Protbox: Secure and trustworthy file sharing over cloud storage using eID tokens - Ed Duarte

Desktop App and Conference Paper

Protbox: Secure and trustworthy file sharing over cloud storage using eID tokens

Protbox is an open-source, cross-platform application for securely sharing files within existing cloud storage services like Dropbox, OneDrive, Google Drive and SugarSync.

  • confidentiality, to prevent non-authorized readings;
  • integrity control, to detect malicious tampering;
  • protection against un-wanted file removals, either by malicious or legitimate persons;
  • access control to the shared data based on strong identification and authentication of people, using the nowadays widespread electronic, personal identity tokens (eIDs for short).
Protbox desktop application
Protbox desktop application running in the background, protecting two shared folders from Dropbox.

Although similar solutions already exist, these tend to require all keys to be stored on a centralized database owned by the service provider, and hence the necessary data required for access to the shared files has to be granted to a third-party service. With Protbox, the key distribution between peers is done by leveraging special files that are exchanged through the exact same cloud storage space that is used for file sharing, thus no extra services are required other than the trustworthy national PKIs (Public Key Infrastructures) used to validate eID signatures. The files exposed to others by means of cloud sharing are completely protected from malicious or involuntary tampering.

Protbox randomly generates and uses a key per folder to protect all its contents, including files and sub-directories. Files are encrypted with AES and their integrity is ensured with HMAC-SHA1. Encrypted file names, which contain bytes that are not acceptable for naming files in existing file systems, are coded in a modified Base64 alphabet, which should work in most file systems.

The application is fully open-source, and can be freely downloaded. It works with any operating system with a suitable Java Runtime Environment. The application also features a graphical user interface for dealing with key distribution requests, which was designed to be similar to the Dropbox user interface in order to be accessible to common Dropbox users.

There are only two requirements for the host cloud storage solution: it should allow the sharing of folders by many persons, and it should allow client operating systems to have a local mount point of the shared folder. In other words, Protbox is already compatible with the most widely used cloud storage applications out-of-the-box.

Publication

A research paper describing the architecture of Protbox was published in Proceedings of the Open Identity Summit 2014, volume P-237, pages 73-84. The full text can be read on LNI or arXiv.

To cite this paper, you may use the following BibTex record:

@inproceedings{EdDuarte/openidentity2014/protbox,
  author = {Eduardo Duarte and Filipe Pinheiro and Andr{\'{e}} Z{\'{u}}quete and Helder Gomes},
  title = {Secure and trustworthy file sharing over cloud storage using eID tokens},
  booktitle = {Open Identity Summit 2014, volume P-237},
  pages = {73--84},
  year = {2014},
  publisher = {Gesellschaft für Informatik},
  isbn = {978-3-88579-631-2}
}

Talk

The paper and desktop application described in this page were presented on the 6th of November 2014 at Open Identity Summit 2014 in Stuttgart, Germany. Below are the slides used for that presentation, hosted on Speaker Deck.


  1. Moritz Borgmann, Tobias Hahn, Michael Herfert, Thomas Kunz, Marcel Richter, Ursula Viebeg, and Sven Vowé. On the Security of Cloud Storage Services. Technical report, Fraunhofer Institute for Secure Information Technology, 2012.
  2. Stephen Geerlings. Measurements for the Paranoid: The Effect of Encrypting Files in Cloud Storage. 2013.
  3. Bernd Zwattendorfer, Bojan Suzic, Peter Teufl, and Andreas Derler. Secure Hardware-Based Public Cloud Storage. Open Identity Summit, 2013.

Other posts in the open source projects collection

Other posts in the projects section

Other posts in the publications section