Feeds

Dotcom's Mega smacks back: Our crypto's not crap

'The '90s called... they want their password security back'

High performance access to file storage

Kim Dotcom's comeback cloud storage service, Mega, has responded to criticism about its approach to cryptography and password security after security researcher Steve Thomas (@Sc00bz) released his MegaCracker tool, which cracks hashes embedded in emailed password confirmation links.

In a blog post designed to reassure users, Mega said that it uses mouse movements and keystroke timings in its key-generation process to improve randomness. It added that its deduplication feature (which eliminates duplicates of the same file being uploaded to the service) is only ever done on the already-encrypted data, reiterating its assurances that Mega has no access to raw user content. Lastly, in response to criticisms of its password security, it notes that many approaches to password-hashing are vulnerable to dictionary-based attacks. Users need to look after themselves by choosing a decent password, it said. Mega added that MegaCracker serves as "an excellent reminder not to use guessable/dictionary passwords".

Mega added that it was in the process of implementing a password change feature that would "re-encrypt the master key with your new password," as well as implement a password reset mechanism. The lack of account recovery in the first place has already been the subject of a few barbs from members of the information security community, such as Chris Boyd of GFI Security, who tweeted:

"Mega will soon let you change your password" The '90s just called. No really, I have Bart Simpson and the entire cast of TMNT on the line.

The digital storage locker service launched on Sunday on the first anniversary of a takedown against Megaupload. Kim Dotcom and his associates were arrested by New Zealand police last January in response to a request by US authorities, who alleged that Megaupload facilitated copyright violation and piracy on a grand scale. In between fighting against extradition and going to court to obtain access to frozen assets, Dotcom and his associates reinvented his business under the brand name Mega.

Cloud locker

Mega differs from Megaupload primarily through the more extensive use of encryption. Everything a user uploads is encrypted before it leaves their browser, using a master key that can be unlocked by a password only known to users. The master key unlocks the file/folder/share/private keys. When content is downloaded, it's decrypted using the same key used to encrypt it (symmetric encryption).

The approach has allowed Mega to claim that it doesn't know the content of uploaded content and to position itself as an "awesome cloud storage service that will help protect your privacy" rather than as a file-sharing service - the primary use of Megaupload. Content can still be shared through shared folders on Mega but only in cases where users share a folder-specific key.

The whole process runs through a JavaScript app running on a user's browser and doesn't require the installation of special software.

Securo-boffins: What's wrong with it

Security experts and critics quickly raised concerns about how the service was established, which broadly fall into four categories.

The first concern was over the "private" key generated in users' browsers when they first use Mega. Researchers said that its reliance on JavaScript's Math.random() function was sketchy. Software random number generators are risky because if you can guess the starting seed, it's then much easier to break the security of the crypto-system.

The second line of concern arises from Mega's terms of service. These explain that the service "may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service". Such deduplication ought to be impossible if Mega truly didn't know the contents of uploaded content, according to critics.

The third issue raised was over the confirmation email sent to users containing an AES-based hash of their master key when they sign up to Mega. This creates the possibility of an offline dictionary attack, such as the one launched by MegaCracker..

Additional lines of criticism against Mega have included its lack of account recovery options. Losing their password would leave users not only unable to log into the service but also unable to recover and decrypt any stored files.

Responding to Mega's blog post, Paul Ducklin, Sophos's head of technology for Asia Pacific, said Mega was on shaky ground with some of its assertions. "Mouse and keyboard movements aren't very good additional sources of randomness", Ducklin points out, so the random number generation issue remains a live concern. And on the deduplication issue: "Knowing that two files are the same, even without knowing the content, nevertheless leaks information about the data".

The "controversy about Mega and its perceived security" is unlikely to die off any time soon, Ducklin concludes.

Heavyweight cryptographers also appear unimpressed by Mega's early efforts.

"Mega is either artfully feigning sincerity in their inept crypto as a brilliant copyright dodge, or they truly believe it and are just inept," said Moxie Marlinspike, the creator of Convergence SSL authenticity system.

Kim Dotcom appears to relishing the attention on his new website's security, even if much of it remains negative. "We welcome the ongoing ‪#Mega‬ security debate & will offer a cash prize encryption challenge soon. Let's see what you got ;-)," he wrote on Wednesday, after earlier claiming that Mega was already catching up with Dropbox in daily usage. ®

High performance access to file storage

More from The Register

next story
Seagate brings out 6TB HDD, did not need NO STEENKIN' SHINGLES
Or helium filling either, according to reports
European Court of Justice rips up Data Retention Directive
Rules 'interfering' measure to be 'invalid'
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Cisco reps flog Whiptail's Invicta arrays against EMC and Pure
Storage reseller report reveals who's selling what
Just what could be inside Dropbox's new 'Home For Life'?
Biz apps, messaging, photos, email, more storage – sorry, did you think there would be cake?
IT bods: How long does it take YOU to train up on new tech?
I'll leave my arrays to do the hard work, if you don't mind
Amazon reveals its Google-killing 'R3' server instances
A mega-memory instance that never forgets
USA opposes 'Schengen cloud' Eurocentric routing plan
All routes should transit America, apparently
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.