Circumventing Cryptographic Deniability with Remote Attestation

Total Page:16

File Type:pdf, Size:1020Kb

Circumventing Cryptographic Deniability with Remote Attestation Lachlan J. Gunn, Ricardo Vieitez Parra, and N. Asokan Circumventing Cryptographic Deniability with Remote Attestation Abstract: Deniable messaging protocols allow two par- themselves to the recipient without the possibility for ties to have ‘off-the-record’ conversations without leav- anyone else to reliably authenticate the source of the ing any record that can convince external verifiers message, even with the aid of the original intended recip- about what either of them said during the conversa- ient. Modern secure messaging protocols [11, 30] place tion. Recent events like the Podesta email dump under- great emphasis on supporting deniability. These have score the importance of deniable messaging to politi- become popular in the wake of the Snowden disclo- cians, whistleblowers, dissidents and many others. Con- sures [15], and in particular amongst politicians follow- sequently, messaging protocols like Signal and OTR are ing a number of well-known email dumps [19]. Thus it is designed with cryptographic mechanisms to ensure de- reasonable to expect that when someone wants to have niable communication, irrespective of whether the com- a conversation without leaving a verifiable audit trail— munications partner is trusted. such as when a whistleblower talks to a journalist—they Many commodity devices today support hardware- may choose to use a modern deniable messaging proto- assisted remote attestation which can be used to con- col like Signal, rather than a medium such as email. vince a remote verifier of some property locally observed Hardware-based Trusted Execution Environments on the device. ( tees) like ARM TrustZone and Intel SGX are widely We show how an adversary can use remote attesta- available in commodity devices. They can support re- tion to undetectably generate a non-repudiable tran- mote attestation: the ability to convince a remote veri- script from any deniable protocol (including messaging fier about properties observable locally on the device. protocols) providing sender authentication. We prove Deniability depends upon the ability of an adver- that our attack allows an adversary to convince skepti- sary to lie: cryptographic deniability means nothing if a cal verifiers. We describe a concrete implementation of verifier can trust your communications partner to truth- the attack against someone using the Signal messaging fully reveal what you said. Remote attestation allows protocol. We then show how to design protocols resis- even manifestly untrustworthy actors such as criminal tant to attestation-based attacks, and in particular how organizations or hostile intelligence agencies to reach attestation itself can be used to restore deniability by such a level of trustworthiness by piggybacking on a thwarting realistic classes of adversary. verifier’s trust in a hardware vendor; such an adversary can compromise your partner’s device, and use attes- tation to prove to a skeptical audience that the mes- sages you sent to that device were not fabricated. In 1 Introduction this paper, we show that an adversary can use remote attestation on a device (say Bob’s) to produce a publicly There is a growing trend towards the use of communi- verifiable, non-repudiable transcript of an otherwise de- cations dumps as political weapons. Transparent inser- niable protocol run, circumventing the deniability guar- tion of signatures by mail servers as an anti-spam mea- antees that the protocol provides to his communication sure [25] has made email dumps into potent weapons, partner (Alice). Worse still, Alice cannot detect her loss as they allow readers to verify the authenticity of emails of deniability. We provide a security argument to show leaked by unknown or untrusted parties [3]. that the transcript resulting from the attack can con- A deniable [24] but authenticated communications vince a skeptical verifier (e.g., a journalist who does not channel allows the sender of a message to authenticate trust Bob or some recording software on Bob’s device) of what Alice1 said during the conversation. Furthermore, the transcript is transferable: the attacker can publish Lachlan J. Gunn: Aalto University, Email: [email protected] Ricardo Vieitez Parra: Aalto University N. Asokan: Aalto University, Email: [email protected] 1 As identified by the long-term identity key that she uses to authenticate herself to peers in the deniable messaging protocol. Circumventing Cryptographic Deniability with Remote Attestation 2 the transcript, which can be verified by anyone capable – Positive uses: We show that the basic pattern used of verifying the attestation. This is at odds with the ex- in the attack has positive applications such as allow- pectations of users, who assume that a remote adversary ing a tee to ‘upgrade’ a shared-key based message cannot obtain verifiable transcripts of their messages by authenticator to a publicly verifiable signature [Sec- compromising their contacts’ devices. tion 5]. We have implemented a working prototype of the attack using Signal as the deniable messaging protocol, We also prove in Appendix A that (a) our attack results and Intel SGX for remote attestation. But the basic in a transcript that can convince skeptical, offline veri- approach can circumvent deniability guarantees of any fiers [Theorem 1], (b) that any authenticated messaging protocol that makes use of an authenticated channel. protocol that does not use a tee can be undetectably We discuss several such examples. rendered non-repudiable [Theorem 2], and (c) that it We show that remote