Qingbing Ji,Zhihong Rao,Lvlin Ni,Wei Zhao and Jing Fu

1School of Cybersecurity,Northwestern Polytechnical University,Xi’an,710072,China

2No.30 Institute of CETC,Chengdu,610041,China

3Eberly College of Science,Pennsylvania State University-University Park,PA,16802,USA

Abstract:MEGA is an end-to-end encrypted cloud storage platform controlled by users.Moreover,the communication between MEGA client and server is carried out under the protection of Transport Layer Security(TLS)encryption,it is difficult to intercept the key data packets in the process of MEGA registration,login,file data upload,and download.These characteristics of MEGA have brought great difficulties to its forensics.This paper presents a method to attack MEGA to provide an effective method for MEGA’s forensics.By debugging the open-source code of MEGA and analyzing the security white paper published,this paper first clarifies the encryption mechanism of MEGA,including the detailed process of registration,login,and file encryption,studies the encryption mechanism of MEGA from the perspective of protocol analysis,and finds out the vulnerability of MEGA encryption mechanism.On this basis,a method to attack MEGA is proposed,and the secret data stored in the MEGA server can be accessed or downloaded;Finally,the efficiency of the attack method is analyzed,and some suggestions to resist this attack method are put forward.

Keywords:TLS;advanced encryption standard;forensics;protocol analysis;vulnerability

1 Introduction

MEGA is a cloud storage service launched by MEGA limited company.The content data stored on MEGA,such as files,messages,audio and video,are encrypted on the user’s client.After encryption,the user uploads the encrypted data to the MEGA platform,but the encryption key of the data will not be directly saved on the platform.Therefore,the access to the data stored on Mega is controlled by the user,not the platform.Even the platform cannot access the data.If other users want to access the data,the user must transmit the encryption key encrypted with the recipient’s public key to the recipient.

All encryption related to the security of the user’s data is performed only on the user’s device.MEGA has released the source code of all client applications[1,2].Interested third parties can independently verify whether MEGA has the security advertised in the white paper and has no backdoors or accidental vulnerabilities.MEGA supports browser access,which not only lowers barriers to entry but also facilitates the use of other encryption technologies.As of August 20,2021,the site had 236 million registered users and uploaded more than 107 billion files.

Encryption is a general double-edged sword,on the one hand,it protects the privacy of users,on the other hand,it is used by a small number of users as a tool to engage in illegal activities.As mentioned,MEGA has very good security and its security mechanism,and all communication between the client and the server is protected by TLS encryption from the time it is installed.In 2019,TLS1.2 was revealed that there were some vulnerabilities.Related attacks can be carried out based on man-in-the-middle attacks.With TLS1.3,these attack methods have failed.So far,no fatal defects have been found in the Advanced Encryption Standard(AES)and other algorithms used by MEGA[3,4].As you can imagine,MEGA’s forensics were very difficult.There are very few articles or information about MEGA’s encryption protocol analysis,almost none.Here,we analyze MEGA’s encryption mechanism,find its vulnerabilities,that is,its public links are encrypted only by password.Because people’s brain memory is limited and can only remember 5-7 passwords,most of the passwords set by the same person are similar[5-7].Based on this,we present a method to attack MEGA that can access or download encrypted data stored on MEGA’s server,thus bolstering MEGA’s forensics.According to the principle and efficiency of this attack method,we also put forward some protection suggestions,which can resist the attack to a certain extent or reduce the success rate of this attack.

The paper is arranged in 6 sections as follows:In Section 2,by debugging the open-source code of MEGA and analyzing the security white paper published[8],we clarify MEGA’s encryption mechanism,including MEGA’s registration,login,and file and folder encryption details.In Section 3,we analyze MEGA’s security,point out that MEGA is not invulnerable,and propose a method or idea of attack.Section 4 analyzes the security mechanism of file or folder’s secure public links in detail,and proposes an attack method against the public links protected by password.Section 5 analyzes the efficiency of the attack and gives some suggestions to resist this attack.Finally,the paper is summarized in Section 6.

