The encryption key encrypts a randomly generated master key, which in turn encrypts other key material of the user.įor every account, this key material includes a set of asymmetric keys consisting of an RSA key pair (for sharing data with other users), a Curve25519 key pair (for exchanging chat keys for MEGA’s chat functionality), and a Ed25519 key pair (for signing the other keys).įurthermore, for every file or folder uploaded by the user, a new symmetric encryption key called a node key is generated. The authentication key is used to identify users to MEGA. Key HierarchyĪt the root of a MEGA client’s key hierarchy, illustrated in the figure below, is the password chosen by the user.įrom this password, the MEGA client derives an authentication key and an encryption key.
We challenge these security claims and show that an adversarial service provider, or anyone controlling MEGA’s core infrastructure, can break the confidentiality and integrity of user data. MEGA advertise themselves as the privacy company and promise User- Controlled end-to-end Encryption (UCE). What sets them apart from their competitors such as DropBox, Google Drive, iCloud and Microsoft OneDrive is the claimed security guarantees: With over 250 million registered users, 10 million daily active users and 1000 PB of stored data, MEGA is a significant player in the consumer domain. MEGA is a cloud storage and collaboration platform founded in 2013 offering secure storage and communication services.
0 kommentar(er)
