Un-f*$#ing Cloud Storage Encryption

Presented at ShmooCon XV (2019), Jan. 20, 2019, 11 a.m. (60 minutes)

Individuals, enterprises, and government agencies encrypt information before uploading to commodity cloud storage systems like Box or Amazon’s S3 to gain strong security in the event the storage provider is compromised. Regulations like HIPAA and PCI (and good security hygiene) require that encryption keys be rotated periodically. The current schemes in use for rotating encryption keys are either infeasible or insecure as we discuss in this presentation. We describe attacks against the current scheme and present two new encryption schemes that improve the security of key rotation offering different security and performance trade-offs.

Presenters:

• Adam Everspaugh
  Dr. Adam Everspaugh (@AdamEverspaugh) is a cryptographer and software engineer. He researches and presents on topics including oblivious password hardening, secure random number generators, and updatable encryption. Adam is a security engineer for Coinbase, and a cryptographic advisor to Keeper Security (password management service), and the distributed app platform Mainframe.com.

Links:

• https://infocon.org/cons/ShmooCon/ShmooCon 2019/Un-f--ing Cloud Storage Encryption.mp4

Similar Presentations:

• 32C3 (2015) / The Magic World of Searchable Symmetric Encryption: A brief introduction to search over encrypted data
• Global AppSec - DC 2019 / Beyond data-at-rest: Advances in Native NoSQL Database Encryption
• Black Hat USA 2010 / Secure Use of Cloud Storage