2 The Encryption Mechanism of MEGA

We clarify MEGA’s encryption mechanism as follows by debugging the open-source code of MEGA and analyzing the security white paper published.

2.1 Registration and Login

2.1.1 The Process to Register MEGA

The process to register MEGA is as follows:

Step6.The client will send the information described in Tab.1 to register an account.

Table 1:User registration information

2.1.2 The Process to Register MEGA

The process to register MEGA is as follows:

2.2 The Upload Encryption of File and Folder

The keys of each file or folder are different.Since the folder does not contain data,the folder is not encrypted,and only the folder attribute(that is,the folder name)is encrypted.

To encrypt the file,theFile Key(FK)consists of 128 random bits and 64 random bitsnone.The file is split into chunks,and each chunk is encrypted using Advanced Encryption Standard-Counter with Cipher lock chaining Message Authentication Code mode(AES-CCM).Thenoncein each encrypted block is incremented.

After all chunks are encrypted,aCondensed Message Authentication Code (MAC)will be calculated according to the following steps:Firstly,A 128-bits array is initialized to zero.Secondly,the array is XORed with a block MAC,and the result is encrypted with Advanced Encryption Standard-Electronic Codebook Mode(AES-ECB).Again,each subsequent MAC block is processed according to this method.The final encryption result is the final MAC.

TheFKis uploaded to the API after processed as follows:

3 MEGA Security Analysis

All communication between MEGA client and server is protected by TLS encryption from the time it is installed,and intercepting key packets during registration and login from traffic is not feasible unless the TLS encryption mechanism can be broken.Is MEGA unbreakable?Not necessarily.While MEGA offers end-to-end encryption,it does not use two-factor authentication for logins,so an attacker can log into each account using only login credentials and grab the name of the file in the account.Many users use Email Address as a user name and use the same user name and password for multiple sites.According to Troy Hunt[9],administrator of the website “Have I Been Pwned”,a massive file leak on MEGA in 2019 contained over 12,000 individual files and 87GB of data.It contained nearly 773 million email addresses and 22 million passwords.

Meanwhile,while communication between MEGA client and server is protected by TLS encryption,anyone other than MEGA’s uploader who wants to access or download the uploader’s material needs the uploader to give him a public link to share the file or folder.When the downloader is an unregistered MEGA user,the uploader can only send it through insecure channels.In this case,if an attacker obtains a public link to a file or folder,he may access and download encrypted file data stored on the MEGA server to which the link points,as detailed in the next section for analysis and attack implementation.

4 Cracking the Password Protected Public Links

Anyone other than the MEGA uploader who wants to access or download the uploader’s profile needs the uploader to give him a public link to share the file or folder.Public links are classified into plaintext public links and password protected public links.

4.1 Analysis of the Plaintext Public Link

The plaintext public file links are as follows:

https://mega.nz/file/Base64(Handle)#Base64(Key).

The plaintext public folder links are as follows:

https://mega.nz/folder/Base64(Handle)#Base64(Key).

In the above links,“Handle”is the Handle of a file or folder,similar to ID or index.“Key”is theOFKfor public file links and theShare Keyfor public folder links.

The generic format of the plaintext public link is shown in Tab.2.

Table 2:Generic format of plaintext public link

4.2 Analysis of the Password Protected Public Links

The password protected public file or folder links are as follows:

https://mega.nz/#P!Base64(data).

The generic format of password protected public link is shown in Tab.3.

The difference in the format of MEGA File and Folder’s password protected public links is the length of the data section.The length of the data in password protected public folder links is equal to 118,and the length of the data in password protected public file links is equal to 139.

Table 3:Generic format of password protected public link

The procedure for constructing a password protected link is as follows:

In the above format,the meaning of each field identification is shown in Tab.4.

Table 4:The meaning of each field identification

Step3.Constructing protected links.

