End-to-End Encrypted Cloud Storage in the Wild A Broken Ecosystem (Sync, pCloud, Icedrive, Seafile, and Tresorit)

https://brokencloudstorage.info/

Cloud storage is ubiquitous: Google Drive, Dropbox, and OneDrive are household names. However, these services do not provide end-to-end encryption (E2EE), meaning that the provider has access to the data stored on their servers. The promise of end-to-end encrypted cloud storage is that users can have the best of both worlds, keeping control of their data using cryptographic techniques, while still benefiting from low-cost storage solutions.

However, previous analyses of MEGA and NextCloud have shown that even the largest providers of E2EE cloud storage are affected by cryptographic vulnerabilities and creating secure E2EE cloud storage is a harder problem than initially thought.

Indeed, we show that the current ecosystem of E2EE cloud storage is largely broken. We conduct a cryptographic analysis of five major providers in the field, namely Sync, pCloud, Icedrive, Seafile, and Tresorit, in the setting of a malicious server. We unveil severe cryptographic vulnerabilities in the first four.

The vulnerabilities range in severity: in many cases a malicious server can inject files, tamper with file data, and even gain direct access to plaintext. Remarkably, many of our attacks affect multiple providers in the same way, revealing common failure patterns in independent cryptographic designs.

4 Likes

“Tresorit is a Swiss-based cloud storage provider founded in 2011 with an estimated 10 million users worldwide.

Our attacks allow a malicious server to present non-authentic keys when sharing files and to tamper with some metadata in the storage.”

Imo it’s still worth keeping the recommendation but may help to cite this in the cloud storage section.

Tresorit’s answer to BleepingComputer

The study of ETH Zürich’s world-class research team examined the possibility of ten classes of attacks on end-to-end-encrypted cloud storage systems, including confidentiality breaches and file injection vulnerabilities. The findings confirmed that Tresorit’s thoughtful design and cryptographic choices made our system largely unaffected by these attacks. While we are pleased with these results, we also recognize the untapped potential the research highlighted.

Presenting public key fingerprints to users when sharing folders is on our 2025 roadmap. This will completely prevent key replacement attacks by allowing out-of-band verification. We already do this for business invitations so the user can get cryptographic evidence about their future data administrator before joining. Our Common Criteria EAL4 + AVA_VAN.5 evaluated client software — a first among cloud storage services — requires out-of-band key authentication for folder sharing, too.

Even though some metadata, such as the file size, the time of last modification, and folder memberships are shared with the servers, these are also stored as cryptographically authenticated data to prevent tampering. This metadata is also needed to be known on the server side: for the proper bookkeeping of our customers’ storage quota, and to enforce server-side access rules as an additional layer of security.

At Tresorit, security is our top priority, and we are committed to continuous improvement, using these insights to strengthen our platform further. This research not only helps us evolve but also guides the broader industry toward more secure solutions. Security is the foundation of everything we build, and we are proud to collaborate with academic institutions like the Technical University in Budapest to ensure that we stay at the forefront of innovation in secure cloud storage.

1 Like

AI summary

Sync:

  • Users: Over 2 million
  • Clients: Web, Desktop, Mobile (web analyzed)
  • Cryptography:
    • Symmetric: AES-GCM with random IVs
    • Asymmetric: RSA with PKCS1v1.5 padding
    • KDF: PBKDF2-SHA256 with random 12-byte salt
  • Key Hierarchy: Master keys (K_master, K’_master), Metadata key (K_meta), Share key (K_share), File key (K_file), Link share key (K_link)
  • Sharing: Link sharing (password in URL), Permanent folder sharing (unauthenticated public keys)
  • Vulnerabilities Found: Lack of key authentication, Unauthenticated public keys, Link-sharing pitfalls, Tampering with file names/location/metadata, Folder injection

pCloud:

  • Users: Over 19 million
  • Clients: Not specified (presumably web, desktop, mobile)
  • Cryptography:
    • Symmetric: Custom counter mode (keys), Bespoke block cipher mode (data), Modified CBC (filenames)
    • Asymmetric: RSA-OAEP with SHA1
    • KDF: PBKDF2-SHA512 with random 64-byte salt
  • Key Hierarchy: Master key (K_master), Folder keys (K_folder_enc, K_folder_HMAC), File keys (K_file_enc, K_file_HMAC)
  • Sharing: None for encrypted files
  • Vulnerabilities Found: Lack of key authentication, Unauthenticated public keys, Tampering with file data/metadata, File injection, Chunking issues

Icedrive:

  • Users: ~150,000
  • Clients: Web, Desktop, Mobile (web analyzed)
  • Cryptography:
    • Symmetric: TwoFish with custom block cipher mode (data), TwoFish-CBC with fixed IV (filenames)
    • KDF: PBKDF2-SHA256
  • Key Hierarchy: Master key (K_master)
  • Sharing: None for encrypted files
  • Vulnerabilities Found: Unauthenticated encryption mode (CBC), Tampering with file names/location/metadata, Information leakage (fixed IV)

Seafile:

  • Users: Over 1 million
  • Clients: Web (insecure), Desktop, Mobile (desktop analyzed)
  • Cryptography: Version-dependent (see Table 1 in original text)
  • Key Hierarchy: Master key (K_master), Random key (K_random), File key (K_file)
  • Sharing: Not specified
  • Vulnerabilities Found: Protocol downgrade, Unauthenticated encryption mode, Unauthenticated chunking, Tampering with file names/location/metadata

Tresorit:

  • Users: Not provided
  • Clients: Not specified
  • Cryptography: Not explicitly detailed, but uses per-user public keys for sharing.
  • Key Hierarchy: Master key (K_master), Profile key (K_profile), Group key (K_group), Folder key (K_folder), File key (K_file), Link key (K_link)
  • Sharing: Uses per-user public keys (unauthenticated)
  • Vulnerabilities Found: Unauthenticated public keys, Tampering with file metadata

The analysis reveals significant vulnerabilities in most of the providers, primarily stemming from a lack of proper authentication of keys and ciphertext, and the use of insecure cryptographic primitives or modes of operation. These vulnerabilities allow a malicious server to compromise confidentiality, integrity, and authenticity of user data.

proton drive/pass affected?

It isn’t mentioned in the paper, looks like the researchers haven’t tested it

1 Like