Wuala: Willful ignorance, or fraud?
Like most people working in the areas of cryptography and computer security, I come across wild and unsubstantiated claims quite frequently. In early 1999, Bruce Schneier famously provided a list of nine signs that you might be dealing with cryptographic snake oil; unfortunately, snake oil has become more sophisticated, and even the crypto-illiterate have become buzzword-literate, so separating the good from the bad has become far more difficult in the past 8 years.
Earlier today, I came across an interview between Allan Stern and Dominik Grolimund, the CEO of the online storage and file-sharing startup Wuala. Partway through, I found the following question and answer (italics are mine):
Allen: Can you discuss the security - if I upload files and they are stored on another person's computer, can they access my files?
Dominik: No, they can't, not at all! Privacy is a very important issue for us. All files are encrypted on your computer, before anything is uploaded. All encryption and decryption performed locally (again an advantage if you have software running on the client). Your password never leaves your computer, so that no one, not even our team can see what files you store or share with friends. In Europe, privacy is an important issue and we think that everyone should have a place where he can store files privately. A lot of people are concerned if all their data is stored on servers of big corporations, which is why a lot of users do not use Gmail etc. In our system, everything is encrypted and the encryption is used by the CIA for top secret files.
This brings to mind Schneier's Warning Sign #7 -- Unsubstantiated claims -- and his reference to companies which claim "military-grade" security. Moving to the Wuala website, I find the following edifying paragraph:
Security is a key design issue in Wuala: All files stored in Wuala are encrypted and all cryptographic operations are performed locally. Your password never leaves your computer - so no one, including us, can access your files unless you publish them. Wuala employs the 128 bit AES algorithm for encryption and the 2048 bit RSA algorithm for authentication.
This immediately indicates that Dominik's claim of "used by the CIA for top secret files" is bogus: The US Committee on National Security Systems Policy No.15 states that "TOP SECRET information will require use of either the 192 or 256 [bit] key lengths [of AES]". Since 128-bit AES is not 192-bit AES or 256-bit AES, the cryptography used by Wuala may not be used by any US Governmental agency for top secret files.
More important than what the Wuala website says, however, is what it doesn't say. A block cipher algorithm is only one small component of a complete encryption system: As the aforementioned Policy No.15 comments, "NSA-approved cryptography consists of an approved algorithm; an implementation that has been approved for the protection of classified information in a particular environment; and a supporting key management infrastructure". Even if you're not planning on using an encryption system for protecting classified information, it's worth listening to the NSA; Wuala's security depends on all of the following factors, none of which are disclosed:
- In which mode of operation are they using AES? Some modes (e.g., cipher block chaining) are good; others (e.g., electronic codebook) aren't.
- How does Wuala ensure that initialization vectors (or nonces) will not be reused inappropriately?
- Does Wuala protect the integrity of stored information, in addition to protecting (or trying to protect) the confidentiality of said information?
- How is the AES encryption key generated? If it is generated from a password, what mechanisms are used to prevent dictionary attacks?
- Are the implementations of the encryption primitives used secure against side channel attacks?
- What steps have been taken to ensure that "dumb bugs" (buffer overflows, integer overflows, off-by-one bugs, etc.) aren't exploitable by an attacker?
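The first two questions in the list, worked on constructed data as an added example (not code from this post or from Wuala): under one key, ECB turns equal plaintext blocks into equal ciphertext blocks, and CBC does the same across files when an IV is reused. The key, IV, file contents and helper names are all assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const bs = aes.BlockSize

// ecb encrypts every 16-byte block on its own; crypto/cipher offers no ECB mode.
func ecb(b cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		b.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct
}

// cbc XORs each plaintext block with the previous ciphertext block, starting from iv.
func cbc(b cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(ct, pt)
	return ct
}

// distinct counts the different 16-byte blocks an observer of the stored data sees.
func distinct(ct []byte) int {
	set := map[string]bool{}
	for i := 0; i < len(ct); i += bs {
		set[string(ct[i:i+bs])] = true
	}
	return len(set)
}

// demo returns distinct-block counts for ECB, for CBC, and for two files under one reused IV.
func demo() (int, int, int) {
	b, err := aes.NewCipher([]byte("constructed-key!")) // constructed 128-bit key
	if err != nil {
		panic(err)
	}
	iv := bytes.Repeat([]byte{7}, bs)        // constructed; a real IV is random per file
	fileA := bytes.Repeat([]byte("A"), 4*bs) // constructed: four identical blocks
	fileB := append(bytes.Repeat([]byte("A"), 2*bs), bytes.Repeat([]byte("B"), 2*bs)...)
	both := append(cbc(b, iv, fileA), cbc(b, iv, fileB)...)
	return distinct(ecb(b, fileA)), distinct(cbc(b, iv, fileA)), distinct(both)
}

func main() { fmt.Println(demo()) }
```

`demo()` returns 1, 4 and 6: ECB collapses the four identical blocks into a single visible value, CBC keeps all four distinct, and the reused IV leaves only 6 distinct blocks out of 8 because the two files' shared opening encrypts identically.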
All told, I think Dominik Grolimund falls more into the category of "willfully ignorant" -- he doesn't understand cryptography, and he apparently hasn't made any attempt to consult people who do. But whether he's deliberately lying about the security of Wuala or actually believes what he claims -- that the encryption used by Wuala is used by the CIA for top secret files -- doesn't really matter in the end: If you care about your data, don't trust him with it.