You are looking at a specific version 20201115:232615 of this paper. See the latest version.

Paper 2020/1439

Cryptographic Vulnerabilities and Other Shortcomings of the Nextcloud Server Side Encryption as implemented by the Default Encryption Module

Kevin "Kenny" Niehage

Abstract

Nextcloud provides a server side encryption feature that is implemented by the Default Encryption Module. This paper presents cryptographic vulnerabilities that existed within the Default Encryption Module as well as other shortcomings that still need to be addressed. The vulnerabilities allowed an attacker to break the provided confidentiality and integrity protection guarantees. There is a high risk that ownCloud also contains some of the issues presented in this paper as it still has cryptographic code in common with Nextcloud.

Note: The vulnerabilities presented in this paper have led to CVE-2020-8133, CVE-2020-8150, CVE-2020-8152 and CVE-2020-8259.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint. MINOR revision.
Keywords
NextcloudownCloudserver side encryptiondefault encryption modulemessage authentication code collisionsrelated block cipher mode keystreamsknown-plaintext attackinsufficient key management
Contact author(s)
kevin @ niehage name
History
2023-08-06: last of 3 revisions
2020-11-15: received
See all versions
Short URL
https://ia.cr/2020/1439
License
Creative Commons Attribution
CC BY
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.