Paper 2020/1439

Cryptographic Vulnerabilities and Other Shortcomings of the Nextcloud Server Side Encryption as implemented by the Default Encryption Module

Kevin "Kenny" Niehage
Abstract

Nextcloud provides a server side encryption feature that is implemented by the Default Encryption Module. This paper presents cryptographic vulnerabilities that existed within the Default Encryption Module as well as other shortcomings that still need to be addressed. The vulnerabilities allowed an attacker to break the provided confidentiality and integrity protection guarantees. There is a high risk that ownCloud also contains some of the issues presented in this paper as it still has cryptographic code in common with Nextcloud.

Note: The vulnerabilities presented in this paper have led to CVE-2020-8133, CVE-2020-8150, CVE-2020-8152 and CVE-2020-8259.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint.
Keywords
Nextcloud, ownCloud, server side encryption, default encryption module, MAC collisions, related block cipher modes, CVE
Contact author(s)
kevin @ niehage name
History
2023-08-06: last of 3 revisions
2020-11-15: received
Short URL
https://ia.cr/2020/1439
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2020/1439,
      author = {Kevin "Kenny" Niehage},
      title = {Cryptographic Vulnerabilities and Other Shortcomings of the Nextcloud Server Side Encryption as implemented by the Default Encryption Module},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1439},
      year = {2020},
      note = {\url{https://eprint.iacr.org/2020/1439}},
      url = {https://eprint.iacr.org/2020/1439}
}