encryption - Mega 的加密如何用于共享？

Question

我有一些关于找到一种方法来实现可以与多个收件人共享的任意数据的加密的问题。 Mega似乎正是这样做的。据我所知，它会在将数据上传到 Web 服务器之前对其进行加密。仍然可以与他人共享该文件。加密是如何完成的？

想象以下场景:

用户 Alice 上传一个文件到服务器，它正在被加密

Alice 想与 Bob 和 Dave 共享该文件。 Bob 和 Dave 如何访问该文件并查看其原始内容(已解密)？

Answer 1

How is that done with the encryption?

答案是 symmetric-key algorithm 。 Mega 利用 HTML5 提供的浏览器内对称 key 加密。请参阅问题“MEGA 内部使用哪些加密算法？”以下。
正如 onemouth 所说，您的数据 glob 是使用主 key 加密的。

Every user also has a public/private key pair. And every file isencrypted under different session key. Session keys are encryptedunder user's master key.

要了解这一切是如何工作的，意味着查看所有组件并了解它们如何互操作。 Mega 在其网站上解释了加密对称/共享 key 的过程:
(我添加的引用文本中的嵌入链接和强调文本)

What encryption algorithms does MEGA use internally?

For bulk transfers, AES-128 (we believe that the higher CPUutilization of AES-192 and AES-256 outweighs the theoretical securitybenefit, at least until the advent of quantum computers).Post-download integrity checking is done through a chunked variationof CCM, which is less efficient than OCB, but not encumbered bypatents.

For establishing shared secrets between users and droppingfiles into your inbox, RSA-2048 (the key length was chosen as middlegrounds between "too insecure" and "too slow"). All encryption,decryption and key generation is implemented in JavaScript, whichlimits throughput to a few MB/s and causes significant CPU load. Weare looking forward to the implementation of the proposed HTML5WebCrypto API in all major browsers, which will eliminate thisbottleneck. JavaScript's built-in random number generator is enhancedthrough a mouse/keyboard timing-driven RC4 entropy pool as well ascrypto.* randomness where available (Chrome and Firefox only at themoment - keys generated by Internet Explorer and Safari are lesssecure than they could be).

How does folder sharing work?

You can share any subtree of your cloud drive with friends, family orcoworkers. Invitation is by e-mail address. Invitees who do not havean account yet will receive an e-mail notification with a signup link.Alternatively, you can create a public link to any of your folders andexport the folder-specific crypto key, making it accessible without aMEGA account. It is then your responsibility to securely transmit thefolder key to the recipient(s).

To establish, modify or delete a share, simply right click on a folderin your file manager and select Sharing. There are three accesslevels: Read-only, read/write (files can be added, but not deleted),and full (files can be added and deleted). If you added an e-mailaddress that did not have an account yet, you need to be online atleast once after the recipient completes the signup process so thatyou can encrypt the share secret to his newly created public key.

Is data that I put in shared folders as secure my other data?Shared folders, by nature, are only as secure as their least securemember.

您现在拥有的不是只有一个主 key ，而是您已委托(delegate)给 X 人的另一个 key 。您的安全与您对这些 X 人的信任一样重要。
Mega 上的每个文件都有一个唯一的 ID。因此，如果凭据是:

fileId=Abc123Ab
shareKey=abcdefghijklmnopqrstuvwxyz0123456789ZYXWVUT
https://mega.co.nz/#!fileId!shareKey

正在尝试下载

https://mega.co.nz/#!fileId

将导致下载加密文件。除非用户拥有共享的解密 key ，否则无法解密该文件。如何将“shareKey”发送给某人取决于您。但是任何有权访问该 shareKey 的人都可以解密下载的文件，因此通过电子邮件或其他未加密的媒体发送完整的 URL 是一个坏主意。一旦生成了 shareKey(通过 webapi 中的“获取链接”)，它就无法更改。
此外，

However, a compromise of our core server infrastructure posesan additional risk: Public keys could be manipulated, and key requestscould be forged.

