) encrypted AES so the user password will be saved as plain text on the client or server can be used to decode their data? In particular, the user password will act as the key to decrypt the user data (files, folders. Shared links are probably generated out of random data, it does not need to be decoded or decrypted, just very difficult to guess. ) and encrypt messages.ĪES to encrypt information. Check out their documentation.Īs far as I "understand", they use AES to encrypt most of the data, RSA just to create shared links (to people, emails. This is called zero-knowledge encryption and is incredibly rare and tricky to implement correctly Boxcryptor and Spideroak aim to do exactly this and as far as I understand have got the right concepts in place. * It is possible to have the system built in such a way that they are physically unable to decrypt your files simply because they do not have enough key material to do so. Also notice that you would be dealing with multiple AES keys, not just one Using asymmetric cryptography you are able to pull in the encrypted AES key and decrypted with key material that only you possess (calculated at the time of registration). * It is possible that they hold copies of encryption keys in such a way that they can't be used to decrypt your files. * They almost certainly do not hold a cleartext version of your password. Moreover it is also unlikely (and unnecessary) that they would hold this key in plain text * It is possible that the service sends you AES keys for handling your files, although I find this simplistic and unlikely. And I am not aware of the implementation details of mega, so I may be off the mark here. I think they store the encrypted password or the key to decrypt the password as plain text or vice versa to check if the user information is entered correctly or not? And I noticed that every time I log in successfully, the server sends me the same decryption key, if both the password and the decryption key are encrypted on the server, how do they send the decrypt key has been decoded for me? If you don't always have to enter your password, that's because you're caching this authentication token. Something akin to sending the password for them to compare the hash, except the hash would have been calculated on the client side (this is not accurate, just a simplified example). As far as I understood from the documentation, when you login, a string is calculated from your password that is sent to the server as form of authentication token to be matched on their side. When you create your account, you send information to the server that can be re-calculated using your password. How do they verify that the user enters the email / password correctly? While login information is sent to the server only email address. Have a look at this, it's actually quite descriptive: Īlso mind you the link you mentioned is over 7 years old, things will have changed since then.
I want to apologize in advance if my question is silly or confusing and my ability to use English is also not good.Īny of your answers that help me understand the problem would be appreciated. User password will be saved as plain text on the client or serverĬan be used to decode their data? If user passwords are used toĭecrypt their data, what is the key to decrypt their passwords?Ĭreated when? Where to be stored? And is it encrypted? In particular, the user password will act as the key toĭecrypt the user data (files, folders. RSA just to create shared links (to people, emails. As far as I "understand", they use AES to encrypt most of the data,.The server, how do they send the decrypt key has been decoded for Key, if both the password and the decryption key are encrypted on Time I log in successfully, the server sends me the same decryption
Information is entered correctly or not? And I noticed that every Password as plain text or vice versa to check if the user
I read this article: How can mega store my login details and still be secure?īut I still don't understand a few issues: Does MEGA store my password or decryption key? How do they check if the login information I enter is correct while only my email address is sent to the server?
0 kommentar(er)
