MEGA: Malleable Encryption Goes Awry
Date
2023
Publication Type
Conference Paper
ETH Bibliography
yes
Abstract
MEGA is a leading cloud storage platform with more than 250 million users and 1000 Petabytes of stored data. MEGA claims to offer user-controlled, end-to-end security. This is achieved by having all data encryption and decryption operations done on MEGA clients, under the control of keys that are only available to those clients. This is intended to protect MEGA users from attacks by MEGA itself, or by adversaries who have taken control of MEGA’s infrastructure.
We provide a detailed analysis of MEGA’s use of cryptography in such a malicious server setting. We present five distinct attacks against MEGA, which together allow for a full compromise of the confidentiality of user files. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks. Four of the five attacks are eminently practical. They have all been responsibly disclosed to MEGA and remediation is underway.
Taken together, our attacks highlight significant shortcomings in MEGA’s cryptographic architecture. We present immediately deployable countermeasures, as well as longer-term recommendations. We also provide a broader discussion of the challenges of cryptographic deployment at massive scale under strong threat models.
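The title's "malleable encryption" refers to a general property that the abstract does not spell out: in an unauthenticated mode such as ECB, anyone who holds a ciphertext, including the storage server, can rearrange or splice its blocks and the client will decrypt the result without any error. The following script is an added illustration of that property for this page; it is not code from the paper, from MEGA, or a reproduction of the five attacks. It uses a toy 16-byte Feistel block cipher built from HMAC-SHA256 as a stand-in for AES (an assumption made so the script runs on the standard library alone); the ECB, block-swapping and encrypt-then-MAC logic is unchanged from what it would be with a real block cipher. All keys and plaintexts are constructed sample values.

```python
"""
Added illustration (not from the MEGA paper or MEGA's code): why a malicious
server can tamper with ECB-mode ciphertext undetected, and what an
authentication tag changes. A toy Feistel block cipher built from HMAC-SHA256
stands in for AES so this runs with only the standard library.
"""
import hashlib
import hmac

BLOCK = 16        # block size in bytes
ROUNDS = 4
TAG_LEN = 32      # HMAC-SHA256 tag length


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: first 8 bytes of HMAC-SHA256(key, round || half).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy block cipher (4-round Feistel network) on one 16-byte block."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "ECB needs whole blocks; no padding here"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted independently under the same key.
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(block_decrypt(key, b) for b in _blocks(data))


def swap_blocks(ct: bytes, i: int, j: int) -> bytes:
    """What a malicious server can do: reorder ciphertext blocks without the key."""
    blocks = _blocks(ct)
    blocks[i], blocks[j] = blocks[j], blocks[i]
    return b"".join(blocks)


def etm_encrypt(enc_key: bytes, mac_key: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC: the tag binds the whole ciphertext, so block edits are caught."""
    ct = ecb_encrypt(enc_key, pt)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def etm_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext rejected: authentication tag mismatch")
    return ecb_decrypt(enc_key, ct)


def demo() -> dict:
    """Run the malleability checks and return each observation as a bool."""
    key = b"\x11" * 32                      # constructed encryption key
    mac_key = b"\x22" * 32                  # constructed MAC key
    # Constructed plaintext: four blocks, with blocks 1 and 3 identical.
    p = [b"block0-secret---", b"repeated-block--",
         b"block2-secret---", b"repeated-block--"]
    pt = b"".join(p)
    ct = ecb_encrypt(key, pt)
    out = {}
    # 1. ECB leaks equality: identical plaintext blocks give identical ciphertext blocks.
    out["equal_blocks_leak"] = ct[16:32] == ct[48:64]
    # 2. Swapping ciphertext blocks swaps the plaintext; decryption does not fail.
    out["swap_undetected"] = ecb_decrypt(key, swap_blocks(ct, 0, 2)) == p[2] + p[1] + p[0] + p[3]
    # 3. Cut-and-paste: overwrite block 3 with block 0's ciphertext; the victim now
    #    decrypts an attacker-chosen, already-seen plaintext in that position.
    out["splice_undetected"] = ecb_decrypt(key, ct[:48] + ct[:16])[48:] == p[0]
    # 4. With an authentication tag the honest ciphertext still decrypts...
    blob = etm_encrypt(key, mac_key, pt)
    out["etm_roundtrip"] = etm_decrypt(key, mac_key, blob) == pt
    # ...and the same block swap is rejected instead of silently accepted.
    tampered = swap_blocks(blob[:-TAG_LEN], 0, 2) + blob[-TAG_LEN:]
    try:
        etm_decrypt(key, mac_key, tampered)
        out["etm_rejects_swap"] = False
    except ValueError:
        out["etm_rejects_swap"] = True
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two caveats on the design. The MAC removes malleability but not the equality leak (check 1 still holds with the tag present), so the practical fix is an authenticated mode such as AES-GCM rather than ECB plus a tag. And in the malicious-server setting the abstract describes, the server legitimately holds every ciphertext, so any value it stores that the client decrypts without an integrity check, key material included, is reachable by exactly this kind of block manipulation.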
Publication status
published
Book title
2023 IEEE Symposium on Security and Privacy (SP)
Pages / Article No.
146 - 163
Publisher
IEEE
Event
44th IEEE Symposium on Security and Privacy (SP 2023)
Subject
Cryptography; Cryptanalysis; Cloud storage; Key compromise; Plaintext recovery; ECB mode; RSA-CRT; Bleichenbacher
Organisational unit
09653 - Paterson, Kenneth