Cloud Storage Systems: From Bad Practice to Practical Attacks

3 minute read

Published:

For my Master’s thesis, I analyzed cloud storage systems at the Applied Cryptography Group at ETH Zurich. During this project, we analyzed MEGA, the biggest cloud provider that offers end-to-end encryption at the time, and found serious flaws in their cryptographic design. We submitted this work to IEEE S&P 2023.

Short Summary

Cloud storage security gained significant importance in the last decades due to the vast amount of outsourced sensitive information.

The following table shows different cloud storage services, their user base, and whether or not they have End-to-End Encryption (E2EE). The sources for the information in this table can be found in the thesis.

NamePopularity [10⁶ users]E2EE
BoxCryptor0.5Yes
DropBox700No
Google Drive1000No
Icedrive0.15Yes
iCloud850No
Keybase0.1Yes
MEGA250Yes
Nextcloud20Yes
OneDrive500 - 1000No
pCloud12Yes
Seafile1Yes
Sync1.7Yes
Syncthing0.067No
Tresorit0.025Yes

We notice that MEGA is the largest cloud provider which is designed to provide E2EE.

This thesis contributes four severe attacks allowing a malicious service provider or man-in-the-middle adversary who compromises the TLS connection to break the confidentiality and integrity of user keys and files in MEGA.

We exploit the lack of ciphertext integrity of the encrypted and outsourced RSA private key and characteristics of RSA-CRT to perform a binary search for one prime factor of the RSA-2048 modulus and recover the secret key—with lattice-based optimizations—in 512 user login attempts.

The second attack decrypts sign, chat, share, and file keys by exploiting key reuse and knowledge of the RSA private key. It is practical and only requires a single login attempt of the victim to decrypt a file key.

The third attack allows an adversary to frame users by inserting new files indistinguishable from genuinely uploaded ones. Finally, the fourth attack contributes a new variant of Bleichenbacher’s attack on PKCS#1 v1.5 adapted for MEGA’s custom padding scheme, which tolerates small unknown prefix values through a new guess-and-purge strategy.

We discuss the significant challenges, introduced by MEGA’s massive scale, to a fundamental redesign of MEGA’s architecture and suggest short-term and long-term countermeasures.

We generalize our findings, examine the reasons for flawed cryptography in large-scale applications, and advocate for a cloud storage standard to improve the security and transparency of cloud providers in practice.

The complete thesis is available in the Research Collection of ETH Zurich.

MEGA: Malleable Encryption Goes Awry

This thesis led to a paper published at IEEE S&P 2023 with the title MEGA: Malleable Encryption Goes Awry.

The source code of a proof of concept implementation of the attacks are published here. Furthermore, the website for our attacks provides an accessible outline of them.

Acknowledgement

I would like to thank my supervisers Prof. Dr. Kenny Paterson and Matilda Backendal for their amazing support during this project. Our meetings were always an enthusiastic and insightful exchange of ideas.

Overall, this outstanding research experience reassured me in my decision to pursue a Ph.D. after finishing my Master’s degree.