Home / Another high-profile cybersecurity breach

Another high-profile cybersecurity breach

It is increasingly easy to generate large amounts of content online. With a click of a button, moments of our lives are created in photo and video and whisked immediately into the cloud. These digital assets can become a target to attackers for purposes of extortion, public embarrassment, using location meta-data for stalking, etc. In addition to malicious outside actors, both abuses by employees at cloud services and unintentional bugs may reveal private photos and videos to other users.

What can be done about this? A study (https://go.unu.edu/HGRas) from a team at Columbia Engineering considers a solution.  Their answer, called Easy Secure Photos (ESP), encrypts photos before sending them to cloud systems and decrypts them for viewing automatically, in a way that is transparent to users and without any modification to or needing to trust existing cloud photo services. At the heart of ESP is the novel encryption scheme that is compatible with the standard image formats (e.g., JPEG, PNG). This way when uploading the encrypted images to a cloud photo hosting platform, the images can still be decrypted with minimal quality loss after the usual compression performed by the cloud service.  ESP also allows for and creates encrypted thumbnails necessary for resource and bandwidth-limited mobile devices.

Realizing that most users do not understand encryption keys, the solution introduces unattended key management. This allows users to access their photos from multiple devices without having to manually share the encryption key. This greatly enhances security as the user is not in charge of handling the key. Other devices are given the key through QR Codes and the presence of another previously authorized device. Both processes are already familiar to many users.

While, ultimately, users should take great care in deciding what they should put online in the first place, there is extreme value in situating the encryption and decryption process at the user level. Naturally, as the paper demonstrated with the invisible, secure key management system, usability is key to security. The system is only practical if the encryption/decryption process is seamless. The level of difficulty and cost involved should be very high for malicious actors looking to compromise the system, yet also as low as possible for authorized users.