OwnCloud 4.0 and Encryption

May 24 2012

Recently, the new version 4.0 of the OwnCloud open-source software has been released. According to Wikipedia, “OwnCloud is a software suite that provides a location-independent storage area for data (cloud storage). The project was launched in January 2010 from KDE developer Frank Karlitschek to create a free alternative to commercial cloud providers. In contrast to commercial storage services, ownCloud can be installed on a private server at no additional cost“. So, anybody sensitive to the privacy of his own data, but still willing to store them in the cloud, might be tempted to install the feature-rich OwnCloud application on a dedicated server. Even more interestingly, the feature list of the latest version mentions the following:

Do you want to make sure that your files remain secure on the server? With the Encryption Application enabled, all files stored on the ownCloud server are encrypted to your password so not even the admin can look inside your files. Add to this an SSL connection, and your files are secure while in motion and at rest.

I did not resist to take a closer look at these claims…

The file encryption capabilities are implemented as the OC_Crypt class. Here is a quick summary of my findings:

  • The key is generated using four calls to the mt_rand() PHP routine, which implements the Mersenne Twister pseudo-random generator and is unfortunately not of cryptographic quality:
  • Let us assume a moment that the Mersenne Twister would be a cryptographically strong PRNG. Unfortunately, the seeding mechanism of the mt_rand() routine is also not very robust: Note that it depends on the current time, on the PID of the PHP interpreter and on a pseudo-random number taken out of another pseudo-random generator of the PHP engine. This one is a and is seeded as follows: The computation of the overall entropy, and thus the effort to guess a key, is left to the reader… Not to mention the maximal achievable amount of  4\cdot\log_{2}(99999-10000+1)\approx 65.8 bits of entropy, which are far from the recommended minimal value of 80 bits.
  • The generated key is encrypted using the provided user password with help of Blowfish in ECB mode and then stored in a file named encryption.key. Anybody able to steal this file will be in position to brute-force the password.
  • Note that this key is the same for all files stored by a same user, and that files are encrypted … server-side! So, the encryption key can be stolen in other scenarios:
    • The password encrypting it is transmitted in clear from the client to the server using the HTTP Basic mechanism. If the communication is not secured with HTTPS, then anybody able to snoop at the communication will steal the password, be able to access the OwnCloud account and get the data.
    • The encryption key is stored in clear in the session data Those session data are stored in clear on the server side, most of the time into the /tmp directory. Hence, a malicious OwnCloud server administrator will have no difficulty to decrypt data. Note that, as the encryption is performed server-side, a malicious sysadmin would have no difficulty to modify the OwnCloud application for recovering the data anyway.
  • The encryption algorithm is Blowfish in ECB mode implemented with help of the PEAR Crypt_Blowfish class: While this block cipher, if properly keyed, poses no real problem in practice, the ECB mode used is notoriously known to leak information.

In summary, one can only recommend to never use OwnCloud 4.0 for storing confidential data !

If you enjoyed this post, please consider leaving a comment or subscribing to the RSS feed to have future articles delivered to your feed reader.

26 responses so far

  1. Which cloud implementation is safe to store private (or confidential) data in? Is it a good pattern to store confidential data on computers connected to the internet?

  2. Where the owncloud developers informed about this? I planning to move from dropbox to owncloud, sadly on a shared webspace where i’m not root.

  3. I have contacted them through their Twitter account as well as their contact form.

  4. Nice article, but it would be interested to provide an update as you know how to implement good crypto.

  5. [...] supuesto, ownCloud tiene sus limitaciones. La seguridad de su cifrado ya ha sido puesto en tela de juicio, y como otras soluciones Open Source, su potencia parece pensada solo para usuarios con una cierta [...]

  6. I’m sure that you can help the owncloud team to make an awesome encryption in the next version!

  7. [...] El cifrado de ownCloud no es aceptable:  Ya lo hablamos el otro día en los comentario de ownCloud 4.0: un software genial, pero eso de cifrado en el lado del servidor simplemente no es aceptable. Lo explica bien Pascal Junod en su blog. [...]

