Paper 2022/959
MEGA: Malleable Encryption Goes Awry
Abstract
MEGA is a leading cloud storage platform with more than 250 million users and 1000 Petabytes of stored data. MEGA claims to offer user-controlled, end-to-end security. This is achieved by having all data encryption and decryption operations done on MEGA clients, under the control of keys that are only available to those clients. This is intended to protect MEGA users from attacks by MEGA itself, or by adversaries who have taken control of MEGA’s infrastructure. We provide a detailed analysis of MEGA’s use of cryptography in such a malicious server setting. We present five distinct attacks against MEGA, which together allow for a full compromise of the confidentiality of user files. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks. Four of the five attacks are eminently practical. They have all been responsibly disclosed to MEGA and remediation is underway. Taken together, our attacks highlight significant shortcomings in MEGA’s cryptographic architecture. We present immediately deployable countermeasures, as well as longer-term recommendations. We also provide a broader discussion of the challenges of cryptographic deployment at massive scale under strong threat models.
Metadata
- Available format(s)
- Category
- Attacks and cryptanalysis
- Publication info
- Published elsewhere. 44rd IEEE Symposium on Security and Privacy, S&P 2023
- Keywords
- Cryptanalysis Cloud storage RSA-CRT Bleichenbacher ECB mode Key compromise Plaintext recovery MEGA
- Contact author(s)
-
mbackendal @ inf ethz ch
miro haller @ alumni ethz ch
kenny paterson @ inf ethz ch - History
- 2022-07-28: approved
- 2022-07-25: received
- See all versions
- Short URL
- https://ia.cr/2022/959
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2022/959, author = {Matilda Backendal and Miro Haller and Kenneth G. Paterson}, title = {{MEGA}: Malleable Encryption Goes Awry}, howpublished = {Cryptology {ePrint} Archive, Paper 2022/959}, year = {2022}, url = {https://eprint.iacr.org/2022/959} }