Assuming that online storage providers are considered untrusted, if files and directories are encrypted, how can these be protected against fingerprinting?

The files are encrypted using rclone's implementation of Poly1305 and XSalsa20 before being backed up to the cloud provider.

According to rclone's documentation, the available metadata is file length, file modification date and directory structure.

  • What can be identified?
  • What can be inferred?
  • What attack vectors are there against the encrypted files and directories if the online storage provider is compromised, assuming the passphrase is at least 24 characters long and is a combination of alphanumeric and special characters (uppercase and lowercase), as well as salted with similar entropy?

The encrypted data is considered to be sensitive.

How can I protect those files from being fingerprinted and the contents inferred, such as ownership, source and the like?

Ryan
  • Can you upload an archive instead of individual files? You only have the meta of what's uploaded, and if that's many things at once, then small diffs in file size become virtually meaningless. – dandavis Jan 13 '20 at 20:27
  • @dandavis - Yes that is an option although it isn't viable since the archive would have to be deflated each time a change is required to files. Can you expand on "if that's many things at once, then small diffs in file size become virtually meaningless"? – Ryan Jan 14 '20 at 07:44
  • Seeing password.txt add 20 bytes is more interesting than dailybu.zip adding 15 bytes... – dandavis Jan 14 '20 at 19:52
  • @dandavis - If I have understood you correctly, that would mean that password.txt is in cleartext. – Ryan Jan 15 '20 at 07:19

0 Answers
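The file-length metadata mentioned in the question, and the archive-versus-individual-files point from the comments, as an added example that is not part of the original post or of rclone's own code. It assumes rclone crypt's documented layout (32-byte header, 64 KiB chunks, 16-byte authenticator per chunk); the object names and sizes are constructed.

```python
# Added example. The layout constants below are assumptions taken from rclone
# crypt's documented file format; they do not appear on this page.
HEADER = 32        # 8-byte magic + 24-byte nonce at the start of every file
CHUNK = 64 * 1024  # plaintext bytes per chunk
TAG = 16           # Poly1305 authenticator stored with each chunk


def encrypted_size(plain_len):
    """Size of the stored object for a plaintext of plain_len bytes."""
    chunks = -(-plain_len // CHUNK)  # ceiling division
    return HEADER + plain_len + chunks * TAG


def plaintext_size(enc_len):
    """Exact plaintext length, recovered from the object size alone (no key)."""
    body = enc_len - HEADER
    if body < 0:
        raise ValueError("shorter than the file header")
    full, rest = divmod(body, CHUNK + TAG)
    if 0 < rest <= TAG:
        raise ValueError("trailing chunk holds no data")
    return full * CHUNK + max(rest - TAG, 0)


def observed_changes(before, after):
    """Plaintext size deltas visible between two listings of object sizes.

    Keys are the (encrypted) object names the storage provider sees.
    """
    return {
        name: plaintext_size(after[name]) - plaintext_size(before[name])
        for name in after
        if name in before and after[name] != before[name]
    }


# Constructed sample: three files, one of which grows by 20 bytes.
day1 = {"obj-a": 1_200, "obj-b": 70_000, "obj-c": 3_000_000}
day2 = dict(day1, **{"obj-a": 1_220})

per_file_1 = {n: encrypted_size(s) for n, s in day1.items()}
per_file_2 = {n: encrypted_size(s) for n, s in day2.items()}
# Same data as one uncompressed archive (container overhead ignored).
archive_1 = {"obj-z": encrypted_size(sum(day1.values()))}
archive_2 = {"obj-z": encrypted_size(sum(day2.values()))}

if __name__ == "__main__":
    print("per-file:", observed_changes(per_file_1, per_file_2))
    print("archive: ", observed_changes(archive_1, archive_2))
```

Both layouts show a 20-byte change, but the per-file listing ties it to one object of a known exact size and exposes every file's length, while the archive exposes only the total.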