Encryption In The Cloud: How It Works

PCQ Bureau

Bangalore, India: MEGA, the latest free cloud storage offering, has offered encryption on user data where “you control the encryption, you hold the keys, and you decide who you grant or deny access to your files”. Using symmetric and asymmetric encryption, MEGA claims an unprecedented level of security for your online data. We find out how it's possible, while exploring the technical details.

Symmetric Encryption

Symmetric encryption means that the key used to encrypt and decrypt the data is the same. A popular example of this is AES-128, a block cipher that uses a 128-bit key to convert data into ciphertext. When the data is received by the user and needs to be deciphered, the same key is applied in reverse to decrypt the data. In the context of MEGA, “For bulk transfers, AES-128 (we believe that the higher CPU utilization of AES-192 and AES-256 outweighs the theoretical security benefit, at least until the advent of quantum computers).” However, while Mega claims that only the user has power over the encryption key used to encrypt their data, how will it be possible to access your files from a different system if the key is stored locally somewhere? That is the catch. Mega does store your AES-128 key (which is generated pseudo-randomly), but stores it encrypted using your password itself! This means that the user needs to input their password to decode the key, which is then used in turn to decrypt the content! However, there is still some confusion over whether a hash of the password is used to decrypt the key, or whether the password itself is used. Either way, the bad news is that the password is something that the user needs to hold on to tightly, because Mega does not provide any recovery tools for a lost password. This also means that this technique is far from foolproof, as malware installed on the client end can intercept the password entered by the user, which can compromise the user's data entirely!
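
To make that key hierarchy concrete, here is an added Python illustration (not MEGA's code, and not taken from the article): a random 128-bit master key protects the data, and the master key itself is stored only in encrypted form under a key derived from the user's password. Two choices are assumptions made here rather than anything the article confirms: PBKDF2-HMAC-SHA256 as the password-to-key step (the article notes it is unclear whether MEGA hashes the password first), and an HMAC-SHA256 counter-mode keystream standing in for AES-128, because Python's standard library ships no AES.

```python
"""Password-wrapped master key: the layered scheme the article describes.

Added illustration, not MEGA's code.  A random 128-bit master key protects
the data; the master key itself is stored only wrapped (encrypted) under a
key derived from the user's password.  The server keeps the salt, the
wrapped key, the tag and the ciphertext, never the password or the bare
master key, so a forgotten password really is unrecoverable.

Assumptions: PBKDF2-HMAC-SHA256 stands in for whatever password-to-key
step MEGA uses, and because the standard library has no AES the bulk
cipher is an HMAC-SHA256 keystream in counter mode rather than AES-128.
The key hierarchy, not the cipher, is what this shows.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 100_000


def derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> 32 bytes: first 16 wrap the master key, last 16 key the tag."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ROUNDS, dklen=32)


def wrap_master_key(password: str, master_key: bytes, salt: bytes) -> dict:
    """Encrypt the 16-byte master key under the password-derived key.

    XOR against 16 fresh derived bytes is a one-time pad for this single
    value; the HMAC tag makes a wrong password detectable instead of
    silently yielding a garbage key.
    """
    if len(master_key) != 16:
        raise ValueError("master key must be 128 bits")
    kek = derive_kek(password, salt)
    wrapped = bytes(m ^ k for m, k in zip(master_key, kek[:16]))
    tag = hmac.new(kek[16:], salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_master_key(password: str, record: dict) -> Optional[bytes]:
    """Recover the master key, or None if the password does not verify."""
    kek = derive_kek(password, record["salt"])
    expect = hmac.new(kek[16:], record["salt"] + record["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expect, record["tag"]):
        return None
    return bytes(w ^ k for w, k in zip(record["wrapped"], kek[:16]))


def rewrap_master_key(old_password: str, new_password: str,
                      record: dict, new_salt: bytes) -> Optional[dict]:
    """Change the password by re-wrapping the same master key.

    The stored data stays untouched: this indirection is the reason the
    master key is wrapped rather than derived straight from the password.
    """
    master_key = unwrap_master_key(old_password, record)
    if master_key is None:
        return None
    return wrap_master_key(new_password, master_key, new_salt)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the AES-128 bulk cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_data(master_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Symmetric: the same key and nonce both encrypt and decrypt."""
    stream = _keystream(master_key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))


decrypt_data = encrypt_data  # XOR keystream: decryption is the same operation


def demo(password: str = "correct horse battery staple") -> bool:
    """Round trip: wrap, store, unwrap, decrypt; a wrong password recovers nothing."""
    sample = b"constructed sample file contents"   # constructed input, not real data
    master_key = os.urandom(16)   # generated once, never derived from the password
    record = wrap_master_key(password, master_key, os.urandom(16))
    nonce = os.urandom(16)
    ciphertext = encrypt_data(master_key, nonce, sample)
    # What the server holds: record["salt"], record["wrapped"], record["tag"], nonce, ciphertext.
    recovered = unwrap_master_key(password, record)
    ok = recovered == master_key and decrypt_data(recovered, nonce, ciphertext) == sample
    return ok and unwrap_master_key("wrong password", record) is None


if __name__ == "__main__":
    print("round trip ok:", demo())
```

Two things fall out of the structure: a wrong password fails the tag check and yields nothing at all, and changing the password only re-wraps the 16-byte master key, leaving the encrypted files as they are. It also shows why the password is the real master key: anyone who learns it, by keylogger or phishing, derives exactly what the legitimate user derives, and the server can do nothing to help if it is forgotten.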

Asymmetric Encryption

This kind of encryption implies that different keys are used for encryption and decryption. Commonly known as “public-key cryptography”, it uses two keys, one called the private key and one called the public key. While the private key is secret to a user, his public key is available to everyone. Anyone sending him data can encrypt it with his public key, and only the holder of the private key will be able to decrypt the message. This is powerful encryption used to share data between two parties without interception. RSA is commonly used for asymmetric encryption, and Mega uses RSA with 2048-bit keys as public-private key pairs. According to Mega, “For establishing shared secrets between users and dropping files into your inbox, RSA-2048 (the key length was chosen as middle grounds between "too insecure" and "too slow")”. Keys generated by a computer are not truly random, since software on its own produces only pseudo-random numbers. However, by collecting entropy from unpredictable physical events such as mouse movements, hardware timings and so on, the randomness of the keys can be increased. Mega also claims to use entropy to generate a random RSA key for sharing files between users. Using JavaScript code to run the entire application in your browser ensures that all of the key generation and encryption happens on the client's end before anything is transmitted to Mega's servers. However, there are skeptics who doubt the randomness of Mega's password generation, with Nadim Kobeissi, developer of the chat application Cryptocat, tweeting that “Analysis: Mega can selectively disable crypto for targeted users without them noticing. Crypto also uses insufficient sources of randomness”.

UPDATE: Mega has posted a long reply to security concerns raised by multiple sources. Please read at: https://mega.co.nz/#blog_3

The essential question: Are You Safe?

While Mega's use of both symmetric and asymmetric encryption is powerful, there are always loopholes in such systems. Mainly, the password of a user is the master key to unlocking all their content! If a hacker manages to install a keylogger on your system and capture the password you are using, then all the additional security is moot! Even according to the Mega website, accounts can be compromised through “Spyware on your computer”, “Shoulder surfing”, “Phishing” and “Password brute-forcing”. If you decide to set up an account on Mega, remember to ensure that your password is hard to guess and consists of lowercase and uppercase letters as well as numbers. And do not forget your password! Also, make sure to set up strong anti-malware software on your systems and run regular scans; this should greatly decrease the risk of your password being captured.

Are there any other encryption techniques commonly used? Will you feel safe using Mega?