Developer Data Modeling Mistakes: From Postgres to NoSQL
Security and Privacy in Cloud Computing with Mega
1. About Mega Technical Crypto @ Mega Demo You do it . . .
Security and Privacy in Cloud Computing
Beta-Testing the New Mega Web Client
Guy Kloss
gk@mega.co.nz
Lead Software Developer
Mega Limited
Guy Kloss | Security and Privacy in Cloud Computing 1/26
2. About Mega Technical Crypto @ Mega Demo You do it . . . Outline
1 About Mega
2 Technical (GeekFood)
3 Crypto @ Mega (GeekFood++)
4 Demo Web Client and Chat
5 You do it . . .
Guy Kloss | Security and Privacy in Cloud Computing 2/26
3. About Mega Technical Crypto @ Mega Demo You do it . . . Outline
1 About Mega
2 Technical (GeekFood)
3 Crypto @ Mega (GeekFood++)
4 Demo Web Client and Chat
5 You do it . . .
Guy Kloss | Security and Privacy in Cloud Computing 3/26
4. About Mega Technical Crypto @ Mega Demo You do it . . .
Our Business:
“The Privacy Company”
SaaS Cloud Software
Guy Kloss | Security and Privacy in Cloud Computing 4/26
5. About Mega Technical Crypto @ Mega Demo You do it . . .
Facts
Guy Kloss | Security and Privacy in Cloud Computing 5/26
6. About Mega Technical Crypto @ Mega Demo You do it . . . Products
File Storage (now)
Chat/Messenger (next)
Email (later)
Guy Kloss | Security and Privacy in Cloud Computing 6/26
7. About Mega Technical Crypto @ Mega Demo You do it . . . Outline
1 About Mega
2 Technical (GeekFood)
3 Crypto @ Mega (GeekFood++)
4 Demo Web Client and Chat
5 You do it . . .
Guy Kloss | Security and Privacy in Cloud Computing 7/26
8. About Mega Technical Crypto @ Mega Demo You do it . . . File Storage Servers
File storage servers (many many . . . )
Meta-data servers
(file attributes, user attributes, thumb nails, . . . )
API servers
DB servers
Servers helping with managing concurrency
Guy Kloss | Security and Privacy in Cloud Computing 8/26
9. About Mega Technical Crypto @ Mega Demo You do it . . . Messenger Servers
Cluster of messaging servers for XMPP (using ejabberd)
For scalability and load balancing
For reliability
STUN/TURN servers
! Overcome problem through private IP networks (NAT)
Load balancers, HAproxy, redirectors
Note: Voice/video normally connects browser’s
WebRTC containers directly
Guy Kloss | Security and Privacy in Cloud Computing 9/26
10. About Mega Technical Crypto @ Mega Demo You do it . . . Outline
1 About Mega
2 Technical (GeekFood)
3 Crypto @ Mega (GeekFood++)
4 Demo Web Client and Chat
5 You do it . . .
Guy Kloss | Security and Privacy in Cloud Computing 10/26
11. About Mega Technical Crypto @ Mega Demo You do it . . .
Concept:
Everything is End-to-End Encrypted!
