Cloud Storage Systems: From Bad Practice to Practical Attacks
Published:
We show that the cryptographic design of the cloud storage system MEGA does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files.
Paper: “MEGA: Malleable Encryption Goes Awry”
MEGA is a leading cloud storage platform with more than 250 million users and 1000 Petabytes of stored data, which aims to achieve user-controlled end-to-end encryption. We show that MEGA’s system does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks, showcasing their practicality and exploitability.
Website
On https://mega-awry.io, we provide an accessible overview of our attacks. The website includes videos of our proof-of-concept implementations of the attacks and links to related information as well as the attack source code.
The source code of a proof of concept implementation of the attacks are published here.
Paper
We provide an in-depth technical discussion in our paper that was published at IEEE S&P 2023 with the title MEGA: Malleable Encryption Goes Awry. This paper won the distinguished paper award at IEEE S&P.
Master’s thesis
This paper was the reslut of my master’s thesis at ETH Zurich. Originally, I looked at implementing and evaluating puncturable key wrapping for cloud storage systems at the Applied Cryptography Group. But then we got on a (fruitful) tangent and analyzed MEGA, the biggest cloud provider that offers end-to-end encryption at the time, and found serious flaws in their cryptographic design.
Cloud Storage Systems
Cloud storage security gained significant importance in the last decades due to the vast amount of outsourced sensitive information.
The following table shows different cloud storage services, their user base, and whether or not they have End-to-End Encryption (E2EE). The sources for the information in this table can be found in the thesis.
| Name | Popularity [10⁶ users] | E2EE |
|---|---|---|
| BoxCryptor | 0.5 | Yes |
| DropBox | 700 | No |
| Google Drive | 1000 | No |
| Icedrive | 0.15 | Yes |
| iCloud | 850 | No |
| Keybase | 0.1 | Yes |
| MEGA | 250 | Yes |
| Nextcloud | 20 | Yes |
| OneDrive | 500 - 1000 | No |
| pCloud | 12 | Yes |
| Seafile | 1 | Yes |
| Sync | 1.7 | Yes |
| Syncthing | 0.067 | No |
| Tresorit | 0.025 | Yes |
We notice that MEGA is the largest cloud provider which is designed to provide E2EE.
This thesis contributes four severe attacks allowing a malicious service provider or man-in-the-middle adversary who compromises the TLS connection to break the confidentiality and integrity of user keys and files in MEGA.
We exploit the lack of ciphertext integrity of the encrypted and outsourced RSA private key and characteristics of RSA-CRT to perform a binary search for one prime factor of the RSA-2048 modulus and recover the secret key—with lattice-based optimizations—in 512 user login attempts.
The second attack decrypts sign, chat, share, and file keys by exploiting key reuse and knowledge of the RSA private key. It is practical and only requires a single login attempt of the victim to decrypt a file key.
The third attack allows an adversary to frame users by inserting new files indistinguishable from genuinely uploaded ones. Finally, the fourth attack contributes a new variant of Bleichenbacher’s attack on PKCS#1 v1.5 adapted for MEGA’s custom padding scheme, which tolerates small unknown prefix values through a new guess-and-purge strategy.
We discuss the significant challenges, introduced by MEGA’s massive scale, to a fundamental redesign of MEGA’s architecture and suggest short-term and long-term countermeasures.
We generalize our findings, examine the reasons for flawed cryptography in large-scale applications, and advocate for a cloud storage standard to improve the security and transparency of cloud providers in practice.
The complete thesis is available in the Research Collection of ETH Zurich.
Acknowledgement
I would like to thank my supervisers Prof. Dr. Kenny Paterson and Matilda Backendal for their amazing support during this project. Our meetings were always an enthusiastic and insightful exchange of ideas.
Overall, this outstanding research experience reassured me in my decision to pursue a Ph.D. after finishing my Master’s degree.