End-to-end encryption without key rotation is a fatal shortcut

End-to-end encryption

People and organizations all have data that they want to collaborate on and keep safe. We use a multitude of online services that make our life easier by outsourcing the day-to-day management of IT infrastructure. Long gone are the days when you had a central copy of your data on your PC, while local file-sharing servers are also becoming obsolete. The catch with the cloud and online services built on it is that they are hacked, and regularly. But let’s not kid ourselves, local IT infrastructure is vulnerable to hacking as well.

End-to-end encryption is a great technology that can be used to ensure that data is only visible to the users with whom it has been shared. An end-to-end encrypted service has no access to user information, because it only sees encrypted content. All the encryption and key management happens on the user’s machine via installed software or in the browser.

End-to-end encryption has come a long way over the past decade:

  • All password managers use end-to-end encryption to protect all your other passwords. A few players to mention are built-in browser solutions such as LastPass, Dashlane, Bitwarden and 1Password.
  • In the chat space, companies like WhatsApp and Signal are leading the way. Now, all major players in the consumer market are either end-to-end encrypted like iMessage, or have the option to turn it on, like Facebook Messenger.
  • In the online conference call space, Zoom and Microsoft Teams have end-to-end encryption available as an option in certain limited settings.
  • In the storage space, Tresorit has provided end-to-end encrypted file and folder sharing for enterprises and consumers alike for over a decade. Apple has just released its advanced data protection feature for iCloud, while Dropbox has just acquired Boxcryptor IP and is rumored to be implementing its own end-to-end encrypted solution.

If end-to-end encryption is applied properly, it can achieve on-premise-level security in the cloud. However, the recent data breach of LastPass has shown that not all end-to-end encrypted products provide the same level of security. As with any IT question, this issue quickly becomes very complex, but in this article, we aim to break it down.

The first assumption we will make about the security model is that all the providers are regularly hacked. In other words, the encrypted data stored on the service is accessible to everyone. We make this assumption because end-to-end encrypted providers promise that even if they are hacked, your encrypted data is still safe.

Perhaps you are someone who always uses a strong password (18+ character random-like), whose devices are secured with strong encryption with a PIN code that nobody can ever “accidentally” spy on. Perhaps you are also someone who knows, without doubt, that everyone you share confidential content with is maintaining the same security practices. If so, read no further, because all end-to-end encrypted solutions on the market will keep your data safe. But if you happen to be in the other 100% of readers, then let’s see what can go wrong.

At Tresorit, we analyzed multiple password managers on the market in depth in light of the LastPass data breach. We were unpleasantly surprised by the lack of cryptographic features in some products, the most notable of which was the lack of key rotation and key versioning.

In end-to-end encrypted products, every data item can be decrypted via a chain of keys following a set structure. You start off with your password, from which you derive a master key. You open a folder key with your master key, and in that folder, you find a file key that opens the file.

Services like Apple advanced data protection and 1Password eliminate the reliance on user passwords altogether, instead trusting your device and biometrics to keep the master key safe. Both services allow you to create a recovery key that you need to keep safe. However, if you lose all your devices, then without the recovery key, you lose everything.

In real life, passwords are leaked and devices are lost. Therefore, users need the ability to change passwords and revoke devices. In such a scenario, all cryptographic keys that were accessible via the device or password should be considered leaked as well.

This means that all new data should be encrypted with a brand-new chain of keys. This is called lazy re-encryption: there is no point in re-encrypting the existing data, because it has already leaked and should be considered public knowledge from a security point of view.

Tresorit implements lazy re-encryption via key versioning, which means that the master key has a version number that increases monotonically. At any point in time, if something is about to be encrypted using a key with a smaller version than the master key, a new key is randomly generated instead and assigned the same version number as the current master key. The master key is rotated proactively on a regular basis, and at high-risk events such as a password change or device removal.

Lazy re-encryption becomes trickier with shared folders. Tresorit shared folders all have their own shared master key with their own lazy re-encryption. This master key is shared using asymmetric sharing keys between users. Sharing keys are also rotated proactively and regularly, and at high-risk events such as a password change or device removal. If a sharing key is rotated, then all shared master keys must be rotated and their version increased. Master keys are also rotated whenever folder memberships change, so removed users will no longer be able to decrypt new content in the shared folder.

You may grasp from the above that this functionality is extremely complex to implement. Tresorit takes pride in the fact that these procedures have been part of the product since day one.

Organizations using LastPass have a real problem on their hands: their shared folders have no key rotation or versioning. Even if your employees change all of the organization’s master passwords, as well as the passwords stored in shared folders, you are left just as vulnerable as before — because if even a single employee’s old master password gets cracked further down the line, hackers will be able to access the new shared passwords in case of another data breach. Why? Because the new shared passwords are encrypted with the same encryption key.
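The versioning rule and the no-rotation case described above can be compared in a small model. This is an added example, not Tresorit's or LastPass's code: the `Folder` class, its methods and `scenario` are hypothetical names, and the HMAC-based `wrap` is a standard-library stand-in for a real authenticated key wrap.

```python
import hashlib, hmac, secrets

def _prf(master, data):
    return hmac.new(master, data, hashlib.sha256).digest()

def wrap(master, key):
    # Stdlib stand-in for an AEAD key wrap; use a vetted AEAD in real code.
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(key, _prf(master, b"enc" + nonce)))
    return nonce, body, _prf(master, b"mac" + nonce + body)

def unwrap(master, blob):
    nonce, body, tag = blob
    if not hmac.compare_digest(tag, _prf(master, b"mac" + nonce + body)):
        return None  # wrong master key
    return bytes(a ^ b for a, b in zip(body, _prf(master, b"enc" + nonce)))

class Folder:
    def __init__(self, rotate_keys=True):
        self.rotate_keys = rotate_keys
        self.version = 1
        self.masters = {1: secrets.token_bytes(32)}  # old versions kept for reads
        self.items = {}  # name -> (key version, wrapped item key)

    def high_risk_event(self):
        # Password change, device removal or membership change.
        if self.rotate_keys:
            self.version += 1
            self.masters[self.version] = secrets.token_bytes(32)
        # Without rotation only the credential changes; the key chain stays.

    def write(self, name):
        ver, blob = self.items.get(name, (0, None))
        if ver < self.version:  # key older than master: generate a fresh one
            blob = wrap(self.masters[self.version], secrets.token_bytes(32))
        self.items[name] = (self.version, blob)

def readable_with(leaked_master, folder):
    # Items whose key an attacker holding leaked_master can unwrap.
    return sorted(name for name, (_, blob) in folder.items.items()
                  if unwrap(leaked_master, blob) is not None)

def scenario(rotate_keys, rewrite_old=False):
    folder = Folder(rotate_keys)
    folder.write("old-password")
    leaked = folder.masters[1]        # old master key, cracked later
    folder.high_risk_event()
    folder.write("new-password")      # written after the event
    if rewrite_old:
        folder.write("old-password")  # lazily re-keyed on next write
    return readable_with(leaked, folder)
```

With rotation, the leaked version-1 key opens only what was written before the event; without it, the same key also opens everything written afterwards.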

LastPass assumed that all their users would use secure passwords and never get breached or phished — now, in such a devastating scenario, their organizations may not have a way out. In IT security, you need to be able to detect an attack and then recover from that attack. Forced key rotation and versioning reduce the attack surface and make recovery easier.