Microsoft Live Mesh (aka OneDrive) Security in a Nutshell

May 29, 2008 — 7 Comments

My team at Microsoft (Windows Live Mesh, aka OneDrive) shipped the Tech Preview of the new online service – Live Mesh (in April 2008, way before other “CloudDrives”). I worked on the distributed authentication service for some time. It takes care of account management, and user/device authentication and authorization. There were many questions asked by early adopters about how their data is transmitted and stored in Live Mesh, and how access is controlled. Here I provide some information about it.

Here is the diagram that illustrates all communications between user devices and Live Mesh cloud services and encryption/security mechanisms used in these communication channels:

Live Mesh Security

Live Mesh security is rooted at the authentication provider (Windows Live ID, aka Microsoft Passport, is our provider today) which is used for initial user and device authentication. Once a user or a device is authenticated and a corresponding authentication token is obtained, the Live Mesh client passes this token to the Live Mesh Account service to access the root of the user’s mesh and to get the initial set of Live Mesh tickets. These tickets are used for further Mesh operations on other resources that this root is pointing to. All communications with the Live Mesh cloud services are done via HTTPS / SSL, so 3rd parties cannot intercept and read client-server communication.

All user (or device) related resources in Live Mesh are organized in a RESTful manner, i.e. they form a graph where each node is identified by a unique URL and represents a given resource. Nodes contain resource metadata and links to other resources. Mesh operations are essentially CRUD operations on the nodes of the user tree or nodes of other user trees if those users shared any data. Live Mesh cloud services check access rights in each operation by inspecting passed tickets and authorizing access only if a correct set of tickets is passed. Tickets can be obtained from the Account service or from responses to previous cloud operations.

Live Mesh authorization tickets are standard SAML tickets. They are digitally signed with the Live Mesh private key to prevent spoofing and they expire after a limited lifetime. Some tickets are used to just authenticate users or devices, other tickets contain authorization information about user/device rights. Cloud services inspect each resource request and authorize access only if it contains valid tickets (correctly signed and not expired) and these tickets specify that the requestor indeed has access to the requested resource. For example, a device X can initiate P2P data synchronization with device Y only if it presents a ticket that is correctly signed by Live Mesh and contains a record saying that both device X and Y are claimed by the same user OR if it contains a record saying that X and Y have the same Live Mesh Folder mapped on them (in the case that the devices are claimed by different users that are members of this Live Mesh Folder). Tickets are passed to the cloud services in the Authorization header using HTTPS to prevent replay attacks.

Each device in Live Mesh (computers, PDAs, mobile phones) has a unique private key that is generated during Live Mesh installation and used to authenticate the device in P2P communications with other devices. When a P2P communication is being established between two devices, they first use asymmetric encryption (RSA algorithm) to exchange encryption keys and then use symmetric encryption (AES with 128 bit key) to transfer data/files over TCP/IP. The RSA exchange guards against leaking symmetric encryption keys. AES encryption protects actual data from prying eyes. Live Mesh also uses a keyed message authentication code (HMAC) to verify the integrity of the data exchanged on a P2P channel.

If there is no direct connection between two devices (for example, if one device is behind a firewall), then the cloud communication relay located in the Microsoft data center is used to forward data packets from one device to another. All the traffic is encrypted in the same way as in the case with direct P2P link, i.e. first keys are exchanged with RSA and then traffic is encrypted with AES. The cloud relay cannot decrypt/read user data, since encryption keys are exchanged with the use of asymmetric encryption (RSA).

Live Mesh cloud services help devices find each other and establish communications. They cannot read synchronized user data/files relayed through the cloud, except for the case when user files are synchronized with the cloud storage (i.e. Live Desktop). At the moment, the limited Tech Preview of Live Mesh synchronizes your files not only between your devices, but also with your cloud storage (which you can access via Live Desktop) until you reach your storage quota (5GB as of today). So your files and metadata that describes them are stored in the Microsoft datacenter. They are protected by strong access control mechanisms, but the data is not stored in encrypted form. After the storage quota has been reached, all files are synchronized only P2P and not stored in the cloud (only metadata is stored in the datacenter). In the future, Live Mesh will allow users to selectively choose which files or Live Mesh Folders they want to synchronize with the cloud. If you choose to synchronize your data/files between your devices only, Live Mesh will not store your files in the cloud and will only store metadata that lets the service to operate.

Some of Live Mesh services were later integrated into Microsoft’s OneDrive, so this information may or may not be up to date with regard of current OneDrive/SkyDrive. Read it as a historical post if you wish 🙂



7 responses to Microsoft Live Mesh (aka OneDrive) Security in a Nutshell


    “Live Mesh security is rooted at the authentication provider (Windows Live ID, aka Microsoft Passport, is our provider today) which is used for initial user and device authentication.”

    Have you considered OpenID? Seems that for this level of interaction a more open protocol would be more appropriate.



    Yes, we have considered other auth providers. They may be used in the future if there is a need for a more federated user authentication…


    This sort of information should be more visible, if it’s not already available, on Microsoft’s website! The consumers would feel so much more informed, less dumbed-down, and (for those who understand it) more confident in the live desktop security.
    I, for one, have use live mesh extensively since the beta, and love the excellent service and near instant sync’ing for my laptop and desktop =)


    Another source of technical information about Live Mesh is our team’s blog. It has articles about different parts of Live Mesh.


    Are there any plans to have the data stored in live mesh desktop encrypted? In my application, I use live mesh for backup, and I simply sync one large truecrypt file containing all my data. Very cumbersome, and hard on my bandwidth, but it’s free :).

    However, I think it’d be much better if the live mesh client application encrypted all files before they’re stored in the cloud. Otherwise, who’s to say Microsoft couldn’t ever be coerced into giving third parties our data (i.e. via subpoena from some government authority).


    To Ac23:
    automatic file encryption of files stored in the cloud (and done by the client) is certainly possible and can be added to Live Mesh. I’ll follow on this. You can also add your feature requests in this support forum if you want to.

    Right now, you can choose to sync your files only P2P and never store them in the cloud if you are concerned about privacy (not good for your backup app though). In this case, Live Mesh will just help connecting your devices and sync your data, but your files will stay only on your devices.

Trackbacks and Pingbacks:

  1. mutui - October 5, 2011


    […]Live Mesh Security in a Nutshell « My Random List[…]…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s