ETH Zurich : Computer Science : Pervasive Computing : Distributed Systems : Education : Student Projects : Abstract

Verifying Cloud Encryption Credentials through Mobile Device Interactions (B)

Status: Abgeschlossen

Users store an increasing amount of personal data in social networks and cloud storage systems, to have it available anytime, anywhere, and share with friends and family. The privacy of such personal data has become one of the biggest concerns for end-users and regulators today. Encryption solutions such as PGP encryption are available, which could be used by end-users to encrypt data before uploading it to the cloud. However, they remained widely unused, the biggest problem being the distribution, and in particular the secure verification of public keys over a trusted channel.

Given the high number of user contacts, the standard method of verifying PGP keys today - through manual verification of a 40 character long fingerprint of the key - has major usability and scalability drawbacks. As a consequence, most PGP users use unverified public keys exchanged over an insecure Internet channel, and thus remain vulnerable to man-in-the-middle attacks and compromise the security of their communications.

In this thesis, we propose making use of the ubiquitously available mobile devices to verify exchanged pubic key via several out-of-band, trusted channels, such as SMS messages or direct, physical device interactions (e.g., Bluetooth connections, QR Codes). Once verified, the trusted keys are automatically signed by the device and uploaded to the cloud, to be available on any user device, such as personal laptops, desktops, etc.

The central part of this thesis is a mobile phone application for the Android platform that can:

- encode and display the fingerprint of a public key in a QR codes

- capture and decode the QR code

- transmit the fingerprint of a public key in an SMS message (send and receive functionality by intercepting an incoming SMS)

- sync the list of verified contacts to other devices through a shared Dropbox account. The list of verified contacts should be signed with the users' private key.

Additionally, this thesis work can implement a Firefox plugin or Java desktop application that connects to the shared Dropbox account and syncs up on the exchanged and verified public keys.