Bangalore,India: MEGA, the latest free cloud storage offering, has offered encryption on user data where “you control the encryption, you hold the keys,
and you decide who you grant or deny access to your files”. Using symmetric and asymmetric encryption, MEGA claims that an unprecedented amount of security
for your online data. We find out how it's possible, while exploring the technical details.
Symmetric Encryption
Symmetric encryption means that the key used to encrypt and decrypt the data is the same. A popular example of this is the AES-128 encryption, which is a
block cipher that uses a key of 128 bits to convert data into ciphertext. When the data is received by the user and needs to be deciphered, the same key is
applied in reverse to decrypt the data. In the context of MEGA, “For bulk transfers, AES-128 (we believe that the higher CPU utilization of AES-192 and
AES-256 outweighs the theoretical security benefit, at least until the advent of quantum computers).” However, while Mega claims that only the user has
power over the encryption key used to encrypt their data, how will it be possible to access your files from a different system if the key is stored locally
somewhere? Actually, there's the catch. Mega does store your AES-128 key(which is generated pseudo-randomly), but stores it encrypted using your password
itself! This means that the user needs to input their password to decode the key, which is then used in turn to decrypt the content! However, there is
still some confusion over whether a hash of the password is used to decrypt the key, or whether the password itself is used. Either way, the bad news is
that the password is something that the user needs to hold on to tight, because Mega does not provide any recovery tools for a lost password. This also
means that this technique is far from foolproof, as malware installed on the client end can intercept the password entered by the user, which can
compromise the user's data entirely!
Asymmetric Encryption
This kind of encryption implies that different keys are used for encryption and decryption. Commonly known as “public-key cryptography”, there are two keys
used, one called the private key and one called public key. While the private key is secret to a user, his public key is available to everyone. Anyone
sending him data can encrypt it with his public key, and only the holder of the private key will be able to decrypt the message. This is powerful
encryption used to share data between two parties without interception. RSA is commonly used for asymmetric encryption, and Mega uses RSA with 2048
bit-keys as public-private key pairs. According to Mega, “For establishing shared secrets between users and dropping files into your inbox, RSA-2048 (the
key length was chosen as middle grounds between "too insecure" and "too slow")”. Keys generated by the computer are not truly random, as they only produce
pseudo-random numbers. However, using something called entropy, which uses truly random events such as mouse movements, hardware timings and so on, the
randomness of the keys can be increased. Mega also claims to use entropy to generate a random RSA key for sharing files between users. Using Javascript
code to run the entire application in your browser ensures that all of the key generation and encryption happens on the client's end before it is
transmitted to Mega servers. However, there are skeptics who doubt the randomness of Mega's password generation, with developer of chat application
CryptoCat Nadim Kobeissi tweeting that “Analysis: Mega can selectively disable crypto for targeted users without them noticing. Crypto also uses
insufficient sources of randomness”. UPDATE: Mega has posted a long reply to security concerns raised by multiple sources. Please read at: https://mega.co.nz/#blog_3
The essential question: Are You Safe?
While Mega's use of both symmetric and asymmetric encryption is powerful, there are always loopholes in such systems. Mainly, the password of a user is the
master key to unlocking all their content! If a hacker manages to install a keylogger on your system, and can filter the password you are using, then all
the additional security is moot! Even according to the Mega website, accounts can be compromised through “Spyware on your computer”, “Shoulder surfing”,
“Phishing” and “Password brute-forcing”. If you decide to set up an account on Mega, remember to ensure that your password is hard to guess, and consists
of lowercase and uppercase alphabets, as well as numbers. And do not forget your password! Also, make sure to set up strong anti-malware software on your
systems and do regular scans, and this should greatly decrease the risk factor of your password being traced.
Are there any other encryption techniques commonly used? Will you feel safe using Mega?