Slide 1

Slide 1 text

About Mega | Technical | Crypto @ Mega | Demo | You do it . . .

Security and Privacy in Cloud Computing
Beta-Testing the New Mega Web Client

Guy Kloss [email protected]
Lead Software Developer
Mega Limited

Guy Kloss | Security and Privacy in Cloud Computing 1/26

Slide 2

Slide 2 text

Outline

1. About Mega
2. Technical (GeekFood)
3. Crypto @ Mega (GeekFood++)
4. Demo Web Client and Chat
5. You do it . . .

Slide 3

Slide 3 text

Outline

1. About Mega
2. Technical (GeekFood)
3. Crypto @ Mega (GeekFood++)
4. Demo Web Client and Chat
5. You do it . . .

Slide 4

Slide 4 text

Our Business: “The Privacy Company”

SaaS Cloud Software

Slide 5

Slide 5 text

Facts

Slide 6

Slide 6 text

Products

- File Storage (now)
- Chat/Messenger (next)
- Email (later)

Slide 7

Slide 7 text

Outline

1. About Mega
2. Technical (GeekFood)
3. Crypto @ Mega (GeekFood++)
4. Demo Web Client and Chat
5. You do it . . .

Slide 8

Slide 8 text

File Storage Servers

- File storage servers (many many . . . )
- Meta-data servers (file attributes, user attributes, thumbnails, . . . )
- API servers
- DB servers
- Servers helping with managing concurrency

Slide 9

Slide 9 text

Messenger Servers

- Cluster of messaging servers for XMPP (using ejabberd)
  - For scalability and load balancing
  - For reliability
- STUN/TURN servers
  → Overcome problem through private IP networks (NAT)
- Load balancers, HAProxy, redirectors

Note: Voice/video normally connects browser’s WebRTC containers directly

Slide 10

Slide 10 text

Outline

1. About Mega
2. Technical (GeekFood)
3. Crypto @ Mega (GeekFood++)
4. Demo Web Client and Chat
5. You do it . . .

Slide 11

Slide 11 text

Concept: Everything is End-to-End Encrypted!

Slide 12

Slide 12 text

File and Attribute Protection
Keys Involved

Master Key
- Everything private is protected by a master key
- The master key itself is password protected: PBKDF

RSA Key Pair
- Used for sharing access to files
- Stored as user attributes
- Private key is protected with master key
- Public key is “world readable”

Slide 13

Slide 13 text

File and Attribute Protection
File Protection

- File content (segmented into blocks) encrypted with session key (AES-128 CTR mode)
- Session key is encrypted with the master key
- All file attributes (incl. file name) encrypted with the session key
- Access information to shared files encrypted with recipient’s RSA public key
- Shared folders use a folder’s share key to protect file data and attributes
- Share keys are protected by own master key or by RSA public key
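The key hierarchy from the "Keys Involved" and "File Protection" slides, as an added sketch that is not Mega's client code. The function names, the PBKDF2 parameters, the single-block key wrap and the record layout are assumptions made for illustration; the slides only name "PBKDF" and AES-128 CTR.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: PBKDF2-HMAC-SHA256, 100000 rounds; the slide only says "PBKDF".
function passwordKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, 100000, 16, 'sha256');
}

// Assumption: a 16-byte key is wrapped as one raw AES-128 block under its parent key.
function wrapKey(parentKey, key) {
  const c = nodeCrypto.createCipheriv('aes-128-ecb', parentKey, null);
  c.setAutoPadding(false);
  return Buffer.concat([c.update(key), c.final()]);
}
function unwrapKey(parentKey, wrapped) {
  const d = nodeCrypto.createDecipheriv('aes-128-ecb', parentKey, null);
  d.setAutoPadding(false);
  return Buffer.concat([d.update(wrapped), d.final()]);
}

// CTR is its own inverse. It gives no integrity; this sketch adds no MAC.
function ctr(key, iv, data) {
  const c = nodeCrypto.createCipheriv('aes-128-ctr', key, iv);
  return Buffer.concat([c.update(data), c.final()]);
}

// Fresh session key per file; attributes and content get distinct IVs,
// because reusing a CTR key/IV pair would reuse the keystream.
function storeFile(masterKey, attributes, content) {
  const sessionKey = nodeCrypto.randomBytes(16);
  const ivAttr = nodeCrypto.randomBytes(16), ivData = nodeCrypto.randomBytes(16);
  return {
    wrappedSessionKey: wrapKey(masterKey, sessionKey),
    ivAttr, ivData,
    attributes: ctr(sessionKey, ivAttr, Buffer.from(JSON.stringify(attributes))),
    content: ctr(sessionKey, ivData, content),
  };
}

function openFile(masterKey, record) {
  const sessionKey = unwrapKey(masterKey, record.wrappedSessionKey);
  return {
    attributes: JSON.parse(ctr(sessionKey, record.ivAttr, record.attributes).toString()),
    content: ctr(sessionKey, record.ivData, record.content),
  };
}

// A password change re-wraps only the master key; stored files are untouched.
function changePassword(wrapped, oldPw, newPw, salt) {
  return wrapKey(passwordKey(newPw, salt), unwrapKey(passwordKey(oldPw, salt), wrapped));
}
```

The server only ever sees the wrapped keys and ciphertext; everything it stores is useless without the password-derived key at the top of the chain.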

Slide 14

Slide 14 text

File and Attribute Protection
User Attributes

- Private attributes are encrypted with master key
- Public attributes are “world readable”

Slide 15

Slide 15 text

Keys and Authentication

- Every user has an additional signing key pair (Ed25519)
- Own RSA public key is signed with it
- All public keys are “tracked” (fingerprints of RSA and signing keys)
- Signing keys can be authenticated (comparison of fingerprints)

→ “Grounding” of authentication on one single identity key
→ Prevention of man-in-the-middle attacks
→ Prevention of impostors
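How signing the RSA key and tracking fingerprints lets a contact notice substituted keys, as an added sketch that is not Mega's code. The bundle layout, the function names and the SHA-256-over-DER fingerprint are assumptions; the slide does not specify the fingerprint format.

```javascript
const nodeCrypto = require('node:crypto');

// DER (SPKI) encoding of a public key, used as the bytes to sign and to hash.
const der = (pub) => pub.export({ type: 'spki', format: 'der' });

// Assumption: fingerprint = SHA-256 over the DER-encoded public key, in hex.
function fingerprint(pub) {
  return nodeCrypto.createHash('sha256').update(der(pub)).digest('hex');
}

// Published key bundle: the Ed25519 identity key signs the user's RSA public key.
function publishKeys(signingPair, rsaPub) {
  const rsaSig = nodeCrypto.sign(null, der(rsaPub), signingPair.privateKey);
  return { signingPub: signingPair.publicKey, rsaPub, rsaSig };
}

// Contact-side check. `tracked` maps user -> signing-key fingerprint seen earlier.
// The first sighting is trusted as-is; comparing fingerprints out of band covers it.
function checkBundle(tracked, user, bundle) {
  const fp = fingerprint(bundle.signingPub);
  if (!tracked.has(user)) tracked.set(user, fp);
  else if (tracked.get(user) !== fp) return 'signing-key-changed';
  const ok = nodeCrypto.verify(null, der(bundle.rsaPub), bundle.signingPub, bundle.rsaSig);
  return ok ? 'ok' : 'bad-rsa-signature';
}

// Constructed scenario: the key directory serves altered bundles for "alice".
function demo() {
  const gen = nodeCrypto.generateKeyPairSync;
  const alice = gen('ed25519'), aliceRsa = gen('rsa', { modulusLength: 2048 });
  const other = gen('ed25519'), otherRsa = gen('rsa', { modulusLength: 2048 });
  const tracked = new Map();
  const honest = publishKeys(alice, aliceRsa.publicKey);
  return [
    checkBundle(tracked, 'alice', honest),                                // first contact
    checkBundle(tracked, 'alice', { ...honest, rsaPub: otherRsa.publicKey }), // RSA key swapped
    checkBundle(tracked, 'alice', publishKeys(other, otherRsa.publicKey)),    // whole bundle swapped
  ];
}
```

Only the signing-key fingerprint has to be compared by hand; the RSA key is then covered by the signature, which is the "grounding" on one identity key.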

Slide 16

Slide 16 text

Chat
Text Messaging

- Encrypted via a new group encryption protocol: mpENC
- Inspired by OTR – Properties:
  - Confidentiality (AES-128 CTR encrypted)
  - Full chat partner authenticity (digital signatures)
  - Plausible deniability (ephemeral signing keys)
  - Multi-party capability (Group Diffie-Hellman for shared key agreement)
  - Reveal as little meta-data as possible (Exponential message padding)
- Based on elliptic curve cryptography (Curve25519 and Ed25519)
  → Not compromised by the NSA!

Slide 17

Slide 17 text

Chat
Voice & Video

- Voice/video is also end-to-end encrypted
- Using SRTP between WebRTC containers
- Usually directly connecting peers

Slide 18

Slide 18 text

Outline

1. About Mega
2. Technical (GeekFood)
3. Crypto @ Mega (GeekFood++)
4. Demo Web Client and Chat
5. You do it . . .

Slide 19

Slide 19 text

Where/How to get it . . .

- https://beta.mega.nz
- Exclude search engines and other externals: Simple Web server authentication
- Best to use a current/stable Google Chrome or Mozilla Firefox

Slide 20

Slide 20 text

Accounts/Contacts

- Create an account (if you don’t have one, yet)
- Add your contacts (for now bilaterally)

Slide 21

Slide 21 text

File Storage

- Store files
- Share files
- Share folders

Slide 22

Slide 22 text

Chat

- Text chatting
- Voice/video chat
- Transfer files (via cloud or direct)

Slide 23

Slide 23 text

Early Adopters

Slide 24

Slide 24 text

Outline

1. About Mega
2. Technical (GeekFood)
3. Crypto @ Mega (GeekFood++)
4. Demo Web Client and Chat
5. You do it . . .

Slide 25

Slide 25 text

Provide Feedback

- Feedback to [email protected]
- Report bugs
  → Information to provide
  - Operating system
  - Browser and version
  - Steps to reproduce the problem (if applicable)
  - Maybe a screenshot
  - Possibly exceptions or internal information (see browser debug console)
- Make suggestions

Slide 26

Slide 26 text

Questions?

Be Safe!

Guy Kloss [email protected]
Shane Te Pou [email protected]