Dotcom's Mega smacks back: Our crypto's not crap
'The '90s called... they want their password security back'
Kim Dotcom's comeback cloud storage service, Mega, has responded to criticism about its approach to cryptography and password security after security researcher Steve Thomas (@Sc00bz) released his MegaCracker tool, which cracks hashes embedded in emailed password confirmation links.
In a blog post designed to reassure users, Mega said that it uses mouse movements and keystroke timings in its key-generation process to improve randomness. It added that its deduplication feature (which eliminates duplicates of the same file being uploaded to the service) is only ever done on the already-encrypted data, reiterating its assurances that Mega has no access to raw user content. Lastly, in response to criticisms of its password security, it notes that many approaches to password-hashing are vulnerable to dictionary-based attacks. Users need to look after themselves by choosing a decent password, it said. Mega added that MegaCracker serves as "an excellent reminder not to use guessable/dictionary passwords".
Mega added that it was in the process of implementing a password change feature that would "re-encrypt the master key with your new password," as well as implement a password reset mechanism. The lack of account recovery in the first place has already been the subject of a few barbs from members of the information security community, such as Chris Boyd of GFI Security, who tweeted:
"Mega will soon let you change your password" The '90s just called. No really, I have Bart Simpson and the entire cast of TMNT on the line.
The digital storage locker service launched on Sunday on the first anniversary of a takedown against Megaupload. Kim Dotcom and his associates were arrested by New Zealand police last January in response to a request by US authorities, who alleged that Megaupload facilitated copyright violation and piracy on a grand scale. In between fighting against extradition and going to court to obtain access to frozen assets, Dotcom and his associates reinvented his business under the brand name Mega.
Mega differs from Megaupload primarily through the more extensive use of encryption. Everything a user uploads is encrypted before it leaves their browser, using a master key that can be unlocked by a password only known to users. The master key unlocks the file/folder/share/private keys. When content is downloaded, it's decrypted using the same key used to encrypt it (symmetric encryption).
The approach has allowed Mega to claim that it doesn't know the content of uploaded content and to position itself as an "awesome cloud storage service that will help protect your privacy" rather than as a file-sharing service - the primary use of Megaupload. Content can still be shared through shared folders on Mega but only in cases where users share a folder-specific key.
Securo-boffins: What's wrong with it
Security experts and critics quickly raised concerns about how the service was established, which broadly fall into four categories.
The second line of concern arises from Mega's terms of service. These explain that the service "may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service". Such deduplication ought to be impossible if Mega truly didn't know the contents of uploaded content, according to critics.
The third issue raised was over the confirmation email sent to users containing an AES-based hash of their master key when they sign up to Mega. This creates the possibility of an offline dictionary attack, such as the one launched by MegaCracker..
Additional lines of criticism against Mega have included its lack of account recovery options. Losing their password would leave users not only unable to log into the service but also unable to recover and decrypt any stored files.
Responding to Mega's blog post, Paul Ducklin, Sophos's head of technology for Asia Pacific, said Mega was on shaky ground with some of its assertions. "Mouse and keyboard movements aren't very good additional sources of randomness", Ducklin points out, so the random number generation issue remains a live concern. And on the deduplication issue: "Knowing that two files are the same, even without knowing the content, nevertheless leaks information about the data".
The "controversy about Mega and its perceived security" is unlikely to die off any time soon, Ducklin concludes.
Heavyweight cryptographers also appear unimpressed by Mega's early efforts.
"Mega is either artfully feigning sincerity in their inept crypto as a brilliant copyright dodge, or they truly believe it and are just inept," said Moxie Marlinspike, the creator of Convergence SSL authenticity system.
Kim Dotcom appears to relishing the attention on his new website's security, even if much of it remains negative. "We welcome the ongoing #Mega security debate & will offer a cash prize encryption challenge soon. Let's see what you got ;-)," he wrote on Wednesday, after earlier claiming that Mega was already catching up with Dropbox in daily usage. ®
Re: @Steve dedupe
A chunk has just as much chance of being all zeroes or ones as it has being any other combination :-)
However, I'm not convinced dedupe works on such random data (which in effect it will be). The key for reconstituting the deduped data would end up being the same size as the original data to begin with.
I've recently deduped 3TB of storage down to 2 bits, just a 1 and a 0. Reindexing it all is going to be a bit of a chore though...
I don't get it, how do you dedupe encrypted files when they're encrypted with different keys?
So you trust Dropbox not to read your stuff because... they're just not an obnoxious wide-boy?