
CipherCloud DMCA

Something interesting is happening over at Crypto.SE. A while back someone posted a question about CipherCloud (cached here). It turns out that CipherCloud wasn’t too happy about the analysis and sent a DMCA takedown notice to StackExchange. The question has been deleted.

This raises a bunch of questions about CipherCloud. The analysis on Crypto.SE looked pretty scary, especially given that the company has raised $30 Million. I looked over their leadership team, their board of directors, job postings, etc. and don’t see a single cryptographer listed. That raises another set of warning flags.

The Analysis
I don’t want to repost the analysis here, but the basic idea was that the product seemed to be using a constant mapping from plaintext to ciphertext, so that the word ‘the’ always mapped to ‘qmf’. With a fixed mapping like that, patterns in the plaintext carry over into the ciphertext and are recognizable, and the security of the system is minimal. This analysis was all done on screenshots/videos of the product. It could be that it was just marketing material and does not reflect the actual security of the product. It is hard to tell, though, as they do not publish the details of their work. They offer a white paper if you give them your personal information (which I may do, and then post my own analysis here).
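To make the concern concrete, here is an added toy model written for this post (not CipherCloud’s code, which is unpublished): a keyed but constant word-to-token mapping, beside the same mapping with a fresh random nonce per word. The check compares which positions hold equal tokens; if the ciphertext’s equality pattern matches the plaintext’s, word repetition (and so frequency structure) has leaked. The sample sentence and the SHA-256 tokenization are constructed for illustration only.

```python
import os
import hashlib
from collections import Counter

# Constructed sample plaintext (not from the post); 'the' appears 4 times.
SAMPLE = "the cat sat on the mat and the dog sat on the log"


def deterministic_encrypt(text, key):
    """Toy model of a constant word-to-token mapping, as the Crypto.SE
    analysis suspected: the same word always yields the same token."""
    return [hashlib.sha256(key + w.encode()).hexdigest()[:6] for w in text.split()]


def randomized_encrypt(text, key):
    """Same keyed mapping, but a fresh 8-byte nonce is mixed into every word
    and prepended to the token, so repeated words no longer repeat."""
    out = []
    for w in text.split():
        nonce = os.urandom(8)
        tag = hashlib.sha256(key + nonce + w.encode()).hexdigest()[:6]
        out.append(nonce.hex() + tag)
    return out


def equality_pattern(tokens):
    """Canonical 'which positions are equal' pattern, e.g. the cat the -> (0, 1, 0).
    Two token lists with the same pattern share the same repetition structure."""
    ids = {}
    return tuple(ids.setdefault(t, len(ids)) for t in tokens)


def leaks_structure(text, cipher_tokens):
    """True when the ciphertext reveals exactly which plaintext words repeat."""
    return equality_pattern(text.split()) == equality_pattern(cipher_tokens)


def top_token_count(tokens):
    """How often the most frequent ciphertext token occurs (4 for the
    deterministic scheme on SAMPLE, 1 for the randomized one)."""
    return Counter(tokens).most_common(1)[0][1]


if __name__ == "__main__":
    key = b"demo-key"
    det, rnd = deterministic_encrypt(SAMPLE, key), randomized_encrypt(SAMPLE, key)
    print("deterministic leaks structure:", leaks_structure(SAMPLE, det))
    print("randomized leaks structure:   ", leaks_structure(SAMPLE, rnd))
```

Note that the randomized variant is only the textbook illustration of why a per-message nonce matters; it is not a proposal for how CipherCloud should work, and a real design would use an authenticated cipher rather than a truncated hash.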

Why the big deal?
Why is this such a big deal? Well, cryptography research (and thus practical cryptography) is very hard to do. I’d venture to say that the practical stuff is even harder than the theoretical stuff. If you don’t publish loads of information on your cryptographic protocols, etc., how can anyone know it is secure? There isn’t really a certification group for cryptographic protocols. If you are afraid of losing your IP, you could hire reputable cryptographers to review your product. It doesn’t appear CipherCloud has done any of this. This is why it is a big deal: the security of the system could be imaginary at best. Bruce Schneier once said something to the effect of “anyone can design a cipher that they themselves cannot break”. The same goes for protocols, security systems, etc.

Recommendations
To potential users of CipherCloud, I’d recommend you contact them and tell them you want open evaluations of their products or you won’t be using them. Also tell them that sending DMCA notices to StackExchange is very counter-productive. Instead, a well-reasoned response on Crypto.SE would have been better. Defend your product; don’t try to censor those who are curious about its security.

  1. April 22, 2013 at 6:19 pm

    Any organization looking to secure data using a new method must have access to peer reviewed, published and validated information on the method to a level of detail that it can be analysed by respective experts as a whole. Best practice in security and cryptography dictates transparency and independent cryptanalysis with published results.

    The work we have been doing with NIST in this area on standards based Format-Preserving Encryption, aka NIST 800-38G FFX mode AES, is a good example of that. It’s a big investment, but it’s absolutely the right one to make and the standard is now in its final phase of completion at NIST. Interested parties can learn more about it, along with its security proofs, bounds and analysis here:

    http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ffx/ffx-spec.pdf

    As with any security claim, vendor affirmations about a method are insufficient and can’t be assumed to be secure nor suitable for data security or compliance requirements until proven otherwise – transparently.

    Users must demand transparency – otherwise there’s the risk of losing both data and compliance status in the blink of an eye.

    Regards,
    Mark Bower
    VP Product
    Voltage Security

    Disclaimer: I work for a vendor who specializes in advanced cryptography techniques for data security purposes including the development of FFX mode AES with UC Davis, NIST et al.
