[jiggy2011]

The hashing is done by the client before upload. So if all clients use the same hash algo they will generate the same hash for the same file. So it is encrypted with a key that you know because you have the original file.

[beala]

Deriving the key from the plaintext + the ciphertext is called a known-plaintext attack [1]. AES isn't vulnerable to this.

[1] http://en.wikipedia.org/wiki/Known-plaintext_attack#Present_...

[jiggy2011]

It is if you know that the key is derived directly and deterministically from the plaintext itself.

Of course this will only give you the key to that one particular file, not any other files that you do not have yourself.

[beala]

Ah I see this was in reference to your convergent encryption post above. Point taken.

Assuming that it works this way, it would allow Mega to figure out if you own a known "bad" file. Just take something like "New_Jay-Z_Album.zip," hash it, and try the hash against your encrypted files. It seems like Kim is trying to avoid this problem.