Cloud storage startup Nasuni has issued a challenge some might see as a straw man. It is betting $5,000 that nobody can decrypt a file that has been secured and stored on Amazon Web Services' Simple Storage Service (S3) using its Nasuni Filer virtual appliance.
Nasuni CEO Andres Rodriguez said he wants to prove that ground-level assumptions about the safety of cloud computing can be relied on. He says that all the other issues around data security aside, companies should know that they can at least rely on modern encryption to work, no matter where a file resides.
"Everyone is freaking out about data leakage in the cloud," said Rodriguez, whose last startup, Archivas, was sold to Hitachi Data Systems in 2007 for $120 million. He said that he is trying to demonstrate that the state of the art in encryption technologies is both perfectly reliable and affordable.
"In pure dumb cloud storage, you can afford true modern cryptography," he said.
Breaking down Nasuni's bounty
Nasuni's challenge is straightforward. An image containing a random number sequence has been encrypted under the OpenPGP protocol using AES 256-bit encryption with a 2048-bit key. This was done using Nasuni's Filer, a virtual machine (VM) that links up to a user's Amazon S3 account.
A challenger must download the file and provide the unencrypted image to Nasuni for verification to win the prize. On the face of it, that's pretty unlikely. A file encrypted with AES-256 needs a secret key, randomly generated, that can withstand an impractical amount of guessing by computers. Properly implemented, say experts, such a key couldn't be found by the combined power of all the CPUs in the world running for an almost unlimited amount of time. Millions of years would not be sufficient.
Given that one of the authors of the OpenPGP standard, David Shaw, works for Nasuni, it's likely the firm has implemented OpenPGP correctly. CEO Rodriguez says he's confident in the encryption; most of the worry they've had around the contest concerns their own communications. Since the basic encryption is too strong, contestants may instead try breaking into their mail servers or internal network to discover clues around the cipher, he said.
"All the work there is way more important -- the crypto is the last thing I'm worried about," he said.
But does that fact make this an exercise in futility?
How much value is in Nasuni's stunt?
"It doesn't take a stunt like this to prove that data encrypted using industry standard algorithms and protocols can then be stored safely off-premise," said Craig Balding, a security professional based in Europe. He said there was little doubt that the challenge would stand unless Nasuni had done something monumentally stupid, but it didn't address any other concerns about the product that could compromise the security of encrypted files.
"It doesn't follow that a provider offering this service has a trustworthy offering; that boils down to many things -- some technical -- including key management, custom software and platform security," Balding said via email. He added that he would be far more worried about a vendor's custom code or insecurities in the application platform, for instance.
Bottom line, Balding said, this 'hack me' contest showed that Nasuni understands marketing very well, but not necessarily the enterprise security mindset.
Carl Brooks is the Technology Writer at SearchCloudComputing.com. Contact him at firstname.lastname@example.org.