Dotcom's Mega smacks back: Our crypto's not crap

'The '90s called... they want their password security back'

Kim Dotcom's comeback cloud storage service, Mega, has responded to criticism about its approach to cryptography and password security after security researcher Steve Thomas (@Sc00bz) released his MegaCracker tool, which cracks hashes embedded in emailed password confirmation links.

In a blog post designed to reassure users, Mega said that it uses mouse movements and keystroke timings in its key-generation process to improve randomness. It added that its deduplication feature (which eliminates duplicates of the same file being uploaded to the service) is only ever done on the already-encrypted data, reiterating its assurances that Mega has no access to raw user content. Lastly, in response to criticisms of its password security, it notes that many approaches to password-hashing are vulnerable to dictionary-based attacks. Users need to look after themselves by choosing a decent password, it said. Mega added that MegaCracker serves as "an excellent reminder not to use guessable/dictionary passwords".

Mega added that it was in the process of implementing a password change feature that would "re-encrypt the master key with your new password," as well as a password reset mechanism. The lack of account recovery in the first place has already been the subject of a few barbs from members of the information security community, such as Chris Boyd of GFI Security, who tweeted:

"Mega will soon let you change your password" The '90s just called. No really, I have Bart Simpson and the entire cast of TMNT on the line.

The digital storage locker service launched on Sunday on the first anniversary of a takedown against Megaupload. Kim Dotcom and his associates were arrested by New Zealand police last January in response to a request by US authorities, who alleged that Megaupload facilitated copyright violation and piracy on a grand scale. In between fighting against extradition and going to court to obtain access to frozen assets, Dotcom and his associates reinvented his business under the brand name Mega.

Cloud locker

Mega differs from Megaupload primarily through the more extensive use of encryption. Everything a user uploads is encrypted before it leaves their browser, using a master key that can be unlocked by a password only known to users. The master key unlocks the file/folder/share/private keys. When content is downloaded, it's decrypted using the same key used to encrypt it (symmetric encryption).

The approach has allowed Mega to claim that it doesn't know the contents of uploaded files and to position itself as an "awesome cloud storage service that will help protect your privacy" rather than as a file-sharing service - the primary use of Megaupload. Content can still be shared through shared folders on Mega but only in cases where users share a folder-specific key.

The whole process runs through a JavaScript app running on a user's browser and doesn't require the installation of special software.

Securo-boffins: What's wrong with it

Security experts and critics quickly raised concerns about how the service was established, which broadly fall into four categories.

The first concern was over the "private" key generated in users' browsers when they first use Mega. Researchers said that its reliance on JavaScript's Math.random() function was sketchy. Software random number generators are risky because if you can guess the starting seed, it's then much easier to break the security of the crypto-system.
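An added illustration of the seed-guessing concern above (not Mega's code): a toy seeded generator, a constructed stand-in for Math.random() with a hypothetical 12-bit seed, yields a "128-bit" key that has only as many possible values as there are seeds, shown beside a key drawn from the platform CSPRNG. All function names here are assumptions made for the example.

```javascript
// Platform CSPRNG: the Web Crypto global in browsers and current Node.js,
// with a fallback to Node's bundled webcrypto on older runtimes.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Toy 32-bit LCG standing in for a non-cryptographic generator such as
// Math.random(); the constants are the common Numerical Recipes ones.
function makeLcg(seed) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state / 2 ** 32; // float in [0, 1), same shape as Math.random()
  };
}

// Weak: a 128-bit key built from four 32-bit outputs of the seeded generator.
function weakKey(seed) {
  const rand = makeLcg(seed);
  const key = Buffer.alloc(16);
  for (let i = 0; i < 4; i++) {
    key.writeUInt32BE(Math.floor(rand() * 2 ** 32), i * 4);
  }
  return key;
}

// Hardened: 128 bits taken directly from the CSPRNG, no seed to guess.
function strongKey() {
  return Buffer.from(webcrypto.getRandomValues(new Uint8Array(16)));
}

// Effective key space of weakKey() when the seed carries `seedBits` bits
// of uncertainty: count the distinct keys over every possible seed.
function distinctWeakKeys(seedBits) {
  const seen = new Set();
  for (let seed = 0; seed < 2 ** seedBits; seed++) {
    seen.add(weakKey(seed).toString('hex'));
  }
  return seen.size;
}

// Constructed demo values: seed 2013 and a 12-bit seed space.
console.log('same seed, same key:', weakKey(2013).equals(weakKey(2013)));
console.log('possible weak keys for a 12-bit seed:', distinctWeakKeys(12));
console.log('CSPRNG key:', strongKey().toString('hex'));
```

The key length on paper is 128 bits in both cases; what differs is how much an observer must guess, which is why critics looked at the generator rather than the cipher.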

The second line of concern arises from Mega's terms of service. These explain that the service "may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service". Such deduplication ought to be impossible if Mega truly didn't know the contents of uploaded content, according to critics.

The third issue raised was over the confirmation email sent to users containing an AES-based hash of their master key when they sign up to Mega. This creates the possibility of an offline dictionary attack, such as the one launched by MegaCracker.

Additional lines of criticism against Mega have included its lack of account recovery options. Losing their password would leave users not only unable to log into the service but also unable to recover and decrypt any stored files.

Responding to Mega's blog post, Paul Ducklin, Sophos's head of technology for Asia Pacific, said Mega was on shaky ground with some of its assertions. "Mouse and keyboard movements aren't very good additional sources of randomness", Ducklin points out, so the random number generation issue remains a live concern. And on the deduplication issue: "Knowing that two files are the same, even without knowing the content, nevertheless leaks information about the data".

The "controversy about Mega and its perceived security" is unlikely to die off any time soon, Ducklin concludes.

Heavyweight cryptographers also appear unimpressed by Mega's early efforts.

"Mega is either artfully feigning sincerity in their inept crypto as a brilliant copyright dodge, or they truly believe it and are just inept," said Moxie Marlinspike, the creator of the Convergence SSL authenticity system.

Kim Dotcom appears to be relishing the attention on his new website's security, even if much of it remains negative. "We welcome the ongoing #Mega security debate & will offer a cash prize encryption challenge soon. Let's see what you got ;-)," he wrote on Wednesday, after earlier claiming that Mega was already catching up with Dropbox in daily usage. ®
