Mega's unbreakable encryption proves to be anything but
2022-06-22 20:58

The paper [PDF], titled "Mega: Malleable Encryption Goes Awry," by ETH cryptography researchers Matilda Backendal and Miro Haller, and computer science professor Kenneth Paterson, identifies "significant shortcomings in Mega's cryptographic architecture" that allow Mega, or those able to mount a TLS MITM attack on Mega's client software, to access user files.

"The first two attacks exploit the lack of integrity protection of ciphertexts containing keys, and allow full compromise of all user keys encrypted with the master key, leading to a complete break of data confidentiality in the MEGA system," the paper explains.

"The next two attacks breach the integrity of file ciphertexts and allow a malicious service provider to insert chosen files into users' cloud storage. The last attack is a Bleichenbacher-style attack against MEGA's RSA encryption mechanism."

Mega, in its post, cites this figure to suggest the attack is difficult to carry out, but the ETH researchers note that it's possible to further manipulate Mega's software to force the client to log in repeatedly, allowing the attack to fully reveal a key within a few minutes.

Ortmann said Mega intends to release a client fix for attack number four and to remove the legacy code that allows attack number five.

Paterson, via Twitter, said Mega has taken some steps to address these attacks but expressed disappointment that the company hasn't committed to a thorough overhaul of its approach because its cryptography is "pretty fragile."


News URL

https://go.theregister.com/feed/www.theregister.com/2022/06/22/megas_encryption_broken/