他们所说的是，由于个人私钥泄露的个人威胁，在不启用共享的情况下出现的安全问题会增加。

Is my stored data absolutely secure? All security is relative. Thefollowing attack vectors exist - they are not specific to MEGA, but wewant you to know about the risks: Individual accounts are jeopardizedby:

• Spyware on your computer. A simple keylogger is enough, but session credentials and keys could also be extracted from memory or thefilesystem.
• Shoulder surfing. Do not type your password while someone could watch your keystrokes.
• Password brute-forcing. Use strong passwords.
• Phishing. Always confirm the security status of your connection (https://) and the correct domain name (mega.co.nz) before enteringyour password. Large-scale attacks could be mounted through:
• A "man in the middle" attack. Requires issuing a valid duplicate SSL certificate in combination with DNS forging and/or attacks on our BGProutes (a DigiNotar-style scenario).
• Gaining access to the webservers hosting https://mega.co.nz/index.html and replacing that file with a forgedversion (this would not affect access through the installed app base).Note that manipulating content on our distributed static content CDNdoes not pose a security risk, as all active content loaded fromindex.html is subject to verification with a cryptographic hash (thinkof it as some kind of "secure boot" for websites). This type of attackrequires sending malicious code to the client and is thereforedetectable.
• Gaining access to our core server infrastructure and creating forged key requests on existing shares. This type of attack only affects datain accounts with shared folders and is detectable on the client sideas well.

此外，并非所有数据都是私密的，并且大多数用户身份信息都未加密存储。

Is all of my personal information subject to encryption? No. Only filedata and file/folder names are encrypted. Information that we needoperational access to, such as your e-mail address, IP address, folderstructure, file ownership and payment credentials, are stored andprocessed unencrypted. Please see our privacy policy for details.

更多细节可以在 https://mega.co.nz/#doc 的 API 文档中找到

12.2 Cryptography

All symmetric cryptographic operations are based on AES-128. It operates in cipher block chaining mode for the file andfolder attribute blocks and in counter mode for the actual file data.Each file and each folder node uses its own randomly generated 128 bitkey. File nodes use the same key for the attribute block and the filedata, plus a 64 bit random counter start value and a 64 bit meta MACto verify the file's integrity. Each user account uses a symmetricmaster key to ECB-encrypt all keys of the nodes it keeps in its owntrees. This master key is stored on MEGA's servers, encrypted with ahash derived from the user's login password. File integrity isverified using chunked CBC-MAC. Chunk sizes start at 128 KB andincrease to 1 MB, which is a reasonable balance between space requiredto store the chunk MACs and the average overhead forintegrity-checking partial reads. In addition to the symmetric key,each user account has a 2048 bit RSA key pair to securely receive datasuch as share keys or file/folder keys. Its private component isstored encrypted with the user's symmetric master key.

12.3 Shared folders

The owner of the folder is solely responsible for managing access; shares are non-transitive (shares cannot be createdon folders in incoming shares). All participants in a shared foldergain cryptographic access through a common share-specific key, whichis passed from the owner (theoretically, from anyone participating inthe share, but this would create a significant security risk in theevent of a compromise of the core infrastructure) to new participantsthrough RSA. All keys of the nodes in a shared folder, including itsroot node, are encrypted to this share key. The party adding a newnode to a shared folder is responsible for supplying the appropriatenode/share-specific key. Missing node/share-specific keys can only besupplied by the share owner.

12.4 Unauthenticated delivery

MEGA supports secure unauthenticated data delivery. Any fullyregistered user can receive files or folders in their inbox throughtheir RSA public key.

最终，您信任他们的 javascript 代码，该代码已通过 HTTPS 验证为真实的。然后，您相信您的 javascript 引擎(网络浏览器)能够正确处理交易。最后，您相信您的操作系统不允许其他正在运行的进程嗅出 RAM 中未加密的私钥(请参阅 https://nzkoz.github.io/MegaPWN/ )。
在此过程中肯定需要采取预防措施，但它是目前可用的最佳选择之一。您始终可以在使用 GPG 上传到 Mega 之前加密您的文件，以缓解上述一些问题。