■A MAC Tag of 32 bytes is computed by

MAC Tag=HMAC-SHA-256(MAC Key,(Algorithm||Type||Public Handle||Salt||Encrypted Key)).

■The format of protected link data is constructed by Algorithm||Type||Public Handle||Salt||Encrypted Key||MAC Tag.

According to Tab.3,we firstly Base64 encode the link data,then substitute incompatible characters,and finally get a password protected link,for example,https://mega.nz/#P!WWWT5WcTsZ7Z_ghxV0FTJXKOQZs_3a...

4.3 Cracking Algorithm of the Password Protected Public Links

When the downloader is an unregistered MEGA user,the uploader can only send it through insecure channels.In this case,the attacker has a chance to obtain a public link to a file or folder.If the public link is not password protected,the attacker can use the link to access and download encrypted file data stored on the MEGA server to which the link points.If the link is password-protected,the attacker needs to crack it first.

As you can see from the construction process of the password protected public links,its security depends on the password entered by the user.Although MEGA excludes passwords that it considers weak by forcing users to input passwords with a length greater than 8 and using different types of characters,to facilitate memory,users are usually far from meeting the requirements of random construction when constructing passwords[10-14].Generally,people choose passwords that are easy to remember for themselves,resulting in the centralized distribution of a large number of passwords in the whole password range,which greatly improves the success rate of the attacker to crack passwords[15-19].Next,we give the cracking algorithm of the password protected links based on password guessing.

The cracking process of the password protected links is as follows:

4.4 Examples of Cracking

4.4.1 Cracking the Password Protected Public Folder Links

4.4.2 Cracking the Password Protected Public File Links

5 Efficiency Analysis and Suggestions

Our attack method mainly depends on password guessing,so the efficiency of our attack method is equal to that of password guessing.The efficiency of password guessing generally depends on the rate of password guessing,password guessing algorithm,the complexity of the guessed password,and the size of the password training set.Since it is difficult to collect the data of MEGA’s password protected public links,we will use the public data to analyze the efficiency of the password guessing method,as shown in Tabs.5 and 6[20].

Table 5:Intra-site password cracking

Table 5:Continued

Table 6:Intra-site password cracking

It can be seen from Tabs.1 and 2 that when the password space is 1.4×109,the success rate of probabilistic context-free grammars (PCFG) in intra-site password cracking is more than 40%,and the success rate is greater with the increase of the password training set.If it is cross-site password cracking and the training set is homologous,the average success rate of PCFG is more than 30%.As far as the guessing algorithm is concerned,the success rate of semantic based password cracking algorithm(Sem+)[21]is about 7%higher than that of PCFG.

According to the above analysis of password guessing efficiency,to improve the security of MEGA’s password protected public links,our suggestions are as follows:

1.Increase the complexity of password setting,such as requiring at least 12 bits,including upper case letters,lower case letters,numbers,special characters,etc.

2.The number of iterations of generatingDKin Section 4.2 is increased to more than 400000.

The combination of the above two measures will greatly reduce the efficiency of password guessing,effectively resist password attacks and enhance the security of MEGA’s password protected public links.

6 Conclusion

MEGA is an end-to-end encrypted cloud storage platform controlled by users.The content data stored on MEGA are encrypted on the user’s client before the user uploads them to the MEGA platform.The encryption key of the data will not be directly saved on the platform.Therefore,the access to the data stored on Mega is controlled by the user,not the platform.Even the platform cannot access the data.MEGA not only has a good security mechanism of its own but all communication between the client and the server is protected by TLS encryption.So,MEGA’s forensics were very difficult.This paper clarifies the encryption mechanism of MEGA and finds out the vulnerability of the MEGA encryption mechanism.A method to attack MEGA is presented,and the secret data stored in the MEGA server can be accessed or downloaded.Finally,two examples are given to verify the correctness of the method.Therefore,the result of this paper provides an effective method for MEGA’s forensics.

Funding Statement:This work was supported by the Key Laboratory of confidential communication Fund Project(No.6142103190308).

Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.