Security Analysis of Chain-FS service

TL;DR

This paper audits Chain-FS's claim of a trustless, end-to-end secure storage service. It demonstrates concrete cryptographic weaknesses, showing that a server with control can recover or render plaintext for properly encrypted files when using short passwords, and that the file sharing flow leaks decryption credentials to the server, eroding trustless guarantees. The authors propose concrete fixes, including unpredictable IVs and password-derived keys via PBKDF2/Argon2, and better password practices, to restore strong end-to-end security. They also highlight additional concerns, such as questionable blockchain usage and unresolved disclosure efforts, underscoring the broader risk of relying on security claims without rigorous verification.

Abstract

We examine the security of a cloud storage service that makes very strong claims about the ``trustless'' nature of its security. We find that, although stored files are end-to-end encrypted, the encryption method allows for effective dictionary attacks by a malicious server when passwords only just meet the minimum length required. Furthermore, the file sharing function simply sends the decryption passwords to the server with no protection other than TLS.

Figures (9)

• Figure 1: The main landing page of chain-fs.com, as at 31 Mar 2025. Claims that even administrators cannot read the data feature prominently.
• Figure 2: Store File Window, before our notification to Chain-FS. Minimum password length is 6.
• Figure 3: Store File Process, more than 90 days after our notification to Chain-FS. The minimum password length has been increased to 8.
• Figure 4: Store File Process.
• Figure 5: Download File Process.