Mega, the New Zealand-based file-sharing biz co-founded a decade ago by Kim Dotcom, promotes its “privacy by design” and user-controlled encryption keys to claim that data stored on Mega’s servers can only be accessed by customers, even if its main system is taken over by law enforcement or others.
The design of the service, however, falls short of that promise thanks to poorly implemented encryption. Cryptography experts at ETH Zurich in Switzerland on Tuesday published a paper describing five practical attacks that compromise the confidentiality, and in two cases the integrity, of users' files.
The paper [PDF], titled “Mega: Malleable Encryption Goes Awry,” by ETH cryptography researchers Matilda Backendal and Miro Haller, and computer science professor Kenneth Paterson, identifies “significant shortcomings in Mega’s cryptographic architecture” that allow Mega, or those able to mount a TLS MITM attack on Mega’s client software, to access user files.
The findings, detailed on a separate website, proved sufficiently severe that Kim Dotcom, no longer affiliated with the file storage company, advised potential users of the service to stay away.
Mega downplays study
Mega chief architect Mathias Ortmann meanwhile published a blog post announcing a client software update that addresses three of the five flaws identified by the researchers, promising further mitigations, and thanking the ETH Zurich boffins for responsibly reporting their findings.
“The first two attacks exploit the lack of integrity protection of ciphertexts containing keys (henceforth referred to as key ciphertexts), and allow full compromise of all user keys encrypted with the master key, leading to a complete break of data confidentiality in the MEGA system,” the paper explains. “The next two attacks breach the integrity of file ciphertexts and allow a malicious service provider to insert chosen files into users’ cloud storage. The last attack is a Bleichenbacher-style attack against MEGA’s RSA encryption mechanism.”
The root problem is that the keys Mega wraps under a user's master key (the RSA private key, the keys for files and folders, the chat keys) are encrypted with AES-ECB and carry no integrity protection, so the client cannot tell a genuine key ciphertext from one the server has tampered with. A malicious server can therefore hand the client a modified RSA private key and make the client leak information about the real one.
The first issue is an RSA key recovery attack. An attacker who controls the Mega API, or who can mount a TLS MITM attack on the client, abuses the login (authentication) protocol to extract the user's RSA private key. The attacker does this by constructing an oracle, a side channel that answers one yes/no question per run, which here yields one bit of information per login attempt about a prime factor of the RSA modulus (the integer, a product of two primes, from which the key pair is derived).
This attack takes at least 512 login attempts. Mega's post cites that figure to suggest the attack is hard to carry out, but the ETH researchers note that the same adversary can manipulate Mega's software to force the client to log in repeatedly, so the full key can be recovered within a few minutes.
And the rest
The second is a Plaintext Recovery Attack. “Building on the previous vulnerability, the malicious service provider can recover any plaintext encrypted with AES-ECB under a user’s master key,” the paper explains.
“This includes all node keys used for encrypting files and folders (including unshared ones not affected by the previous attack), as well as the private Ed25519 signature and Curve25519 chat key. As a consequence, the confidentiality of all user data protected by these keys, such as files and chat messages, is lost.”
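To make the root cause concrete, here is an added example in Go, not code from Mega or from the paper: a toy key-wrapping routine that, like the construction described above and in the quote just given, encrypts key material under a master key with AES-ECB and no authentication; the block splice a malicious server or TLS MITM could perform on such a ciphertext; and the same tampering against an authenticated mode (AES-GCM), which rejects it. The master key and the wrapped "file" and "chat" keys are constructed values, and every function name (wrapECB, spliceBlock, wrapAEAD and so on) is this example's own; it does not reproduce Mega's actual key formats or the paper's attack steps.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes

// ecbApply runs AES on each 16-byte block independently (decrypt=false wraps,
// decrypt=true unwraps). No IV and no authentication tag: nothing binds the
// blocks to each other or to their position, so the client cannot tell a
// tampered key ciphertext from a genuine one.
func ecbApply(masterKey, in []byte, decrypt bool) ([]byte, error) {
	c, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	if len(in)%blockSize != 0 {
		return nil, errors.New("input must be a whole number of AES blocks")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += blockSize {
		if decrypt {
			c.Decrypt(out[i:i+blockSize], in[i:i+blockSize])
		} else {
			c.Encrypt(out[i:i+blockSize], in[i:i+blockSize])
		}
	}
	return out, nil
}

func wrapECB(masterKey, keyMaterial []byte) ([]byte, error) { return ecbApply(masterKey, keyMaterial, false) }
func unwrapECB(masterKey, ct []byte) ([]byte, error)        { return ecbApply(masterKey, ct, true) }

// spliceBlock is the kind of edit a malicious server (or a TLS MITM) can make
// to an ECB key ciphertext: block srcIdx of src replaces block dstIdx of dst.
// Both were wrapped under the same master key, so the client decrypts the
// spliced block to the corresponding plaintext block of src, with no error.
func spliceBlock(dst, src []byte, dstIdx, srcIdx int) []byte {
	out := append([]byte(nil), dst...)
	copy(out[dstIdx*blockSize:(dstIdx+1)*blockSize], src[srcIdx*blockSize:(srcIdx+1)*blockSize])
	return out
}

func newGCM(masterKey []byte) (cipher.AEAD, error) {
	c, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(c)
}

// wrapAEAD is the contrast: an authenticated mode (AES-GCM) computes a tag
// over the whole ciphertext, so a splice or bit flip fails at unwrap time
// instead of being silently accepted. Layout: nonce || ciphertext || tag.
func wrapAEAD(masterKey, keyMaterial []byte) ([]byte, error) {
	gcm, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, keyMaterial, nil), nil
}

// unwrapAEAD returns an error whenever the tag does not verify.
func unwrapAEAD(masterKey, blob []byte) ([]byte, error) {
	gcm, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	// Constructed demo values; none of these are real Mega keys.
	masterKey := bytes.Repeat([]byte{0x11}, 16)
	fileKey := bytes.Repeat([]byte{0xAA}, 32)
	chatKey := bytes.Repeat([]byte{0xBB}, 32)

	wrappedFile, _ := wrapECB(masterKey, fileKey)
	wrappedChat, _ := wrapECB(masterKey, chatKey)
	// The server swaps the chat key's first block into the file key ciphertext.
	got, err := unwrapECB(masterKey, spliceBlock(wrappedFile, wrappedChat, 0, 0))
	fmt.Printf("ECB: error=%v, first block now equals chat key block: %v\n",
		err, bytes.Equal(got[:blockSize], chatKey[:blockSize]))

	wrapped, _ := wrapAEAD(masterKey, fileKey)
	tampered := append([]byte(nil), wrapped...)
	tampered[12] ^= 0x01 // first byte of the ciphertext region, after the 12-byte nonce
	_, err = unwrapAEAD(masterKey, tampered)
	fmt.Printf("GCM: tampered blob rejected: %v\n", err != nil)
}
```

Two things are worth noticing when running it. The ECB unwrap of the spliced ciphertext returns no error at all, which is exactly the property the paper's first four attacks build on: the client will happily use whatever key material the server substitutes. And because the constructed file key consists of two identical 16-byte halves, its two ECB ciphertext blocks are identical too, the determinism that makes block-level substitution and recognition possible in the first place. The GCM variant fails closed on the same kind of edit.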
Attacks three and four allow a malicious service provider to “break the integrity of the file encryption scheme and insert arbitrary files into the user’s file storage which pass the authenticity checks during decryption. This enables framing of the user by inserting controversial, illegal, or compromising material into their file storage.”
While this may sound outlandish, framing political opponents with fabricated evidence has been documented and represents a real threat.
The fifth attack is described as “a new Guess-and-Purge variant of Bleichenbacher’s attack.” It needs far more work, on the order of 2^17 guesses, but lets a malicious server decrypt RSA-encrypted node and chat keys.
Proof-of-concept code for these attacks has been published on GitHub.
Ortmann said Mega intends to release a client fix for attack number four and to remove the legacy code that allows attack number five.
Paterson, via Twitter, said Mega has taken some steps to address these attacks but expressed disappointment that the company hasn’t committed to a thorough overhaul of its approach, given that its cryptography is “pretty fragile.”
“On the other hand, to fix everything thoroughly, all of [Mega’s] customers would have to download all their files, re-encrypt them, and upload them again,” he said. “With 1000 Petabytes of data to deal with, that’s going to hurt.”
Paterson and his colleagues argue that companies should work to standardize secure cloud storage to avoid repeated ad hoc implementations that repeat the same errors.
“We believe that this would be the easiest path to avoid attacks stemming from the lack of expert knowledge among developers, and that it would enable users to finally have confidence that their data remains just that – theirs,” the paper concludes. ®