Security and Privacy in Cloud Computing with Mega

  • Published on
    05-Dec-2014

  • View
    211

  • Download
    1

Embed Size (px)

DESCRIPTION

Seminar talk given at the Service & Cloud Computing Research Lab of Auckland University of Technology (AUT) on 2014-10-17.

Transcript

  • 1. About Mega Technical Crypto @ Mega Demo You do it . . . Security and Privacy in Cloud Computing Beta-Testing the New Mega Web Client Guy Kloss gk@mega.co.nz Lead Software Developer Mega Limited Guy Kloss | Security and Privacy in Cloud Computing 1/26
  • 2. About Mega Technical Crypto @ Mega Demo You do it . . . Outline 1 About Mega 2 Technical (GeekFood) 3 Crypto @ Mega (GeekFood++) 4 Demo Web Client and Chat 5 You do it . . . Guy Kloss | Security and Privacy in Cloud Computing 2/26
  • 3. About Mega Technical Crypto @ Mega Demo You do it . . . Outline 1 About Mega 2 Technical (GeekFood) 3 Crypto @ Mega (GeekFood++) 4 Demo Web Client and Chat 5 You do it . . . Guy Kloss | Security and Privacy in Cloud Computing 3/26
  • 4. About Mega Technical Crypto @ Mega Demo You do it . . . Our Business: The Privacy Company SaaS Cloud Software Guy Kloss | Security and Privacy in Cloud Computing 4/26
  • 5. About Mega Technical Crypto @ Mega Demo You do it . . . Facts Guy Kloss | Security and Privacy in Cloud Computing 5/26
  • 6. About Mega Technical Crypto @ Mega Demo You do it . . . Products File Storage (now) Chat/Messenger (next) Email (later) Guy Kloss | Security and Privacy in Cloud Computing 6/26
  • 7. About Mega Technical Crypto @ Mega Demo You do it . . . Outline 1 About Mega 2 Technical (GeekFood) 3 Crypto @ Mega (GeekFood++) 4 Demo Web Client and Chat 5 You do it . . . Guy Kloss | Security and Privacy in Cloud Computing 7/26
  • 8. About Mega Technical Crypto @ Mega Demo You do it . . . File Storage Servers File storage servers (many many . . . ) Meta-data servers (file attributes, user attributes, thumb nails, . . . ) API servers DB servers Servers helping with managing concurrency Guy Kloss | Security and Privacy in Cloud Computing 8/26
  • 9. About Mega Technical Crypto @ Mega Demo You do it . . . Messenger Servers Cluster of messaging servers for XMPP (using ejabberd) For scalability and load balancing For reliability STUN/TURN servers ! Overcome problem through private IP networks (NAT) Load balancers, HAproxy, redirectors Note: Voice/video normally connects browsers WebRTC containers directly Guy Kloss | Security and Privacy in Cloud Computing 9/26
  • 10. About Mega Technical Crypto @ Mega Demo You do it . . . Outline 1 About Mega 2 Technical (GeekFood) 3 Crypto @ Mega (GeekFood++) 4 Demo Web Client and Chat 5 You do it . . . Guy Kloss | Security and Privacy in Cloud Computing 10/26
  • 11. About Mega Technical Crypto @ Mega Demo You do it . . . Concept: Everything is End-to-End Encrypted! Guy Kloss | Security and Privacy in Cloud Computing 11/26
  • 12. About Mega Technical Crypto @ Mega Demo You do it . . . File and Attribute Protection Keys Involved Master Key Everything private is protected by a master key The master key itself is password protected: PBKDF RSA Key Pair Used for sharing access to files Stored as user attributes Private key is protected with master key Public key is world readable Guy Kloss | Security and Privacy in Cloud Computing 12/26
  • 13. About Mega Technical Crypto @ Mega Demo You do it . . . File and Attribute Protection File Protection File content (segmented into blocks) encrypted with session key (AES-128 CTR mode) Session key is encrypted with the master key All file attributes (incl. file name) encrypted with the session key Access information to shared files encrypted with recipients RSA public key Shared folders use a folders share key to protect file data and attributes Share keys are protected by own master key or by RSA public key Guy Kloss | Security and Privacy in Cloud Computing 13/26
