't hold your keys unless you have a means of proving that they never had them.

  11. This post has been deleted by its author

    1. Charles 9

      Re: table stakes

      I don't know. Could go either way as game theory has its merits.

  12. TReko

    Double or nothing?

    We use Syncdocs to encrypt all our Google Drive files. Nothing leaves my computer for Google Drive that isn't AES256 encrypted. If you need to share the data, you'll need to ask me for the key.

  13. GoldBytes
    Thumb Up

    Android app now available!

    Hi all, thanks for checking us out!

    First version of the Android app just posted in the Google Play store: https://play.google.com/store/apps/details?id=com.filelocker.android

    Request new features here: https://filelocker.zendesk.com/forums/21427796-4-feature-requests

    @FileLocker

This topic is closed for new posts.

Other stories you might like