
Open access
Author
Date
2022-03-06
Type
- Master Thesis
ETH Bibliography
yes
Abstract
Cloud storage security has gained significant importance in the last decades due to the vast amount of outsourced sensitive information. Increased privacy awareness has led more and more cloud operators to adopt end-to-end encryption, removing the necessity for customers to trust the providers for data confidentiality. We analyze the cryptographic design of Mega, a cloud storage provider storing over 1000 petabytes of data for more than 243 million users. This thesis contributes four severe attacks allowing a malicious service provider or man-in-the-middle adversary who compromises the TLS connection to break the confidentiality and integrity of user keys and files. We exploit the lack of ciphertext integrity of the encrypted and outsourced RSA private key and characteristics of RSA-CRT to perform a binary search for one prime factor of the RSA-2048 modulus and recover the secret key – with lattice-based optimizations – in 512 user login attempts. During a single login attempt, the second attack decrypts any key ciphertext and exploits key reuse and knowledge of the RSA key. Furthermore, the third attack allows an attacker to frame users by inserting new files indistinguishable from genuinely uploaded ones. Finally, the fourth attack contributes a new variant of Bleichenbacher’s attack on PKCS#1 v1.5 adapted for Mega’s custom padding scheme, which tolerates small unknown prefix values through a new guess-and-purge strategy. We discuss significant challenges introduced by Mega’s massive scale for a fundamental redesign of their architecture and suggest short-term and long-term countermeasures. We generalize our findings, examine the reasons for flawed cryptography in large-scale applications, and advocate for a cloud storage standard to improve the security and transparency of cloud providers in practice.
Permanent link
https://doi.org/10.3929/ethz-b-000555337
Publication status
published
Publisher
ETH Zurich
Subject
Cloud Storage; Key Management; Key Recovery Attacks; File-injection Attacks
Organisational unit
09653 - Paterson, Kenneth / Paterson, Kenneth