  • 14. About Mega Technical Crypto @ Mega Demo You do it . . . File and Attribute Protection User Attributes Private attributes are encrypted with master key Public attributes are world readable Guy Kloss | Security and Privacy in Cloud Computing 14/26
  • 15. About Mega Technical Crypto @ Mega Demo You do it . . . Keys and Authentication Every user has an additional signing key pair (Ed25519) Own RSA public key is signed with it All public keys are tracked (fingerprints of RSA and signing keys) Signing keys can be authenticated (comparison of fingerprints) ! Grounding of authentication on one single identity key ! Prevention of man-in-the-middle attacks ! Prevention of impostors Guy Kloss | Security and Privacy in Cloud Computing 15/26
  • 16. About Mega Technical Crypto @ Mega Demo You do it . . . Chat Text Messaging Encrypted via a new group encryption protocol: mpENC Inspired by OTR Properties: Confidentiality (AES-128 CTR encrypted) Full chat partner authenticity (digital signatures) Plausible deniability (ephemeral signing keys) Multi-party capability (Group Diffie-Hellman for shared key agreement) Reveal as little meta-data as possible (Exponential message padding) Based on elliptic curve cryptography (Curve25519 and Ed25519) ! Not compromised by the NSA! lorem ipsum ... Guy Kloss | Security and Privacy in Cloud Computing 16/26
  • 17. About Mega Technical Crypto @ Mega Demo You do it . . . Chat Voice & Video Voice/video is also end-to-end encrypted Using SRTP between WebRTC containers Usually directly connecting peers Guy Kloss | Security and Privacy in Cloud Computing 17/26
  • 18. About Mega Technical Crypto @ Mega Demo You do it . . . Outline 1 About Mega 2 Technical (GeekFood) 3 Crypto @ Mega (GeekFood++) 4 Demo Web Client and Chat 5 You do it . . . Guy Kloss | Security and Privacy in Cloud Computing 18/26
  • 19. About Mega Technical Crypto @ Mega Demo You do it . . . Where/How to get it . . . https://beta.mega.nz Exclude search engins and other externals: Simple Web server authentication Best to use a current/stable Google Chrome or Mozilla Firefox Guy Kloss | Security and Privacy in Cloud Computing 19/26
  • 20. About Mega Technical Crypto @ Mega Demo You do it . . . Accounts/Contacts Create an account (if you dont have one, yet) Add your contacts (for now bilaterally) Guy Kloss | Security and Privacy in Cloud Computing 20/26
  • 21. About Mega Technical Crypto @ Mega Demo You do it . . . File Storage Store files Share files Share folders Guy Kloss | Security and Privacy in Cloud Computing 21/26
  • 22. About Mega Technical Crypto @ Mega Demo You do it . . . Chat Text chatting Voice/video chat Transfer files (via cloud or direct) Guy Kloss | Security and Privacy in Cloud Computing 22/26
  • 23. About Mega Technical Crypto @ Mega Demo You do it . . . Early Adopters Guy Kloss | Security and Privacy in Cloud Computing 23/26
  • 24. About Mega Technical Crypto @ Mega Demo You do it . . . Outline 1 About Mega 2 Technical (GeekFood) 3 Crypto @ Mega (GeekFood++) 4 Demo Web Client and Chat 5 You do it . . . Guy Kloss | Security and Privacy in Cloud Computing 24/26
  • 25. About Mega Technical Crypto @ Mega Demo You do it . . . Provide Feedback Feedback to beta@mega.co.nz Report bugs ! Information to provide Operating system Browser and version Steps to reproduce the problem (if applicable) Maybe a screen shot Possibly exceptions or internal information (see browser debug console) Make suggestions Guy Kloss | Security and Privacy in Cloud Computing 25/26
  • 26. About Mega Technical Crypto @ Mega Demo You do it . . . Questions? Be Safe! Guy Kloss gk@mega.co.nz Shane Te Pou stp@mega.co.nz Guy Kloss | Security and Privacy in Cloud Computing 26/26