36 research outputs found

    Caveat Implementor! Key Recovery Attacks on MEGA

    MEGA is a large-scale cloud storage and communication platform that aims to provide end-to-end encryption for stored data. A recent analysis by Backendal, Haller and Paterson (IEEE S&P 2023) invalidated these security claims by presenting practical attacks against MEGA that could be mounted by the MEGA service provider. In response, the MEGA developers added lightweight sanity checks on the user RSA private keys used in MEGA, sufficient to prevent the previous attacks. We analyse these new sanity checks and show how they themselves can be exploited to mount novel attacks on MEGA that recover a target user’s RSA private key with only slightly higher attack complexity than the original attacks. We identify the presence of an ECB encryption oracle under a target user’s master key in the MEGA system; this oracle provides our adversary with the ability to partially overwrite a target user’s RSA private key with chosen data, a powerful capability that we use in our attacks. We then present two distinct types of attack, each type exploiting different error conditions arising in the sanity checks and in subsequent cryptographic processing during MEGA’s user authentication procedure. The first type appears to be novel and exploits the manner in which the MEGA code handles modular inversion when recomputing u = q^{-1} mod p. The second can be viewed as a small subgroup attack (van Oorschot and Wiener, EUROCRYPT 1996, Lim and Lee, CRYPTO 1998). We prototype the attacks and show that they work in practice. As a side contribution, we show how to improve the RSA key recovery attack of Backendal-Haller-Paterson against the unpatched version of MEGA to require only 2 logins instead of the original 512. We conclude by discussing wider lessons about secure implementation of cryptography that our work surfaces. ISSN: 0302-9743; ISSN: 1611-334

    Uwagi o rzeźbie greckiej i nowych kierunkach jej badań (Remarks on Greek Sculpture and New Directions in Its Study)

    This paper on new approaches to the study of Greek sculptural production first considers the problem of placing ancient artefacts on the same level as modern works of art, and the need for a new conceptualisation of them. The author then outlines the historiography of Greek sculpture, with particular reference to the study of its stylistic development. She goes on to present selected new approaches to the study of Greek sculpture that break with the long tradition of research rooted in Enlightenment and Hegelian thought and in historicism. She focuses on the results of this research that shift the interpretative emphasis from the relation between the image/sculpture and its model to that between the image and its viewer.

    MEGA: Malleable Encryption Goes Awry

    MEGA is a leading cloud storage platform with more than 250 million users and 1000 Petabytes of stored data. MEGA claims to offer user-controlled, end-to-end security. This is achieved by having all data encryption and decryption operations done on MEGA clients, under the control of keys that are only available to those clients. This is intended to protect MEGA users from attacks by MEGA itself, or by adversaries who have taken control of MEGA’s infrastructure. We provide a detailed analysis of MEGA’s use of cryptography in such a malicious server setting. We present five distinct attacks against MEGA, which together allow for a full compromise of the confidentiality of user files. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks. Four of the five attacks are eminently practical. They have all been responsibly disclosed to MEGA and remediation is underway. Taken together, our attacks highlight significant shortcomings in MEGA’s cryptographic architecture. We present immediately deployable countermeasures, as well as longer-term recommendations. We also provide a broader discussion of the challenges of cryptographic deployment at massive scale under strong threat models.

    Cloud Storage Systems: From Bad Practice to Practical Attacks

    No full text
    Cloud storage security gained significant importance in the last decades due to the vast amount of outsourced sensitive information. Increased privacy awareness has led more and more cloud operators to adopt end-to-end encryption, removing the necessity for customers to trust the providers for data confidentiality. We analyze the cryptographic design of Mega, a cloud storage provider storing over 1000 petabytes of data for more than 243 million users. This thesis contributes four severe attacks allowing a malicious service provider or man-in-the-middle adversary who compromises the TLS connection to break the confidentiality and integrity of user keys and files. We exploit the lack of ciphertext integrity of the encrypted and outsourced RSA private key and characteristics of RSA-CRT to perform a binary search for one prime factor of the RSA-2048 modulus and recover the secret key – with lattice-based optimizations – in 512 user login attempts. During a single login attempt, the second attack decrypts any key ciphertext and exploits key reuse and knowledge of the RSA key. Furthermore, the third attack allows an attacker to frame users by inserting new files indistinguishable from genuinely uploaded ones. Finally, the fourth attack contributes a new variant of Bleichenbacher’s attack on PKCS#1 v1.5 adapted for Mega’s custom padding scheme, which tolerates small unknown prefix values through a new guess-and-purge strategy. We discuss significant challenges introduced by Mega’s massive scale for a fundamental redesign of their architecture and suggest short-term and long-term countermeasures. We generalize our findings, examine the reasons for flawed cryptography in large-scale applications, and advocate for a cloud storage standard to improve the security and transparency of cloud providers in practice.