Budapest University of Technology and Economics Faculty of Electrical Engineering and Informatics Department of Networked Systems and Services Gergő Ládi TRANSPARENT ENCRYPTION FOR CLOUD-BASED SERVICES ADVISOR Dr. Levente Buttyán BUDAPEST, 2017 Table of Contents Table of Contents ........................................................................................................ 2 Összefoglaló ................................................................................................................. 7 Abstract ....................................................................................................................... 8 1 Introduction .............................................................................................................. 9 1.1 Definitions ........................................................................................................... 9 1.2 Problem Statement ............................................................................................... 9 1.3 Challenges ......................................................................................................... 11 1.4 Outline............................................................................................................... 12 2 Goals, Tasks, Objectives, and Strategies ............................................................... 13 2.1 Goals ................................................................................................................. 13 2.2 Tasks ................................................................................................................. 13 2.3 Objectives and Strategies ................................................................................... 15 3 Initial Research ....................................................................................................... 16 3.1 Related Work ..................................................................................................... 16 3.1.1 Publications ................................................................................................ 16 3.1.2 Similar Software ......................................................................................... 17 3.1.2.1 Boxcryptor ........................................................................................... 17 3.1.2.2 Cipherdocs ........................................................................................... 17 3.1.2.3 CloudFogger ........................................................................................ 18 3.1.2.4 SeaFile ................................................................................................. 18 3.1.2.5 Cryptomator ......................................................................................... 18 3.1.2.6 Tresorit ................................................................................................ 18 3.1.3 Summary of Related Work .......................................................................... 19 3.2 Enumerating Potential Services for Encryption .................................................. 19 4 Picking and Analysing Services ............................................................................. 21 4.1 Detailed Analysis of Evernote's Communication Protocol .................................. 21 4.1.1 Protocol Analysis ........................................................................................ 21 4.1.2 Message Analysis ....................................................................................... 24 4.1.2.1 Initial Page Load .................................................................................. 24 4.1.2.2 Reading Note Contents ......................................................................... 25 4.1.2.3 Creating Notes ..................................................................................... 26 4.1.2.4 Editing Notes ....................................................................................... 26 4.1.2.5 Editing Reminders ................................................................................ 27 4.1.2.6 Deleting Notes ..................................................................................... 29 4.1.3 Analysis Summary ...................................................................................... 29 4.2 Detailed Analysis of Google Calendar’s Communication Protocol ..................... 30 4.2.1 Protocol Analysis ........................................................................................ 30 4.2.2 Message Analysis ....................................................................................... 32 4.2.2.1 Initial Page Load .................................................................................. 32 4.2.2.2 Dynamic Loading ................................................................................. 34 4.2.2.3 Creating Events .................................................................................... 35 4.2.2.4 Editing Events ...................................................................................... 37 4.2.2.5 Deleting Events .................................................................................... 37 4.2.3 Analysis Summary ...................................................................................... 38 4.3 Quick Analyses .................................................................................................. 39 4.3.1 Dropbox ...................................................................................................... 39 4.3.2 Dynalist ...................................................................................................... 40 4.3.3 OneNote (Online) ....................................................................................... 40 4.3.4 SimpleNote ................................................................................................. 40 4.4 Analysis Summary ............................................................................................. 40 5 Designing a Transparent Encryption Layer .......................................................... 42 5.1 Intercepting Traffic ............................................................................................ 42 5.1.1 Hijacking DNS Queries ............................................................................... 42 5.1.2 Proxying Connections ................................................................................. 43 5.1.3 Handling Certificates .................................................................................. 44 5.1.3.1 The “Problem” with Certificates ........................................................... 44 5.1.3.2 Becoming a Trusted Root Certificate Authority .................................... 44 5.1.3.3 Validating the Provider’s Certificate..................................................... 45 5.2 Inspecting and Altering Traffic .......................................................................... 45 5.3 Encrypting/Decrypting Messages ....................................................................... 46 5.3.1 Key Management ........................................................................................ 46 5.3.2 Using Format Preserving Encryption ........................................................... 46 5.3.2.1 Format-Preserving Encryption for Text ................................................ 48 5.3.2.2 Format-Preserving Encryption for Date and Time ................................ 48 5.4 Design Summary ............................................................................................... 48 6 Implementing a Prototype ...................................................................................... 49 6.1 Intercepting traffic ............................................................................................. 49 6.1.1 DNS Hijacking............................................................................................ 49 6.1.2 Creating Certificates ................................................................................... 50 6.1.3 Implementing the Proxy .............................................................................. 51 6.2 Inspecting and Altering Traffic .......................................................................... 52 6.3 Encrypting/Decrypting Messages ....................................................................... 54 6.3.1 Key Management ........................................................................................ 54 6.3.2 Initialization Vectors ................................................................................... 54 6.3.3 Format preserving encryption ...................................................................... 54 6.3.3.1 Format-Preserving Encryption for Text ................................................ 55 6.3.3.2 Format-Preserving Encryption for Date and Time ................................ 56 7 Testing the Prototype ............................................................................................. 57 7.1 Smoke Testing ................................................................................................... 57 7.1.1 Smoke Testing the DNS Hijacking Component ........................................... 57 7.1.2 Smoke Testing the TLS Proxy..................................................................... 58 7.1.3 Smoke Testing the FPE Module .................................................................. 59 7.2 Unit Testing ......................................................................................................