Everybody seems to be talking about Kim Dotcom’s new Mega file-sharing service. What arouse my interest is the use of cryptography. I did not look into it in details but from what I read (for example here) it should work as follows:
- at the moment of creating an account, the users chooses a password which is not sent to the server, instead from the password the browser derives an authentication token which is shared with the server; the server cannot recover the password from the authentication token;
- the browser generates an encryption key with which all data sent and received by the server is encrypted and decrypted by the browser itself: the server hosts only encrypted data and has no access to it since it does not know the encryption key;
- for user convenience, the encryption key is stored also on the server but encrypted with the password, in this way the server has no access to the encryption key but the user can retrieve it when he needs it.
So what is the point of all of this? Well, the first thing that comes to my mind (and to other bloggers’ mind) is that the primary purpose of all of this is not to protect the users and the users’ data, but to allow Kim Dotcom to discharge any legal responsibility on the contents hosted on his servers. Since users’ data is encrypted by the browser on the users’ PC and the server has no access in clear to the encryption keys, then all the responsibility on the data hosted on his servers is of the users.
I am curious to see how this will develop.
UPDATE: there are already search engines to find illegal material to download from Mega…