A method to break the file encryption of the major cloud storage service 'MEGA' is discovered

The cloud storage service '

MEGA ' claims that user-uploaded files are encrypted end-to-end and cannot be decrypted even if someone seizes the entire infrastructure. However, according to research results released by a research team at the Swiss Institute of Technology Zurich, MEGA has a vulnerability that allows it to decrypt encrypted files and upload malicious files without permission. ... apparently ...

MEGA: Malleable Encryption Goes Awry

Mega says it can't decrypt your files. New POC exploit shows otherwise | Ars Technica

MEGA claims that it provides end-to-end encryption for files, so even MEGA employees cannot access the contents of the files, enabling secure data management and communication. .. However, a research team at the ETH Zurich discovered a fundamental flaw in MEGA's cryptographic architecture that could allow a malicious attacker to crack files or upload malicious files. ..

The research team has discovered five attack scenarios, the most important of which is the 'RSA Key Recovery Attack,' which recovers the encrypted RSA private key. MEGA users have a public RSA key that encrypts the data and a private RSA key that decrypts the data, and the private RSA key is stored in the MEGA server in encrypted form. However, by exploiting the lack of key integrity protection on MEGA's servers, it is possible for a malicious person to recover the user's private RSA key.

The key to RSA key recovery attacks is that MEGA's servers do not reject invalid keys entered during login attempts, but rather interact with the server. At this time, the session ID that can be intercepted by an attacker who controls the API backend of MEGA or executes a TLS man-in-the-middle attack can provide information on whether the sent prime number is larger or smaller than the legitimate value. Can be done. This information serves as a clue to factorization, which is the key to RSA encryption, and by accumulating a small amount of information obtained for each login attempt, the private RSA key can be decrypted after 1023 login attempts. Also, if you are using lattice-based cryptography , you can reduce the number of login attempts required to 512.

By using the private RSA key decrypted in this way, a malicious attacker can decrypt all the related encryption keys. The research team states that the attack method was proof-of-concepted using fake certificates to prevent compromise of MEGA's infrastructure and servers.

The research team also claims that it is possible to launch the following attacks on the premise of an RSA key recovery attack.

◆ Plain text recovery attack
Due to the lack of key separation in MEGA's encryption architecture, it is possible to decrypt other encryption keys based on the information obtained in the RSA key recovery attack. This makes it possible to read MEGA encrypted files and folders, plain text such as chats, etc.

◆ Framing attack
Using the keys obtained in RSA key recovery attacks and plaintext recovery attacks, malicious attackers can upload forged data to cloud storage. Files encrypted in the right way are indistinguishable from files uploaded by real users.

◆ Integrity attack
In this attack, the file can be forged in the same way as the framing attack by manipulating the encrypted node key so that the decrypted key consists of all 0 bytes. However, this attack is easier to expose than a framing attack and can be spotted by observing users.

◆ GaP-Bleichenbacher attack
The research team explains that it is possible to decrypt the RSA ciphertext and obtain a private RSA key etc. by exploiting the chat function of MEGA. This attack does not assume an RSA key recovery attack, but it requires an average of 217 login attempts, making it a fairly challenging attack method.

The research team privately notified MEGA of these vulnerabilities in March 2022, and on June 21, MEGA began rolling out updates to prevent attacks. However, the research team points out that the update is a 'makeshift' to thwart RSA key recovery attacks. Preventing RSA key recovery attacks makes plaintext recovery attacks and framing attacks that presuppose this impossible, but systematic issues related to encryption architecture and integrity have not been fixed in the first place. Insist.

In an email to tech media Ars Technica, the research team said, 'Updates that only address RSA key recovery attacks could still exploit the vulnerability if other prerequisites were met in some different way. So we don't support this patch, but MEGA's system is no longer vulnerable to the chain of attacks we have proposed. '

The research team believes that the MEGA update is now only for RSA key recovery attacks because the MEGA platforms are interrelated and difficult to fix in their entirety. For example, in order for MEGA to move to a different cryptographic architecture, all users would have to download and re-upload data, as MEGA already stores more than 1000 PB ( petabytes ) of data. It will take more than half a year to migrate everything. Therefore, MEGA has the advantage of adopting a short-term approach rather than a time-consuming and costly long-term approach.

In the official statement regarding this vulnerability and upload, MEGA requires at least 512 login attempts to execute the RSA key recovery attack, but in MEGA, 'Resume existing session' is the login. He points out that the hurdle to try 512 logins while an attacker is intercepting a communication is very high. He added that this update uses a practical method, as it is difficult and burdensome for users to fix flaws in cloud-based encryption systems.

MEGA Security Update --Mega Blog

in Web Service,   Security, Posted by log1h_ik