Privacy in the Cloud: Ephemerising your Data


This post is the first in a series that I would like to call Privacy in the Cloud. My aim is to look at various techniques and technologies that can be used to not only protect our data being stored in the Cloud, but to also  inform us of that protection. I shall also look at the notion of privacy from the view points of the entities involved i.e. service provider and service requester, in terms of legal obligations and ramifications, and the societal aspects. Other topics will be introduced and addressed once I have thought of them…

Destroying Data

One of the interesting problems that can arise in the Cloud is that of data availability, where data is reliably available on the cloud. Another, related and just as important notion is that of data unavailability, where data is made unrecoverable after a set period. This is important for information that is sensitive and transitory in nature. Recall the messages (or instructions) in the popular television series Inspector Gadget and Mission Impossible:

This message will self destruct in 40 seconds.

In such messages the aim is to reduce number of copies that can be made and also stop access to that data after a set period of time has elapsed.

The obvious solution is to use encryption in which the data is encrypted and the keys used are deleted after a certain period of time. Note normal erasure methods i.e. deletion and repeated rewrites of the data on disk, are not enough as the data can still be recovered via special techniques, obfuscation of the data is needed. The crux of the problem regarding any cryptographic system is that of key management. Recently I have read the Sun Micro-systems technical report SMLI TR-2005-140 in which Radia Perlman introduced the idea of the Ephemeriser as a means to provide self-destructing data. This has been part of recent reading for a course I am undertaking.

In this post I shall introduce the idea of the Ephemeriser , subsequent posts shall look at a variant of the Ephemeriser called Timed-Ephemeriser and other data destroying methods such as Vanish.

The Ephemeriser

In the Ephemeriser System there are three entities:

  1. Alice — the data generator
  2. Bob — the data consumer, who can also be Alice herself, and
  3. Eve — the Ephemeriser that provides key management

The aim of the Eve (an external server) is to create and advertise a series of Public Key and expiration time pairs. These keys shall be used to encrypt the ephemeral (transitory) data and that after the expiration time the Secret Key is then destroyed. Once Alice has selected and encrypted her data using the key, she then sends the message to Bob. In order for Bob to access the data he collaborates with Eve.

The message passing can be summarised as follows:Ephemeriser Message Sequence

In order to ensure the proper destruction of data and also the unwanted copying of the data, Perlman assumes that the software involved (especially in relation to Bob) does not have the ability to copy the decrypted data or hold it in stable storage for use later on.

In the tech. report Perlman provides two implementations of Ephemeriser, one using Triple Encryption using Public Key Encryption and another more efficient implementation that uses blind encryption. In this posting only the Triple Encryption variant shall be described.

Implementation Using Triple Encryption

Each entity has their own long term encryption and encryption key pairs. Eve will advertise a triple that consists of a public key, Key ID and expiration time. The Key ID is used to identify the corresponding secret key that is stored by Eve.

Please note that the notation used to denote asymmetric encryption goes against the grain of the standard, but this is the notation used in the report itself.


In order to encrypt the message m, Alice:

  1. Encrypts M using a secret per message key S
  2. Chooses an ephemeral secret T, that will act as an integrity check
    and link between the message encryption key and the ephemeral key.
  3. Selects an expiration date, thus obtains a suitable ephemeral key from Eve.
  4. The key S shall be triply encrypted using the Public Key of Bob,
    the Ephemeral Key and finally the ephemeral secret T
  5. Produces a message authentication code of the message encryption key S that has been double encrypted using the public key of bob and the ephemeral key, that has been concatenated to the ephemeral key using a keyed hash function using the ephemeral secret T as the key.

Finally Alice sends to Bob the following:


which is the encrypted ephemeral secret T, the protected per-message key S, the encrypted message M, the Key ID of the ephemeral key, the ephemeral key and the message authentication code.


The decryption itself consists of three stages the initial decryption of the data by Bob, the use of Eve to remove the ephemeral protection and finally the actual access to the data by Bob.

Bob’s First Task

On receipt of Alice’s message Bob will:

  1. Obtains the ephemeral secret T.
  2. Obtain the protected per-message key using T.
  3. Verifies the produced per-message key through calculation of a message authentication code and comparison against the sent one.
  4. Then Bob chooses a per-message key J to secure communication between himself and Eve.
  5. Encrypts this key with the ephemeral key sent by Alice.
  6. Encrypts the protected per-message key using J.

Finally Bob sends to Eve the following:


which is the key id, the protected per-message key J and the protected per-message key S.

Eve’s Task

On receipt of Bob’s message Eve:

  1. Selects the decryption key corresponding to the ephemeral key ID sent.
  2. Obtains the per-message key J.
  3. Using J obtains the protected per-message key S used.
  4. Decrypts the protected per-message key S using the secret ephemeral key, so that it is now only protected by Bob’s public key.

Finally Eve re-encrypts the protected per-message key S using J and sends this back to Bob, hence the final message is:


Bob’s Second Task

Thus on receipt of Eve’s message, Bob:

  1. Decrypts the protected per-message key S using J.
  2. Obtains S by decrypting the previous result using his secret key.

Once Bob has obtained S he can then obtain the message M.