Paper 2020/1439
Cryptographic Vulnerabilities and Other Shortcomings of the Nextcloud Server Side Encryption as implemented by the Default Encryption Module
Abstract
Nextcloud provides a server side encryption feature that is implemented by the Default Encryption Module. This paper presents cryptographic vulnerabilities that existed within the Default Encryption Module as well as other shortcomings that still need to be addressed. The vulnerabilities allowed an attacker to break the provided confidentiality and integrity protection guarantees. There is a high risk that ownCloud also contains some of the issues presented in this paper as it still has cryptographic code in common with Nextcloud.
Note: The vulnerabilities presented in this paper have led to CVE-2020-8133, CVE-2020-8150, CVE-2020-8152 and CVE-2020-8259.
Metadata
- Available format(s)
-
PDF
- Category
- Applications
- Publication info
- Preprint.
- Keywords
- NextcloudownCloudserver side encryptiondefault encryption moduleMAC collisionsrelated block cipher modesCVE
- Contact author(s)
- kevin @ niehage name
- History
- 2023-08-06: last of 3 revisions
- 2020-11-15: received
- See all versions
- Short URL
- https://ia.cr/2020/1439
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2020/1439,
author = {Kevin "Kenny" Niehage},
title = {Cryptographic Vulnerabilities and Other Shortcomings of the Nextcloud Server Side Encryption as implemented by the Default Encryption Module},
howpublished = {Cryptology {ePrint} Archive, Paper 2020/1439},
year = {2020},
url = {https://eprint.iacr.org/2020/1439}
}
