MEGA is a cloud storage and collaboration platform founded in 2013 offering secure storage and communication services. With over 250 million registered users, 10 million daily active users and 1000 PB of stored data, MEGA is a significant player in the consumer domain. What sets them apart from their competitors such as Dropbox, Google Drive, iCloud and Microsoft OneDrive is the claimed security guarantees: MEGA advertise themselves as the privacy company and promise User-Controlled end-to-end Encryption (UCE). We challenge these security claims and show that an adversarial service provider, or anyone controlling MEGA’s core infrastructure, can break the confidentiality and integrity of user data.

Key Hierarchy

At the root of a MEGA client’s key hierarchy, illustrated in the figure below, is the password chosen by the user. From this password, the MEGA client derives an authentication key and an encryption key. The authentication key is used to identify users to MEGA. The encryption key encrypts a randomly generated master key, which in turn encrypts other key material of the user.

For every account, this key material includes a set of asymmetric keys consisting of an RSA key pair (for sharing data with other users), a Curve25519 key pair (for exchanging chat keys for MEGA’s chat functionality), and an Ed25519 key pair (for signing the other keys). Furthermore, for every file or folder uploaded by the user, a new symmetric encryption key called a node key is generated. The private asymmetric keys and the node keys are encrypted by the client with the master key using AES-ECB and stored on MEGA’s servers to support access from multiple devices. A user on a new device can enter their password, authenticate to MEGA, fetch the encrypted key material, and decrypt it with the encryption key derived from the password.

MEGA uses RSA encryption for sharing node keys between users, to exchange a session ID with the user at login and in a legacy key transfer for the MEGA chat. Each user has a public RSA key \(pk_ \mod (p-1)(q-1)\).

As shown in the key hierarchy, MEGA clients encrypt the private keys for sharing, chat key transfer, and signing with the master key using AES-ECB. Furthermore, file and folder keys also use the same encryption. A plaintext recovery attack lets the adversary compute the plaintext from a given ciphertext. In this specific attack, MEGA can decrypt AES-ECB ciphertexts created with a user’s master key. This gives the attacker access to the aforementioned and highly sensitive key material encrypted in this way. With the sharing, chat, signing, and node keys of a user, the adversary can decrypt the victim’s data or impersonate them.

This attack exploits the lack of key separation for the master key and knowledge of the recovered RSA private key (e.g., from the RSA key recovery attack). The decryption oracle again arises during authentication, when the encrypted RSA private key and the session ID (SID), encrypted with the RSA public key, are sent from MEGA’s servers to the user. MEGA can overwrite part of the RSA private key ciphertext in the SID exchange with two target ciphertext blocks. It then uses the SID returned by the client to recover the plaintext for the two target blocks. Since all key material is protected with AES-ECB under the master key, an attacker exploiting this vulnerability can decrypt node keys, the victim’s Ed25519 signature key, its Curve25519 chat key, and, thus, also all exchanged chat keys.
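
The missing key separation described above can be seen in a few lines of Node.js. This is an added example, not MEGA's client code or its fix: it contrasts AES-ECB under a single master key, where a ciphertext block moved into another blob still decrypts silently, with a hardened layout that rejects the move. The hardened layout (HKDF subkeys per purpose, AES-256-GCM, the purpose labels) and all keys and data are assumptions constructed for illustration.

```javascript
// Added example: constructed keys and data, not MEGA's client code.
const { createCipheriv, createDecipheriv, hkdfSync, randomBytes } = require('node:crypto');

// Legacy layout described above: one master key, AES-128-ECB, no integrity check.
function ecb(encrypt, key, data) {
  const c = (encrypt ? createCipheriv : createDecipheriv)('aes-128-ecb', key, null);
  c.setAutoPadding(false); // inputs are whole 16-byte blocks
  return Buffer.concat([c.update(data), c.final()]);
}

// Hardened layout (assumed design): per-purpose subkey via HKDF, AES-256-GCM,
// and the purpose label bound in as associated data.
function subkey(master, purpose) {
  return Buffer.from(hkdfSync('sha256', master, Buffer.alloc(0), purpose, 32));
}
function seal(master, purpose, plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', subkey(master, purpose), iv);
  c.setAAD(Buffer.from(purpose));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]); // iv | tag | ciphertext
}
function unseal(master, purpose, blob) {
  const d = createDecipheriv('aes-256-gcm', subkey(master, purpose), blob.subarray(0, 12));
  d.setAAD(Buffer.from(purpose));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on tampering
}

// A node-key ciphertext is placed where private-key ciphertext is expected.
function spliceDemo() {
  const master = randomBytes(16);
  const nodeKey = randomBytes(16);
  const privKey = randomBytes(64); // stand-in for the encoded RSA private key
  const spliced = ecb(true, master, privKey);
  ecb(true, master, nodeKey).copy(spliced, 16); // overwrite the second block
  const decryptedBlock = ecb(false, master, spliced).subarray(16, 32);

  const sealedPriv = seal(master, 'rsa-private-key', privKey);
  const sealedNode = seal(master, 'node-key', nodeKey);
  let rejected = false;
  try { unseal(master, 'rsa-private-key', sealedNode); } catch { rejected = true; }
  return {
    ecbAcceptsSplice: decryptedBlock.equals(nodeKey), // client cannot tell
    gcmRejectsSplice: rejected,
    gcmRoundTrip: unseal(master, 'rsa-private-key', sealedPriv).equals(privKey),
  };
}
```

With ECB the client decrypts the relocated block without any error, which is the property the decryption oracle relies on; with separate subkeys and authenticated encryption the relocated ciphertext fails verification before any plaintext is used.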