WhatsApp End-to-End Encryption


WhatsApp End-to-End Encryption
Signal, X3DH, Double Ratchet Algorithm & XEdDSA/VXEdDSA

Michael Bolli, Patrick Kofmel
1.1, January 17, 2017
Module: BTI 7311 Computer Science Seminar
Term: Autumn Term 2016/2017
Supervisor: Prof. Dr. Rolf Haenni
Bern University of Applied Sciences, Engineering and Information Technology, Computer Science

Abstract

Right when the court fight between Apple and the FBI was at its highest point, WhatsApp came along, stating that it was turning on end-to-end encryption for its over 1 billion users. With this step, WhatsApp gained a lot of points with privacy advocates, but painted a pretty big target on its back for the US government. In this seminar paper, I will explain how the technology behind WhatsApp end-to-end encryption works. First, a few crypto primitives are illustrated, to provide some context or to serve as a reference. The emphasis, though, lies on the Signal Protocol, developed by Open Whisper Systems. The main topics there are the X3DH key exchange protocol, the Double Ratchet algorithm and the XEdDSA signature scheme.
Berner Fachhochschule | Haute école spécialisée bernoise | Bern University of Applied Sciences

Table of contents

1 Introduction 4
2 Key concepts 4
3 Used crypto primitives and characteristics 5
3.1 Asymmetric/Public key crypto 5
3.2 Forward secrecy 5
3.3 Cryptographic deniability 5
3.4 Digital signatures 5
3.5 One-way hash function 5
3.6 Message authentication code 6
3.7 Diffie-Hellman key agreement protocol 6
3.8 HMAC based key derivation function HKDF 6
3.9 Authenticated Encryption with Associated Data AEAD 7
4 The Signal Protocol 8
4.1 Extended triple Diffie-Hellman key agreement protocol (X3DH) 8
4.1.1 Used keys and functions 8
4.1.2 The three phases 8
4.1.3 Setting overview 10
4.2 The Double Ratchet Algorithm 10
4.2.1 KDF Chains 11
4.2.2 Symmetric-key ratchet 12
4.2.3 Diffie-Hellman ratchet 12
4.2.4 Double Ratchet 13
4.3 The (V)XEdDSA Signature Scheme 14
4.3.1 XEdDSA 15
5 References 16
6 Versions 17

1 Introduction

Since 2012, when messages sent by messaging apps overtook SMS texts for the first time (Bell, 2013), WhatsApp and other services came increasingly under fire for their security issues. The NSA scandal did not help; encrypted messaging services like Threema and Telegram quickly became popular. WhatsApp silently introduced a "commercially reasonable" encryption in the middle of 2012, though only for iOS and Android and without specifying the cryptographic methods, which brought more security analysts onto the scene. It was quickly deduced that this encryption was not secure at all ([email protected], 2012; Kennell, 2012). From 2012 to 2014 even more vulnerabilities were found, e.g. the "WhatsApp Message Handler Vulnerability", which crashed the app when it received a certain 2 KB message, or the "Photo Privacy Bug" after the introduction of WhatsApp Web (Khandelwal, 2014). It was high time for WhatsApp to invest in reliable security.
At the end of 2014 the partnership of WhatsApp and Open Whisper Systems was made official (Marlinspike, Open Whisper Systems partners with WhatsApp to provide end-to-end encryption, 2014). OWS had developed the encrypted messaging app TextSecure and the protocol of the same name. Together they announced proper end-to-end encryption using TextSecure, which was soon renamed to Signal. In April 2016 the companies announced the availability of end-to-end encryption on all architectures and that users could verify each other's keys. In this seminar paper, I will introduce the Signal Protocol, which is now also used by Facebook Messenger and Google Allo. As a reference, I will first describe some crypto terms that help in understanding the protocol itself.

2 Key concepts

Concept          Description                                              Crypto techniques
Confidentiality  Information is kept secret from all but authorized       (A)Symmetric Key Crypto
                 parties.
Integrity        Messages have not been modified in transit.              Hash, HMAC, Signature
Authentication   The sender of a message is authentic.                    HMAC, Asymmetric Key Crypto, Signature
Non-repudiation  The sender of a message cannot deny the creation of      Asymmetric Key Crypto, Signature
                 the message.
Freshness        Messages cannot be replayed.                             Nonce, Perfect Forward Secrecy
Trust            Receiver can believe that the sender is who he says      Certificates
                 he is.

3 Used crypto primitives and characteristics

3.1 Asymmetric/Public key crypto

Two keys are used: a public key, which is distributed, and a private key, which must be kept private. If somebody wants to send me e.g. an encrypted e-mail, he uses my public key to encrypt it, and I use my private key to decrypt it. For this to be secure, it must be computationally infeasible to derive the private key from its public key. In comparison to symmetric crypto, the key exchange does not need to happen over a secure channel.
In many cases, asymmetric crypto is used as a convenient way to securely transfer a session key for a subsequent symmetric encryption, which is much more efficient. This is called a hybrid cryptosystem. Public key algorithms are used in many well-known standards like TLS, S/MIME, PGP and GPG. With key agreement algorithms like Diffie-Hellman and signature schemes like DSA, public key crypto is fundamental to today's crypto world.

3.2 Forward secrecy

A cryptographic protocol has (perfect) forward secrecy if the compromise of long-term keys does not allow an attacker to obtain past session keys (Paar & Pelzl, 2010, p. 341). A system therefore needs to generate a fresh set of key agreement parameters for each session. These parameters are never re-used and should never be stored. An attacker who manages to compromise a shared session secret then compromises only that particular session.

3.3 Cryptographic deniability

It might be necessary for the sender of a message to deny having sent it, even if he was forced to give up the encryption key. Cryptographic deniability makes it impossible to prove the existence of the plaintext message without the right encryption key. This can be achieved by encrypting a message in such a way that decrypting the ciphertext with key $K_A$ yields a different message than decrypting it with key $K_B$.

3.4 Digital signatures

To prevent forgery of or tampering with messages, digital signatures can be used to provide integrity, authentication and non-repudiation. Digital signatures employ asymmetric cryptography and consist of three parts: key generation, signing and verifying. The key generation algorithm outputs the private key and a corresponding public key. The signing algorithm takes a message and the private key and produces a signature. The verifying algorithm checks the authenticity of the message using the public key and the signature.
3.5 One-way hash function

A hash function calculates, from an input message of any length, an output string of a fixed length. It is deterministic, so the same message always results in the same hash. It is called a one-way function because its design makes it easy to compute the output from the input message, but very hard to find an input message for a given hash value. Another property is the so-called avalanche effect: even a minimal change to the message drastically changes the output hash. Hashes are used in many applications, such as digital signatures, message authentication codes (see below), fingerprinting and data integrity.

3.6 Message authentication code

A MAC consists of key generation, signing and verifying algorithms. MACs share some properties with digital signatures, as they also provide message integrity and authentication (but not non-repudiation). Because they use block ciphers or hash functions (the latter giving an HMAC) instead of asymmetric crypto, they are much faster. A MAC takes a secret key and a message as input and calculates a MAC output. This enables a recipient/verifier to detect any change to the message content by running the message through the same MAC function with the same key and comparing the resulting MACs.

3.7 Diffie-Hellman key agreement protocol

The Diffie-Hellman key exchange enables two parties to calculate a common secret key by communicating over an insecure channel. Apart from Signal, it is also used in many major protocols like SSH, TLS and IPsec. Its basic idea is that exponentiation in $\mathbb{Z}_p^*$, $p$ prime, is a one-way function and that exponentiation is commutative (Paar & Pelzl, 2010, p. 206):

$k = (\alpha^x)^y \equiv (\alpha^y)^x \pmod p$

Using this idea, the protocol looks like this:

Figure 1: Diffie-Hellman key agreement protocol (Schneider, 2016)

Alice wants to establish a secret key with Bob through an insecure channel. In the set-up protocol the public parameters $\alpha \in \{2, 3, \ldots, p-2\}$ and a large prime $p$ are generated and published. Alice can then choose her private key $a \in \{2, 3, \ldots, p-2\}$ and calculate her public key $A = \alpha^a \bmod p$. Alice sends the public key to Bob, who does the same after his own calculations. With these public keys, they can now each generate the joint secret key:

$K \equiv B^a \equiv \alpha^{ba} \equiv A^b \equiv \alpha^{ab} \pmod p$

This key $K$ can now be used for further communications, e.g. with a symmetric-key cipher like AES or 3DES.

3.8 HMAC based key derivation function HKDF

A key derivation function (KDF) is a basic and essential component of cryptosystems.
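The following Python example is added here to carry sections 3.5 to 3.7 through in code; it is not code from the paper or from Signal. It runs the Diffie-Hellman agreement with the paper's symbols ($p$, $\alpha$, $a$, $A$, $b$, $B$, $K$), rejects degenerate public values before exponentiating, derives a MAC key from $K$ instead of using $K$ directly, and authenticates a message with HMAC-SHA256 using a constant-time comparison, so that a modified message is detected. It also measures the avalanche effect of SHA-256 by flipping one input bit. The parameters $p = 23$, $\alpha = 5$ are the textbook toy values and all messages are constructed for the example; a real deployment uses a standardised group of at least 2048 bits.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only (the
# classic textbook values).  Far too small for real use.
P = 23       # prime modulus p
ALPHA = 5    # public base alpha in {2, ..., p-2}


def hash_avalanche_bits(msg: bytes) -> int:
    """Section 3.5: number of SHA-256 output bits (out of 256) that change
    when a single input bit is flipped.  Roughly half, ~128, is expected."""
    flipped = bytes([msg[0] ^ 0x01]) + msg[1:]
    h1 = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    h2 = int.from_bytes(hashlib.sha256(flipped).digest(), "big")
    return bin(h1 ^ h2).count("1")


def commutes(p: int, alpha: int, x: int, y: int) -> bool:
    """The identity behind DH: (alpha^x)^y == (alpha^y)^x  (mod p)."""
    return pow(pow(alpha, x, p), y, p) == pow(pow(alpha, y, p), x, p)


def is_valid_public_key(pub: int, p: int) -> bool:
    """Reject out-of-range and degenerate values (0, 1, p-1): accepting them
    would let a peer force the shared secret to a trivial value."""
    return 2 <= pub <= p - 2


def dh_keypair(p: int, alpha: int):
    """Pick a private key x in {2, ..., p-2}; return (x, alpha^x mod p).
    Retries until the public value itself passes the validity check."""
    while True:
        x = 2 + secrets.randbelow(p - 3)        # uniform in 2 .. p-2
        pub = pow(alpha, x, p)
        if is_valid_public_key(pub, p):
            return x, pub


def dh_shared_secret(priv: int, peer_pub: int, p: int) -> int:
    """K = peer_pub^priv mod p: B^a for Alice, A^b for Bob."""
    if not is_valid_public_key(peer_pub, p):
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_pub, priv, p)


def derive_mac_key(shared: int, p: int) -> bytes:
    """Do not use K directly as a key: pass it through HMAC-SHA256 keyed
    with a fixed public label (an HKDF-style extract step, section 3.8)."""
    k_bytes = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    return hmac.new(b"dh-demo-mac-key", k_bytes, hashlib.sha256).digest()


def mac_tag(key: bytes, msg: bytes) -> bytes:
    """Section 3.6: HMAC-SHA256 tag over the message."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time, so timing leaks
    nothing about how many tag bytes a forgery got right."""
    return hmac.compare_digest(mac_tag(key, msg), tag)


def run_exchange(p: int = P, alpha: int = ALPHA) -> dict:
    """Section 3.7 end to end: agree on K over the insecure channel, then use
    a key derived from K to authenticate a message and catch tampering."""
    a, A = dh_keypair(p, alpha)             # Alice: private a, public A
    b, B = dh_keypair(p, alpha)             # Bob:   private b, public B
    k_alice = dh_shared_secret(a, B, p)     # B^a mod p
    k_bob = dh_shared_secret(b, A, p)       # A^b mod p

    msg = b"constructed sample message from Alice to Bob"
    tag = mac_tag(derive_mac_key(k_alice, p), msg)
    tampered = b"constructed sample message from Alice to Eve"
    bob_key = derive_mac_key(k_bob, p)
    return {
        "agreed": k_alice == k_bob,
        "accepted": mac_verify(bob_key, msg, tag),
        "tamper_detected": not mac_verify(bob_key, tampered, tag),
    }


if __name__ == "__main__":
    print(run_exchange())
    print("avalanche bits:", hash_avalanche_bits(b"constructed input"))
```

The private keys are drawn fresh on every call of run_exchange and never stored, which is exactly the per-session parameter generation that section 3.2 requires for forward secrecy; with the toy group the value $\alpha^{11} = p - 1$ shows why the public-value check is needed even when the arithmetic is otherwise correct.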