

Screenshots of upcoming Mega site: key generator, registration, and file manager - mtgx
http://thenextweb.com/insider/2012/12/07/kim-dotcom-posts-screenshots-of-upcoming-mega-site-key-generator-registration-and-file-manager/

======
phpnode
I think most of the responses here regarding the crypto are missing the point.
It doesn't matter if the key is not totally random. It just has to be good
enough so that they can plausibly deny that they know anything about the file
contents. It is their attempt to absolve themselves of responsibility for the
copyright issues concerning the content. It is not about making your files
more secure.

~~~
res0nat0r
How is this new service supposed to be viable like the last MU? If the point
of this "encryption" is supposed to provide plausible deniability, then the
whole point of distributing warez via this site "legally" will have to be that
the decryption keys are kept secret or underground.

But for this site to be popular enough to allow for downloads supported by ad
revenue, then the file links and decryption keys will have to be widely
distributed to drive traffic. If someone files a takedown notice with a file
and decryption key that proves the data contained therein is copyrighted then
won't MU be in the same boat they were in previously?

~~~
phpnode
They could be doing something as crazy as putting the key in the "share this"
URL. If they put it after the fragment then it doesn't get sent to the server
and they can continue to deny having the ability to read file contents.
Someone did a "Show HN" with a site that did something similar a month or two
back.

Presumably Mega then don't offer a site search but instead rely on Google to
index warez forums with links to the site that include the decryption key. I
don't know.

Edit: found the site that did this:
<http://news.ycombinator.com/item?id=3852649>
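
The key-in-fragment idea from the comment above, as an added example that is not part of the original thread and not Mega's code: it shows which parts of a share link end up in the HTTP request (and in a later Referer header) and which stay in the browser. The host `files.example`, the path layout and the `key` parameter name are assumptions made for illustration.

```javascript
// Added example, not Mega's code. Link layout and names are hypothetical.

// What the server can observe for a given share link.
function serverView(shareLink) {
  const u = new URL(shareLink);
  return {
    // The request target is path + query; the fragment is never transmitted.
    requestLine: `GET ${u.pathname}${u.search} HTTP/1.1`,
    host: u.host,
    // A Referer header may carry at most this much; fragments are stripped.
    refererAtMost: u.origin + u.pathname + u.search,
  };
}

// What only the client-side script can read: the base64url key after '#'.
function clientKey(shareLink) {
  const frag = new URL(shareLink).hash.slice(1);
  const b64 = frag.replace(/-/g, "+").replace(/_/g, "/");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// Audit helper: true if the key string would show up in server-side logs.
function keyReachesServer(shareLink, keyB64url) {
  const v = serverView(shareLink);
  return v.requestLine.includes(keyB64url) || v.refererAtMost.includes(keyB64url);
}

// Constructed sample: a 16-byte key (bytes 0x00..0x0f) in base64url.
const KEY = "AAECAwQFBgcICQoLDA0ODw";
const inFragment = `https://files.example/d/abc123#${KEY}`;
const inQuery = `https://files.example/d/abc123?key=${KEY}`;
console.log(serverView(inFragment), keyReachesServer(inFragment, KEY)); // key stays local
console.log(serverView(inQuery), keyReachesServer(inQuery, KEY));       // key is logged
```

The fragment keeps the key out of the request, but the page's own script can still read `location.hash`, so this only protects against a server that does not serve code to collect it.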

~~~
samwillis
Yep, that was me. I strongly suspect that this may be what he is up to. It
occurred to me at the time that there may be a way of doing it with files.

Ultimately I shut down the site as it got very little traction.

------
anonymous
That key generator seems to imply JavaScript-based encryption. The only
possible use I can see is encrypting a file on upload, so MEGA's servers
can't look inside. In which case I'd very much insist on having an open-source
desktop client, instead of entrusting encryption to some JavaScript code which
can be hijacked.

~~~
nwh
Even if the encryption is using a known-good algorithm, there's absolutely no
way for the JavaScript client to generate anything close to a
cryptographically secure random string for the key.

Unless they use random numbers supplied by Mega itself, I just don't see how
that would work. If they are using entropy supplied by Mega, then they might
as well not bother with the whole encryption thing.

ED: The screenshot does mention that they gather entropy via keystrokes and
mouse movements (like modern OSes do), but I'm still not sure that would provide
anywhere near the randomness needed.

~~~
onli
Why? The screenshot mentions RSA-2048. At which point of that algorithm is
random input so important that it breaks the encryption if you don't have
access to a true random number generator?

I know that you choose p and q at random. And it is obvious that you want to
choose numbers that an attacker can't easily guess. But not having access to a
hardware number generator doesn't automatically imply you have a real, usable
vulnerability here, or does it?

~~~
daeken
Not generating good random numbers is not a huge concern for something like
AES, where there's just such a large search space. But with RSA, generating a
"bad prime" is the difference between something taking until the death of the
sun to break, and taking days.

Edit: To clarify, primes for RSA keys are generated probabilistically -- we
don't really _know_ that they're prime, we just have a fair amount of
confidence to that effect. It's entirely possible to generate bad 'primes'
that really aren't prime at all, which makes factoring the keys trivial.

~~~
onli
Thanks for the answer. But I don't understand that. For generating the prime
numbers used, you basically guess a number and use the Miller-Rabin test or
something like that to test if it is prime. Maybe you have a better approach, but
generally, that should be equally possible using JS as any other language.

You never want to implement something like this yourself for a real product,
of course, but I don't see that specific issue. They even could build upon
something like jsbn[1].

I thought that this is about a missing random number generator.

[1]<http://www-cs-students.stanford.edu/~tjw/jsbn/>

~~~
daeken
I am not a cryptographer (by any means!), but my understanding from
conversations with folks in that space is that it's very possible for a bad
PRNG to generate primes that pass the standard tests but are still very
breakable. I really don't have any more information than that; I should read
up more there.

Either way, that's by no means the biggest issue here -- some browsers already
have CSPRNGs -- but rather that the code is coming from their server and is
considered to be compromised by default. Browser-side crypto without very
strict security boundaries on key generation and access is just bad news.
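
The question in this sub-thread, whether primes can pass Miller-Rabin and still be unsafe, illustrated with an added example that is not from the thread and not Mega's code. It goes one step beyond the comments by picking one concrete failure: clients that start from the same low-entropy seed generate the same first prime, and a GCD over their public moduli recovers it. The LCG, the seeds and the toy 32-bit prime size are assumptions chosen so the run finishes instantly.

```javascript
// Added example, not Mega's code. A 64-bit LCG stands in for a weak PRNG.
function makeLcg(seed) {
  let s = BigInt(seed);
  return () => (s = BigInt.asUintN(64, s * 6364136223846793005n + 1442695040888963407n)) >> 32n;
}
function modPow(base, exp, mod) {
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n, base = (base * base) % mod)
    if (exp & 1n) result = (result * base) % mod;
  return result;
}
// Miller-Rabin with the first 12 primes as bases (deterministic below 2^64).
function isProbablePrime(n) {
  const bases = [2n, 3n, 5n, 7n, 11n, 13n, 17n, 19n, 23n, 29n, 31n, 37n];
  if (n < 2n) return false;
  for (const p of bases) if (n % p === 0n) return n === p;
  let d = n - 1n, r = 0;
  while ((d & 1n) === 0n) { d >>= 1n; r++; }
  return bases.every((a) => {
    let x = modPow(a, d, n);
    if (x === 1n || x === n - 1n) return true;
    for (let i = 1; i < r; i++) if ((x = (x * x) % n) === n - 1n) return true;
    return false;
  });
}
function nextPrime(rand) {
  let c = rand() | 0x80000001n; // force the top bit and oddness
  while (!isProbablePrime(c)) c += 2n;
  return c;
}
// p depends on the shared seed only; entropy is mixed in before q is drawn.
function weakKey(seed, lateEntropy) {
  const rand = makeLcg(seed);
  const p = nextPrime(rand);
  const q = nextPrime(makeLcg(rand() ^ BigInt(lateEntropy)));
  return { n: p * q, p, q };
}
const gcd = (a, b) => { while (b) [a, b] = [b, a % b]; return a; };
// Audit over public moduli: a gcd above 1 means two keys share a prime.
function findSharedFactors(moduli) {
  const hits = [];
  moduli.forEach((a, i) => moduli.slice(i + 1).forEach((b, k) => {
    const g = gcd(a, b);
    if (g > 1n) hits.push({ i, j: i + 1 + k, factor: g });
  }));
  return hits;
}
const keys = [weakKey(42, 1), weakKey(42, 2), weakKey(43, 1)]; // constructed seeds
const shared = findSharedFactors(keys.map((k) => k.n));
console.log(shared);
```

Every prime here passes the primality test; the weakness is only visible when moduli from several clients are compared, which is why `findSharedFactors` works on public keys alone.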

------
kapnobatairza
Can someone explain to me the difference between the new Mega and something
like SpiderOak?

~~~
schabernakk
Judging from the past I would guess that Mega will be quite popular in the
web-warez scene as a hoster.

------
buro9
Who holds the private key?

Do you trust them?

~~~
wmf
_Who holds the private key?_

You do. (Or in reality, the whole world since the point of Mega is to share
files.)

_Do you trust them?_

Depends.

~~~
ericbb
> You do. (Or in reality, the whole world since the point of Mega is to share
> files.)

That implication makes no sense to me. Why would you ever share a private key?

The trust question is more about public keys. Do you trust that the key you
think is your friend's public key really is? And that's what key-signings are
for.

The screenshot shows in-browser key generation but there's no reason I can
think of that they should not accept keys generated by GPG or similar.
Generate your keypair as securely as you can and however you like--and then
only submit your public key to the Mega site.

~~~
wmf
It's not clear why they're using public key crypto in the first place. But
since the whole point of Mega is _sharing_ files, people will definitely be
sharing the decryption keys.

Do you trust that that copy of _The Dark Knight Rises_ is really from who you
think? Who cares?

