Mega's first crypto faux pas
Posted on: 01/23/2013 05:42 PM
[
Comments
]
Kim "Kimble" Dotcom's Mega cloud storage service uses a clever concept to load its own code. According to the fail0verflow blog, however, the crypto features that are designed to ensure the integrity of this code are unsuitable for the task and can easily be bypassed. This blunder doesn't bode well for the rest of the service's crypto infrastructure.
The Mega server's main HTML file contains the names of a whole range of java script files such as "base64_0.js" and "crypto_0.js" that are loaded from a Content Distribution Network's (CDN) external servers. The current URL, https://eu.static.mega.co.nz/, points to servers that are listed with registries such as AfriNIC in Mauritius. To ensure the integrity of the externally retrieved code, the control file contains a kind of checksum for each file that will be verified before the code is executed.
Instead of well-establish hashing techniques such as SHA256, Mega uses the CBC-MAC crypto algorithm with a key (111111, 222222, 333333, 444444) that is hard-coded into the java script code. However, even the Wikipedia description of CBC-MAC explicitly states that these Message Authentication Codes can easily be forged if the appropriate key is known. In practice, this means that anyone who controls one of these CDN servers or can to get the server operator to cooperate could easily manipulate the retrieved code without triggering an alert. This would allow potential attackers to compromise Mega's entire infrastructure and spy on arbitrary users. In its Megafail analysis, fail0verflow provides a simple demonstration that enables users to generate valid java script files that produce the specific CBC-MAC of a previously uploaded Mega file.
Such beginner's crypto implementation mistakes cast a poor light on the promise that users' data is protected locally using encryption features in the browser.
The Mega server's main HTML file contains the names of a whole range of java script files such as "base64_0.js" and "crypto_0.js" that are loaded from a Content Distribution Network's (CDN) external servers. The current URL, https://eu.static.mega.co.nz/, points to servers that are listed with registries such as AfriNIC in Mauritius. To ensure the integrity of the externally retrieved code, the control file contains a kind of checksum for each file that will be verified before the code is executed.
Instead of well-establish hashing techniques such as SHA256, Mega uses the CBC-MAC crypto algorithm with a key (111111, 222222, 333333, 444444) that is hard-coded into the java script code. However, even the Wikipedia description of CBC-MAC explicitly states that these Message Authentication Codes can easily be forged if the appropriate key is known. In practice, this means that anyone who controls one of these CDN servers or can to get the server operator to cooperate could easily manipulate the retrieved code without triggering an alert. This would allow potential attackers to compromise Mega's entire infrastructure and spy on arbitrary users. In its Megafail analysis, fail0verflow provides a simple demonstration that enables users to generate valid java script files that produce the specific CBC-MAC of a previously uploaded Mega file.
Such beginner's crypto implementation mistakes cast a poor light on the promise that users' data is protected locally using encryption features in the browser.
Comments
