Data privacy and security
Keep your data in your own servers with the Æoncase Sync Appliance, avoiding the security pitfalls and privacy issues from the public cloud. This page documents the techniques used to secure your Sync Appliance.
Unless configured to use external storage backends, none of the data stored in the Sync Appliance ever leaves the boundaries of your organization (except as the result of regular sync and sharing activities).
The Sync Appliance only connects to aeoncase.com servers for specific purposes such as retrieving updates or helping sync clients locate the server.
File transfer and client-server communication
All communications between the sync clients and the Sync Appliance are encrypted using the TLS protocol. To prevent man-in-the-middle (MITM) attacks, the certificate used by the appliance is:
- generated when the appliance is deployed
- transferred securely to the client when the user enters the link code obtained from the client download page, which the appliance's embedded web server serves over HTTPS
The connections will use strong cipher suites when supported by the client's OpenSSL library, such as ECDHE-RSA-AES256-GCM-SHA384.
The web service is accessed via HTTPS (TLS protocol), and the server is equally configured to use strong cipher suites whenever supported by the web browser used to access it.
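The following is an added example, not configuration taken from the appliance, showing how a Python service built on the standard `ssl` module would restrict itself to forward-secret AEAD suites such as ECDHE-RSA-AES256-GCM-SHA384 and then audit the list it actually offers. The cipher string and the list of weak-suite markers are assumptions chosen for the example; a real deployment would also load its certificate chain.

```python
import ssl

# Assumed cipher string for the example: forward-secret ECDHE key exchange
# with AEAD record protection only (AES-GCM or ChaCha20-Poly1305).
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!PSK"

# Substrings that should never appear in a suite name offered by the server
# (assumed audit list: legacy stream/block ciphers, no authentication, no encryption).
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "ADH", "AECDH")


def strong_server_context():
    """Server-side context: TLS 1.2 or newer, strong suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    # In a deployment: ctx.load_cert_chain("/path/to/cert.pem", "/path/to/key.pem")
    return ctx


def offered_suites(ctx):
    """Names of every suite the context will offer, as OpenSSL reports them."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(ctx):
    """Offered suites that match one of the weak markers (should be empty)."""
    return [n for n in offered_suites(ctx) if any(m in n for m in WEAK_MARKERS)]


def forward_secrecy_only(ctx):
    """True if every TLS 1.2 suite uses ephemeral ECDHE; TLS 1.3 suites
    (names starting with TLS_) always provide forward secrecy."""
    return all(n.startswith(("ECDHE-", "TLS_")) for n in offered_suites(ctx))


if __name__ == "__main__":
    ctx = strong_server_context()
    for name in offered_suites(ctx):
        print(name)
    print("weak suites offered:", weak_suites(ctx))
    print("forward secrecy on every suite:", forward_secrecy_only(ctx))
```

Running the audit functions against the context, rather than trusting the cipher string, is the check worth keeping: the names OpenSSL actually enables depend on the library build, and `get_ciphers()` reports the effective list.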
Side-channel attacks on the server
The Æoncase sync engine features source-based deduplication, which allows a sync client not to transfer a file when it is already available at the server, both speeding up syncing and decreasing bandwidth usage and system load.
Deduplication in downloads
Source-based deduplication also works in the server-to-client direction, but in real-life scenarios it's the other direction that yields the greatest savings.

The sync engine incorporates specific security measures against attacks on source-based deduplication.
Since the Sync Appliance is installed on your organization's premises and access to it (i.e. user accounts) is tightly controlled, the scope of these attacks is greatly reduced compared to public cloud-based services.
Technical details
Naïve client-side deduplication allows these attacks:
(1) access to file contents given their hash: when a small hash value is used as a proxy for the entire file, a malicious user could attempt to trick the system into giving access to such a file if it was uploaded by another user.
(2) side-channel attacks to learn whether a particular file exists in the system: by observing whether a file is transmitted or not (deduplicated at the source), a malicious user could try to figure out whether the file was already uploaded by another user.
The Sync Appliance counters these attacks with specific techniques, which take place automatically during regular sync:
(1) is avoided using proofs of ownership, where a sync client uploading a file already stored in the system is required to provide a proof that it indeed has the file.
(2) is avoided using a randomized deduplication scheme that disables source-based deduplication (and thus knowledge on whether the file exists already) until an unknown (to the attacker) number of references to the file contents exist in the system, with additional protection against timing attacks.
Source-based deduplication is allowed without these restrictions when both of the following hold:
- the user uploading the file has read access to the space
- the data exists already in the space
When these are fulfilled, the user can already access the file anyway, so there is no harm in optimizing sync via source-based deduplication.
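As an added illustration (not Æoncase code), the following Python sketch models the two countermeasures above: a secret per-file threshold below which the server answers a hash-only upload exactly as it would for an unknown file, and a nonce-based proof of ownership that a client must pass before a reference is added without transferring the bytes. The threshold range, the HMAC construction of the proof and the in-memory store are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets


class DedupServer:
    """Toy server (constructed for the example) holding blobs by content id."""

    def __init__(self, max_threshold=5):
        self.blobs = {}        # content id -> stored bytes
        self.refs = {}         # content id -> number of references (uploads)
        self.thresholds = {}   # content id -> secret count before dedup is offered
        self.pending = set()   # nonces issued for proofs but not yet consumed
        self.max_threshold = max_threshold  # assumed upper bound, not an Æoncase value

    @staticmethod
    def content_id(data):
        return hashlib.sha256(data).hexdigest()

    def store(self, data):
        """Full upload: always accepted; creates the blob or adds a reference."""
        cid = self.content_id(data)
        if cid not in self.blobs:
            self.blobs[cid] = data
            self.refs[cid] = 0
            # Countermeasure (2): a random threshold unknown to any client. Until
            # this many references exist, the server answers as if the file were
            # unknown, so an observer cannot tell "absent" from "present".
            self.thresholds[cid] = secrets.randbelow(self.max_threshold) + 1
        self.refs[cid] += 1
        return cid

    def dedup_offered(self, cid):
        """Same answer for an unknown file and for a known file below its
        threshold. A real implementation also keeps both code paths equally
        fast so the answer does not leak through timing."""
        return cid in self.blobs and self.refs[cid] >= self.thresholds[cid]

    def challenge(self):
        """Countermeasure (1): fresh single-use nonce for a proof of ownership."""
        nonce = secrets.token_bytes(32)
        self.pending.add(nonce)
        return nonce

    def add_reference_with_proof(self, cid, nonce, proof):
        """Accept a hash-only upload only if the client proves it holds the bytes."""
        if nonce not in self.pending or cid not in self.blobs:
            return False
        self.pending.discard(nonce)  # nonces cannot be replayed
        expected = hmac.new(nonce, self.blobs[cid], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):  # constant-time comparison
            return False
        self.refs[cid] += 1
        return True


def client_sync(server, data):
    """Client-side sync of one file. Returns True if the full bytes were sent."""
    cid = DedupServer.content_id(data)
    if server.dedup_offered(cid):
        nonce = server.challenge()
        # Only a client that actually has the file can compute this value.
        proof = hmac.new(nonce, data, hashlib.sha256).digest()
        if server.add_reference_with_proof(cid, nonce, proof):
            return False
    server.store(data)
    return True


if __name__ == "__main__":
    srv = DedupServer(max_threshold=4)
    sample = b"constructed sample file content\n" * 64  # constructed input
    sent = [client_sync(srv, sample) for _ in range(10)]
    print("full transfer on each of 10 uploads:", sent)
```

Uploading the same content repeatedly shows the effect: the number of full transfers equals the hidden threshold, so the first uploaders learn nothing about whether the file already existed, and a client that knows only the hash cannot produce the proof and is refused a reference.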
System security
A number of techniques are used to make the Æoncase Sync Appliance as secure as possible:
- all public-facing services are implemented using memory-safe languages to prevent buffer overflows and similar attacks
- all SQL queries are constructed and analyzed statically, so as to prevent SQL injection attacks
- HTML generation in the web server is performed using typed structures validated statically so as to prevent HTML injection attacks
- user passwords (when not using external LDAP/AD authentication) are hashed using the bcrypt key derivation function
- updates to the Sync Appliance are performed using The Update Framework
- all services are executed using the resource isolation features of the Linux kernel
- the libraries and other dependencies used by the appliance internally are kept up-to-date via regular Sync Appliance updates
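The appliance prevents SQL and HTML injection by building queries and markup from statically checked structures. The following added Python example (not Æoncase code) shows the same defect and its runtime fix in another setting: a query assembled by string concatenation next to one using parameter binding, and a markup fragment built with and without escaping. The in-memory table and its rows are constructed for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed sample table: which space each user belongs to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, space TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "finance"), ("bob", "engineering")])
    return conn


def spaces_for_user_vulnerable(conn, name):
    """Defect: the caller-supplied value becomes part of the SQL text, so a
    value containing a quote changes the query's structure."""
    sql = "SELECT space FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def spaces_for_user_safe(conn, name):
    """Fix: the query text is fixed; the driver passes the value separately,
    so it can only ever be compared as data."""
    return [row[0] for row in conn.execute(
        "SELECT space FROM users WHERE name = ?", (name,))]


def cell_vulnerable(name):
    """Defect: the value is spliced into the markup and can add tags."""
    return "<td>" + name + "</td>"


def cell_safe(name):
    """Fix: escape the value so it is rendered as text, not as markup."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed value that changes the concatenated query
    print("vulnerable:", spaces_for_user_vulnerable(conn, probe))
    print("safe:      ", spaces_for_user_safe(conn, probe))
    print(cell_vulnerable("<b>x</b>"), "vs", cell_safe("<b>x</b>"))
```

The point of the pair is that the safe variants never let a value alter the structure of the query or the document, which is the same property the appliance obtains at build time through static construction and validation.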
Attack surface
By and large, the greatest threat to the security of the system comes from the file processing performed on the data uploaded by the users.
Even though the components of the Sync Appliance are updated regularly as security fixes are released, processing images for instance represents a large attack surface. Such processing can be disabled in the Security tab from the admin page for increased security against zero-day vulnerabilities.
Since the services offered by the Sync Appliance are not open to the public, however, the threat is limited compared to public cloud services.