Paper 2024/546

Share with Care: Breaking E2EE in Nextcloud

Martin R. Albrecht, King’s College London
Matilda Backendal, ETH Zurich
Daniele Coppola, ETH Zurich
Kenneth G. Paterson, ETH Zurich
Abstract

Nextcloud is a leading cloud storage platform with more than 20 million users. Nextcloud offers an end-to-end encryption (E2EE) feature that is claimed to be able “to keep extremely sensitive data fully secure even in case of a full server breach”. They also claim that the Nextcloud server “has Zero Knowledge, that is, never has access to any of the data or keys in unencrypted form”. This is achieved by having encryption and decryption operations that are done using file keys that are only available to Nextcloud clients, with those file keys being protected by a key hierarchy that ultimately relies on long passphrases known exclusively to the users. We provide the first detailed documentation and security analysis of Nextcloud's E2EE feature. Nextcloud's strong security claims motivate conducting the analysis in the setting where the server itself is considered malicious. We present three distinct attacks against the E2EE security guarantees in this setting. Each one enables the confidentiality and integrity of all user files to be compromised. All three attacks are fully practical and we have built proof-of-concept implementations for each. The vulnerabilities make it trivial for a malicious Nextcloud server to access and manipulate users' data. We have responsibly disclosed the three vulnerabilities to Nextcloud. The second and third vulnerabilities have been remediated. The first was addressed by temporarily disabling file sharing from the E2EE feature until a redesign of the feature can be made. We reflect on broader lessons that can be learned for designers of E2EE systems.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Published elsewhere. 9th IEEE European Symposium on Security and Privacy, Euro S&P 2024
Keywords
Real-world cryptography, End-to-end encryption, Attacks, Cloud storage, Nextcloud
Contact author(s)
martinralbrecht @ googlemail com
mbackendal @ inf ethz ch
daniele coppola @ inf ethz ch
kenny paterson @ inf ethz ch
History
2024-04-10: approved
2024-04-08: received
Short URL
https://ia.cr/2024/546
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/546,
      author = {Martin R. Albrecht and Matilda Backendal and Daniele Coppola and Kenneth G. Paterson},
      title = {Share with Care: Breaking E2EE in Nextcloud},
      howpublished = {Cryptology ePrint Archive, Paper 2024/546},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/546}},
      url = {https://eprint.iacr.org/2024/546}
}