CryptoDB
Why E2EE Cloud Storage is hard - Challenges, Attacks and Best Practices
| Authors: | |
|---|---|
| Download: | |
| Presentation: | Slides |
| Abstract: | As privacy-awareness rises, demand for end-to-end encrypted (E2EE) services is increasing. However, not all systems live up to their advertised security guarantees. MEGA—the largest provider of E2EE cloud storage with over 260 million users—failed to protect the confidentiality and integrity of their customers’ data, as our recent paper “MEGA: Malleable Encryption Goes Awry” showed. In this talk, we take a step back and discuss why it is surprisingly challenging to design a privacy-preserving cloud storage protocol that is secure even when the cloud provider is actively malicious. Recent academic effort focused on building file sharing systems which hide metadata. However, systems in practice still face much more fundamental challenges including key management, asynchronously coalescing updates stemming from collaboration on shared E2EE files, and cryptographic agility. We briefly discuss the approach of MEGA and how it was susceptible to a key recovery attack that allowed a malicious cloud provider to decrypt user files, among other vulnerabilities. Based on the attacks on MEGA, we suggest best practices for designing secure E2EE cloud storage systems. Unfortunately, it is infeasible for MEGA to completely redesign their system due to scale and backward compatibility. Even if a redesign was possible, the security they currently aim to provide still falls short of offering desirable properties like post-compromise security, forward security, and key rotation. With this in mind, we point out open questions for future work and advocate for a standardization process for a cloud storage design. |
| Video: | https://youtu.be/9uIpmz2GAew?t=1933 |
BibTeX
@misc{rwc-2023-35446,
title={Why E2EE Cloud Storage is hard - Challenges, Attacks and Best Practices},
note={Video at \url{https://youtu.be/9uIpmz2GAew?t=1933}},
howpublished={Talk given at RWC 2023},
author={Matilda Backendal and Miro Haller and Kenny Paterson},
year=2023
}