
Security and Privacy in Cloud Computing with Mega


Seminar talk given at the Service & Cloud Computing Research Lab of Auckland University of Technology (AUT) on 2014-10-17.


Page 1: Security and Privacy in Cloud Computing with Mega

About Mega Technical Crypto @ Mega Demo You do it . . .

Security and Privacy in Cloud Computing
Beta-Testing the New Mega Web Client

Guy Kloss

[email protected]

Lead Software Developer

Mega Limited

Guy Kloss | Security and Privacy in Cloud Computing 1/26

Page 2: Security and Privacy in Cloud Computing with Mega


Outline

1 About Mega

2 Technical (GeekFood)

3 Crypto @ Mega (GeekFood++)

4 Demo Web Client and Chat

5 You do it . . .

Page 4: Security and Privacy in Cloud Computing with Mega

Our Business: “The Privacy Company”

SaaS Cloud Software

Page 5: Security and Privacy in Cloud Computing with Mega

Facts

Page 6: Security and Privacy in Cloud Computing with Mega

Products

File Storage (now)
Chat/Messenger (next)
Email (later)

Page 8: Security and Privacy in Cloud Computing with Mega

File Storage Servers

File storage servers (many many . . . )
Meta-data servers (file attributes, user attributes, thumbnails, . . . )
API servers
DB servers
Servers helping with managing concurrency

Page 9: Security and Privacy in Cloud Computing with Mega

Messenger Servers

Cluster of messaging servers for XMPP (using ejabberd)
  For scalability and load balancing
  For reliability

STUN/TURN servers
→ Overcome the problem posed by private IP networks (NAT)

Load balancers, HAProxy, redirectors

Note: Voice/video normally connects the browsers’ WebRTC containers directly

Page 11: Security and Privacy in Cloud Computing with Mega

Concept: Everything is End-to-End Encrypted!

Page 12: Security and Privacy in Cloud Computing with Mega

File and Attribute Protection
Keys Involved

Master Key
  Everything private is protected by a master key
  The master key itself is password protected: PBKDF

RSA Key Pair
  Used for sharing access to files
  Stored as user attributes
  Private key is protected with master key
  Public key is “world readable”

Page 13: Security and Privacy in Cloud Computing with Mega

File and Attribute Protection
File Protection

File content (segmented into blocks) encrypted with session key (AES-128 CTR mode)
Session key is encrypted with the master key
All file attributes (incl. file name) encrypted with the session key
Access information to shared files encrypted with recipient’s RSA public key
Shared folders use a folder’s share key to protect file data and attributes
Share keys are protected by own master key or by RSA public key
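The key hierarchy from the “Keys Involved” and “File Protection” slides, as an added Node.js example that is not code from the talk or from Mega. The slides name only “PBKDF” and AES-128 CTR; PBKDF2-HMAC-SHA256, its iteration count, the use of CTR for key wrapping and all function names are assumptions.

```javascript
const crypto = require('crypto');

// AES-128-CTR with a fresh random 16-byte counter block prepended to the output.
function ctrEncrypt(key, plaintext) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-128-ctr', key, iv);
  return Buffer.concat([iv, cipher.update(plaintext), cipher.final()]);
}

// CTR gives confidentiality only: a wrong key yields garbage, not an error.
function ctrDecrypt(key, blob) {
  const decipher = crypto.createDecipheriv('aes-128-ctr', key, blob.subarray(0, 16));
  return Buffer.concat([decipher.update(blob.subarray(16)), decipher.final()]);
}

// Password -> 128-bit key (assumption: PBKDF2-HMAC-SHA256, 100000 iterations).
function passwordKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, 100000, 16, 'sha256');
}

// Client side: the master key leaves the client only in wrapped form.
function createAccount(password) {
  const salt = crypto.randomBytes(16);
  const masterKey = crypto.randomBytes(16);
  return { salt, wrappedMasterKey: ctrEncrypt(passwordKey(password, salt), masterKey) };
}

function unlockMasterKey(account, password) {
  return ctrDecrypt(passwordKey(password, account.salt), account.wrappedMasterKey);
}

// Client side: encrypt one file; the returned record is all the server stores.
function encryptFile(masterKey, name, content) {
  const sessionKey = crypto.randomBytes(16); // per-file key
  return {
    wrappedSessionKey: ctrEncrypt(masterKey, sessionKey),
    attributes: ctrEncrypt(sessionKey, Buffer.from(JSON.stringify({ name }))),
    content: ctrEncrypt(sessionKey, content),
  };
}

function decryptFile(masterKey, record) {
  const sessionKey = ctrDecrypt(masterKey, record.wrappedSessionKey);
  const attrs = JSON.parse(ctrDecrypt(sessionKey, record.attributes).toString('utf8'));
  return { name: attrs.name, content: ctrDecrypt(sessionKey, record.content) };
}
```

Because CTR carries no integrity check, unlocking with a wrong password returns a different 16-byte key instead of failing; a real client needs a separate way to detect that.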

Page 14: Security and Privacy in Cloud Computing with Mega

File and Attribute Protection
User Attributes

Private attributes are encrypted with master key
Public attributes are “world readable”

Page 15: Security and Privacy in Cloud Computing with Mega

Keys and Authentication

Every user has an additional signing key pair (Ed25519)
Own RSA public key is signed with it
All public keys are “tracked” (fingerprints of RSA and signing keys)
Signing keys can be authenticated (comparison of fingerprints)

→ “Grounding” of authentication on one single identity key
→ Prevention of man-in-the-middle attacks
→ Prevention of impostors
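One way a client could apply the checks on this slide, as an added Node.js example that is not Mega's code. The fingerprint format (SHA-256 over the DER-encoded public key), the 2048-bit RSA size and all names are assumptions.

```javascript
const crypto = require('crypto');

// Fingerprint = SHA-256 over the DER-encoded public key (assumed format), hex encoded.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// What a user publishes: Ed25519 identity key, RSA key, and a signature binding them.
function publishKeys() {
  const signing = crypto.generateKeyPairSync('ed25519');
  const rsa = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const rsaDer = rsa.publicKey.export({ type: 'spki', format: 'der' });
  return {
    signingPub: signing.publicKey,
    rsaPub: rsa.publicKey,
    rsaSig: crypto.sign(null, rsaDer, signing.privateKey), // Ed25519 takes no digest name
  };
}

// Contact side: `tracked.signingFp` is the fingerprint recorded earlier or compared
// out of band. Only the signing key is pinned; the RSA key is trusted through it.
function checkContact(bundle, tracked) {
  if (fingerprint(bundle.signingPub) !== tracked.signingFp) {
    return 'signing key changed';
  }
  const rsaDer = bundle.rsaPub.export({ type: 'spki', format: 'der' });
  if (!crypto.verify(null, rsaDer, bundle.signingPub, bundle.rsaSig)) {
    return 'RSA key not signed by identity key';
  }
  return 'ok';
}
```

A key directory that swaps only the RSA key fails the signature check, and one that swaps both keys fails the fingerprint comparison.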

Page 16: Security and Privacy in Cloud Computing with Mega

Chat
Text Messaging

Encrypted via a new group encryption protocol: mpENC
Inspired by OTR – Properties:

  Confidentiality (AES-128 CTR encrypted)
  Full chat partner authenticity (digital signatures)
  Plausible deniability (ephemeral signing keys)
  Multi-party capability (Group Diffie-Hellman for shared key agreement)
  Reveal as little meta-data as possible (Exponential message padding)

Based on elliptic curve cryptography (Curve25519 and Ed25519)

→ Not compromised by the NSA!
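Why the padding property matters alongside CTR encryption: CTR ciphertext is exactly as long as its plaintext, so message sizes leak unless messages are padded into buckets first. This is an added Node.js example, not mpENC's actual wire format; the 2-byte length prefix, the 32-byte minimum bucket and the function names are assumptions.

```javascript
const crypto = require('crypto');

const MIN_BUCKET = 32; // assumed smallest padded size in bytes

// Pad to the next power-of-two bucket: 2-byte big-endian length, message, zero fill.
function pad(message) {
  const body = Buffer.from(message, 'utf8');
  if (body.length > 0xffff) throw new RangeError('message exceeds 2-byte length prefix');
  let size = MIN_BUCKET;
  while (size < body.length + 2) size *= 2;
  const out = Buffer.alloc(size); // zero filled
  out.writeUInt16BE(body.length, 0);
  body.copy(out, 2);
  return out;
}

// Reject anything that is not a well-formed bucket before trusting the length prefix.
function unpad(padded) {
  const n = padded.length;
  if (n < MIN_BUCKET || (n & (n - 1)) !== 0) throw new Error('not a valid bucket size');
  const len = padded.readUInt16BE(0);
  if (len + 2 > n) throw new Error('length prefix exceeds bucket');
  return padded.subarray(2, 2 + len).toString('utf8');
}

// Ciphertext length an observer sees for one message under AES-128-CTR.
function wireLength(key, message, usePadding) {
  const plain = usePadding ? pad(message) : Buffer.from(message, 'utf8');
  const cipher = crypto.createCipheriv('aes-128-ctr', key, crypto.randomBytes(16));
  return Buffer.concat([cipher.update(plain), cipher.final()]).length;
}
```

Without padding, "yes" and "no" are distinguishable by length alone (3 versus 2 bytes); with padding both occupy the same 32-byte bucket.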

Page 17: Security and Privacy in Cloud Computing with Mega

Chat
Voice & Video

Voice/video is also end-to-end encrypted
Using SRTP between WebRTC containers
Usually directly connecting peers

Page 19: Security and Privacy in Cloud Computing with Mega

Where/How to get it . . .

https://beta.mega.nz

Exclude search engines and other externals: Simple Web server authentication
Best to use a current/stable Google Chrome or Mozilla Firefox

Page 20: Security and Privacy in Cloud Computing with Mega

Accounts/Contacts

Create an account (if you don’t have one, yet)
Add your contacts (for now bilaterally)

Page 21: Security and Privacy in Cloud Computing with Mega

File Storage

Store files
Share files
Share folders

Page 22: Security and Privacy in Cloud Computing with Mega

Chat

Text chatting
Voice/video chat
Transfer files (via cloud or direct)

Page 23: Security and Privacy in Cloud Computing with Mega

Early Adopters

Page 25: Security and Privacy in Cloud Computing with Mega

Provide Feedback

Feedback [email protected]

Report bugs
→ Information to provide

  Operating system
  Browser and version
  Steps to reproduce the problem (if applicable)
  Maybe a screenshot
  Possibly exceptions or internal information (see browser debug console)

Make suggestions

Page 26: Security and Privacy in Cloud Computing with Mega

Questions?

Be Safe!

Guy Kloss [email protected]

Shane Te [email protected]
