This page is automatically translated.
Is there a way to store data more securely than with an ID and password alone?
The connection to TeraCLOUD is encrypted with SSL, and the ID and password are sent to the server over that encrypted connection.
The password database on the server is protected by the one-way function (hash) provided by the OS, so it has a certain level of strength.
However, user IDs are often disclosed to other people through the public functions, chosen to match the ID used on major SNS such as Twitter, or are otherwise well-known names.
As a result, protection in practice often depends on the strength of the password alone, and in many cases that is not considered enough to protect the stored data.
Generally speaking, there are three possible ways to encrypt data.
*However, for various reasons, (3) is the only method that can actually be used with TeraCLOUD.
(1) Pass the password entered by the customer to the server and use it to encrypt a key stored on the server
In this method, the key for data encryption / decryption is stored on the server.
Passwords are changed periodically (or whenever the customer thinks it necessary) and are too weak to use directly as a key. So instead of encrypting the data with the password itself, the data is encrypted and decrypted with a randomly generated key, and that key is encrypted with the password and saved on the server.
With this method, the password sent from the client decrypts the key stored on the server side, and the data is decrypted with that key. So even when the customer changes the password, the data stored on the server does not need to be re-encrypted.
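The key handling described in method (1), as an added sketch that is not TeraCLOUD's code. The function names, the PBKDF2 parameters and the XOR-plus-HMAC wrap (a standard-library stand-in for a real key-wrap algorithm such as AES key wrap) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch


def _derive(password: str, salt: bytes):
    """Stretch the password into a 32-byte pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def wrap_key(password: str, data_key: bytes) -> bytes:
    """Return salt || wrapped key || tag: the blob the server would store."""
    if len(data_key) != 32:
        raise ValueError("data key must be 32 bytes")
    salt = secrets.token_bytes(16)  # fresh salt, so the pad is never reused
    pad, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag


def unwrap_key(password: str, blob: bytes) -> bytes:
    """Recover the data key; raise ValueError on a wrong password or tampering."""
    salt, wrapped, tag = blob[:16], blob[16:48], blob[48:]
    pad, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted blob")
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def change_password(old: str, new: str, blob: bytes) -> bytes:
    """Re-wrap the same data key; the data encrypted under it is untouched."""
    return wrap_key(new, unwrap_key(old, blob))


if __name__ == "__main__":
    data_key = secrets.token_bytes(32)           # random key that encrypts the data
    blob = wrap_key("old-password", data_key)    # constructed sample password
    blob = change_password("old-password", "new-password", blob)
    assert unwrap_key("new-password", blob) == data_key
    print("data key unchanged after password change; blob is", len(blob), "bytes")
```

Anyone who obtains the stored blob can test password guesses against its tag offline, so the wrapped key is only as strong as the password.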
However, this method has the following problems.
- It cannot be called sufficiently strong, because the key itself can be decrypted with the password the customer enters, which consists of several to a few dozen alphanumeric characters and symbols
- Even though the key is encrypted with the password, the decryption key is stored on the server
- If the password leaks, nothing can be done about it, and password leakage is the most likely incident
Therefore, this method still relies only on the strength of the password set by the customer, and if the encrypted key and the data leak through some kind of accident, the data will be decrypted.
Also, it is incompatible with the "shared function" that many people use on TeraCLOUD: when a shared folder without a password is created, the shared data is decrypted, so depending on the size of the folder there will be a period during which the user cannot operate.
*TeraCLOUD processes operations one at a time in order to prevent data corruption. Because encryption / decryption is heavy processing, there is a period during which the user cannot operate.
(2) Send a key file every time
Unlike method (1), in this method the key generated by the client is sent to the server.
As mentioned above, the route is encrypted with SSL, so the key transmission itself is robust. However, because this method uses a proprietary protocol, standard client software cannot be used, and access is possible only from a web browser.
TeraCLOUD places importance on working with standard client software as much as possible, so although this method is robust, it is incompatible with this service.
(3) Have an encryption engine in the client and send the encrypted data as it is
In this method, in addition to (2), the encryption engine is on the customer's computer, so only encrypted data is stored on the server.
The merit of this method is that even if data leaks through some kind of accident (leakage of the password, etc.), it is not known what the data contains, and even if it is found to be encrypted data, decryption is almost impossible.
Also, if you encrypt volume by volume instead of file by file, it is not known what kind of files the volume contains.
In addition, you can upload only the files you want to share separately, so robustness and convenience can both be kept to a reasonable degree.
As a result, (3) is the only method available with TeraCLOUD (as of January 2014).
There are various ways of encrypting on the customer's computer, including software such as "TrueCrypt" and the encrypted "sparse bundle / disk image" of Mac OS X.
When using TrueCrypt, we recommend creating volumes of about 1 GB, considering the large amount of data communication that occurs.
TrueCrypt's homepage is here
Updated on January 28, 2016