Guy Kloss | Security and Privacy in Cloud Computing 11/26
12. About Mega Technical Crypto @ Mega Demo You do it . . . File and Attribute Protection
Keys Involved
Master Key
Everything private is protected by a master key
The master key itself is password protected: PBKDF
RSA Key Pair
Used for sharing access to files
Stored as user attributes
Private key is protected with master key
Public key is “world readable”
Guy Kloss | Security and Privacy in Cloud Computing 12/26
13. About Mega Technical Crypto @ Mega Demo You do it . . . File and Attribute Protection
File Protection
File content (segmented into blocks)
encrypted with session key (AES-128 CTR mode)
Session key is encrypted with the master key
All file attributes (incl. file name)
encrypted with the session key
Access information to shared files
encrypted with recipient’s RSA public key
Shared folders use a folder’s share key
to protect file data and attributes
Share keys are protected by own master key
or by RSA public key
Guy Kloss | Security and Privacy in Cloud Computing 13/26
14. About Mega Technical Crypto @ Mega Demo You do it . . . File and Attribute Protection
User Attributes
Private attributes are encrypted with master key
Public attributes are “world readable”
Guy Kloss | Security and Privacy in Cloud Computing 14/26
15. About Mega Technical Crypto @ Mega Demo You do it . . . Keys and Authentication
Every user has an additional signing key pair (Ed25519)
Own RSA public key is signed with it
All public keys are “tracked”
(fingerprints of RSA and signing keys)
Signing keys can be authenticated
(comparison of fingerprints)
! “Grounding” of authentication on one single identity key
! Prevention of man-in-the-middle attacks
! Prevention of impostors
Guy Kloss | Security and Privacy in Cloud Computing 15/26
16. About Mega Technical Crypto @ Mega Demo You do it . . . Chat
Text Messaging
Encrypted via a new group encryption protocol: mpENC
Inspired by OTR – Properties:
Confidentiality (AES-128 CTR encrypted)
Full chat partner authenticity (digital signatures)
Plausible deniability (ephemeral signing keys)
Multi-party capability
(Group Diffie-Hellman for shared key agreement)
Reveal as little meta-data as possible
(Exponential message padding)
Based on elliptic curve cryptography
(Curve25519 and Ed25519)
! Not compromised by the NSA!
lorem ipsum ...
Guy Kloss | Security and Privacy in Cloud Computing 16/26
17. About Mega Technical Crypto @ Mega Demo You do it . . . Chat
Voice & Video
Voice/video is also end-to-end encrypted
Using SRTP between WebRTC containers
Usually directly connecting peers
Guy Kloss | Security and Privacy in Cloud Computing 17/26
18. About Mega Technical Crypto @ Mega Demo You do it . . . Outline
1 About Mega
2 Technical (GeekFood)
3 Crypto @ Mega (GeekFood++)
4 Demo Web Client and Chat
5 You do it . . .
Guy Kloss | Security and Privacy in Cloud Computing 18/26
19. About Mega Technical Crypto @ Mega Demo You do it . . . Where/How to get it . . .
https://beta.mega.nz
Exclude search engins and other externals:
Simple Web server authentication
Best to use a current/stable
Google Chrome or Mozilla Firefox
Guy Kloss | Security and Privacy in Cloud Computing 19/26
20. About Mega Technical Crypto @ Mega Demo You do it . . . Accounts/Contacts
Create an account (if you don’t have one, yet)
Add your contacts (for now bilaterally)
Guy Kloss | Security and Privacy in Cloud Computing 20/26
21. About Mega Technical Crypto @ Mega Demo You do it . . . File Storage
Store files
Share files
Share folders
Guy Kloss | Security and Privacy in Cloud Computing 21/26
22. About Mega Technical Crypto @ Mega Demo You do it . . . Chat
Text chatting
Voice/video chat
Transfer files
(via cloud or direct)
Guy Kloss | Security and Privacy in Cloud Computing 22/26
23. About Mega Technical Crypto @ Mega Demo You do it . . . Early Adopters
Guy Kloss | Security and Privacy in Cloud Computing 23/26
24. About Mega Technical Crypto @ Mega Demo You do it . . . Outline
1 About Mega
2 Technical (GeekFood)
3 Crypto @ Mega (GeekFood++)
4 Demo Web Client and Chat
5 You do it . . .
Guy Kloss | Security and Privacy in Cloud Computing 24/26
25. About Mega Technical Crypto @ Mega Demo You do it . . . Provide Feedback
Feedback to
beta@mega.co.nz
Report bugs
! Information to provide
Operating system
Browser and version
Steps to reproduce the problem (if applicable)
Maybe a screen shot
Possibly exceptions or internal information
(see browser debug console)
Make suggestions
Guy Kloss | Security and Privacy in Cloud Computing 25/26
26. About Mega Technical Crypto @ Mega Demo You do it . . . Questions?
Be Safe!
Guy Kloss
gk@mega.co.nz
Shane Te Pou
stp@mega.co.nz
Guy Kloss | Security and Privacy in Cloud Computing 26/26