  8. i had a good laugh about the crypto you picked apart in this article. it serves as yet another reminder that people have a hard time understanding that someone claiming “it’s encrypted” isn’t sufficient to give any real protection.

    if you or any of your readers are interested in legit high security cloud storage, checkout https://www.cyphertite.com/ . it doesn’t have all the shiny sync options (yet) but it is designed with security in mind from the ground up. would be interested to hear what you think about cyphertite’s crypto.

    remember, safety first! =)

  9. [...] OwnCloud 4.0 and Encryption [...]

  10. [...] Verschlüsselung ist unsicher, weil der generierte Verschlüsselungskey ereinmal mit einem Verfahren erzeugt wird, der dafür [...]

  11. [...] hand, cloud computing really so unsecure, and, on the other hand, ownCloud really safe? Some, like Pascal Junod, say the later is [...]

  12. ultimately, what are the real dangers? if you are using ssl, good passwords, iptables, intrusion detection, fail2ban etc, then i don’t see any issue with it.
    owncloud is designed to run on your own server which generally means that you are the system admin. the issue (as stated here) is concerns if you are storing your data on an owncloud server where you can’t/don’t trust the system admin of the owncloud server. it’s really no different from any other server eg mail, file server where the system admin can look at those files.

  13. The OwnCloud designers claimed that the data are secure even with respect to a malicious sysadmin. This is blatantly wrong !

  14. [...] Version 4.0 ser­ver­sei­tig – *fa­zi­al­pal­mier* – kam? Hier mal eine kurze Krypto-Analyse. Für PHP gewiss überragend “sicher”. Also ich würd’ das ja [...]

  15. Hi Pascal,

    this is really interesting.
    Got any response from the ownCloud developers?

    Mark

  16. Not really…

  17. [...] SSL einrichtigen ist doch nicht so schwer, oder? Aber wer auch eine unsichere Verschlüsselung benuntzt und seinen Benutzern was von Sicherheit erzählt, dem ist wohl nicht mehr zu helfen. [...]

  18. Hi Pascal,
    I’m sorry that you didn’t get any answer from us yet. This shouldn’t happen again since we improved the communication management.
    Thank you for pointing out this issue, recently we setup our security page which also includes a hall of fame and advisories. (http://owncloud.org/security/policy/)
    I’d like to include you in our hall of fame (+ create an advisory), please contact me via email for this.
    Last but not least: We’re rewriting the encryption module for ownCloud 5 (https://github.com/owncloud/core/tree/files_encryption/apps/files_encryption) – this uses OpenSSL and also includes a client side encryption via the sync client.

    Thanks,
    Lukas
    ownCloud

  19. That’s excellent news ! I am sure that OwnCloud will benefit a lot from a good design and implementation of security features.

  20. Thank you for taking the time to post this helpful information Pascal. It was a real eye opener. And also, a big thank you to Lukas for stopping by to let readers know that improvements like client-side encryption are in the works. That’s AWESOME!

  21. [...] le chiffrement est apparemment caduque (voir http://crypto.junod.info/2012/05/24/owncloud-4-0-and-encryption/) [...]

  22. [...] ownCloud verwendet. Erst ein Blick in den Quelltext verrät den Ansatz der Entwickler. In einem Blog Eintrag hat Pascal Junod die Verschlüsselung untersucht. Er beschreibt dort diverse Szenarien bei dem die [...]

  23. [...] Links http://blog.rotzoll.net/2013/01/pogoplug-usb-stick-vergrosern-und-dateisystem-auf-ext4-andern/ http://owncloud.org/ http://owncloud.org/support/webdav/ http://blog.martinfjordvald.com/2011/01/no-input-file-specified-with-php-and-nginx/ http://crypto.junod.info/2012/05/24/owncloud-4-0-and-encryption/ [...]

  24. Encryption in owncloud 5.x: This here could be relecvant for you:

    http://forum.owncloud.org/viewtopic.php?f=3&t=8089

  25. Hello,

    ownCloud 5.0.9 with the new encryption module is now available. I hope we have taken care of most items, besides that it is only a data at rest side encryption. Next step would be client side encryption, but that will come with some loss of functionality. Looking forward to your feedback!

  26. Owncloud 6.0 is now on a countdown for mid october I believe, i’d be very interested if you were able to take a second look at Owncloud around then.

    JBT

Leave a Reply

*