attestation itself can be used is not possible to defend against a hardware-modifying to restore deniability for Alice by thwarting a realistic adversary without sacrificing sender authentication in class of adversaries which we call software-modifying the messaging protocol [Corollary 2]. adversary (who can install or manipulate software on Though we focus on deniable messaging, this ob- Bob’s device but cannot install new tees) from mount- servation applies to the more general zero-knowledge ing this attack. The intuition behind the defense is for setting; the use of remote attestation effectively turns Bob’s device to attest to Alice either that it will make interactive protocols into non-interactive ones, allowing no further attestations about the conversation, or that the verifier in a zero-knowledge protocol to prove to a the message authentication key(s) used in the session third party any property that it can locally verify. are present outside the tee, and thus any subsequent Today’s cryptographic deniability mechanisms are attested transcript from Bob’s device will not convince indeed secure with respect to their assumptions. But we skeptical verifiers about the origin of the messages Alice show that it is no longer valid to assume the adversary sends in the session. We show that the attack cannot be can lie to the verifier. We hope that our work will help defended against stronger adversaries (who can install protocol designers to be cognizant of how this change tees on Bob’s device) without foregoing sender authen- affects the deniability guarantees that their protocols tication in the messaging protocol. provide in real world systems. Finally, we show that the central idea of attesting confidentiality and behavior of secret keys can have pos- itive applications, too. One such application is to use a 2 Preliminaries tee to ‘upgrade’ a shared-key based message authen- tication code to a publicly verifiable signature which may be useful in scenarios where resource-constrained 2.1 Deniable protocols devices (e.g., automotive microcontroller units) need to produce publicly verifiable statements (e.g., for use in We consider the following setting for secure messaging accident investigation). protocols: two parties, Alice and Bob, each having long- Our contributions are as follows: term identity keys. The messaging scheme provides the – Removing deniability: We present a generic usual authenticity, integrity, and confidentiality guaran- method for stripping the deniability of messaging tees to Alice and Bob [36]. Suppose that one party (say protocols that provide sender authentication [Sec- Bob) has recording software (which we refer to as the tion 3.2] and a concrete implementation of it using prover) installed on his device (possibly by an exter- Intel SGX and the Signal messaging protocol [Sec- nal adversary without Bob’s knowledge). The goal of tion 3.3]. We discuss several other types of deni- the adversary is to use a protocol transcript recorded able protocols which can be similarly attacked [Sec- on Bob’s device to convince a skeptical third party ver- tion 3.4]. ifier (Valerie) that a certain message was definitely sent – Restoring deniability: We show how we can re- by Alice, the victim. Valerie is “skeptical” in the sense that store deniability (a) in the presence of adversaries she does not automatically believe the claims of provers who can only modify software, by using remote at- since provers may be dishonest. Valerie therefore expects testation itself [Section 4.1], and (b) in the presence that the claims are backed up by verifiable evidence in of stronger adversaries, by foregoing sender authen- the transcripts. tication [Section 4.2]. Circumventing Cryptographic Deniability with Remote Attestation 3 Informally, a deniable protocol prevents the prover enclave. Data belonging to the enclave are automati- from obtaining such evidence. This is not necessarily at cally protected when they leave the processor, ensuring odds with the requirement for authentication;
Recommended publications
  • Security & Privacy for Mobile Phones
    Security & Privacy FOR Mobile Phones Carybé, Lucas Helfstein July 4, 2017 Instituto DE Matemática E Estatística - USP What IS security? • That GRANTS THE INFORMATION YOU PROVIDE THE ASSURANCES above; • That ENSURES THAT EVERY INDIVIDUAL IN THIS SYSTEM KNOWS EACH other; • That TRIES TO KEEP THE ABOVE PROMISES forever. Security IS ... A System! • That ASSURES YOU THE INTEGRITY AND AUTHENTICITY OF AN INFORMATION AS WELL AS ITS authors; 1 • That ENSURES THAT EVERY INDIVIDUAL IN THIS SYSTEM KNOWS EACH other; • That TRIES TO KEEP THE ABOVE PROMISES forever. Security IS ... A System! • That ASSURES YOU THE INTEGRITY AND AUTHENTICITY OF AN INFORMATION AS WELL AS ITS authors; • That GRANTS THE INFORMATION YOU PROVIDE THE ASSURANCES above; 1 • That TRIES TO KEEP THE ABOVE PROMISES forever. Security IS ... A System! • That ASSURES YOU THE INTEGRITY AND AUTHENTICITY OF AN INFORMATION AS WELL AS ITS authors; • That GRANTS THE INFORMATION YOU PROVIDE THE ASSURANCES above; • That ENSURES THAT EVERY INDIVIDUAL IN THIS SYSTEM KNOWS EACH other; 1 Security IS ... A System! • That ASSURES YOU THE INTEGRITY AND AUTHENTICITY OF AN INFORMATION AS WELL AS ITS authors; • That GRANTS THE INFORMATION YOU PROVIDE THE ASSURANCES above; • That ENSURES THAT EVERY INDIVIDUAL IN THIS SYSTEM KNOWS EACH other; • That TRIES TO KEEP THE ABOVE PROMISES forever. 1 Security IS ... A System! Eve | | | Alice "Hi" <---------------> "Hi" Bob 2 Security IS ... Cryptography! Eve | | | Alice "Hi" <----"*****"------> "Hi" Bob 3 Security IS ... Impossible! The ONLY TRULY SECURE SYSTEM IS ONE THAT IS POWERED off, CAST IN A BLOCK OF CONCRETE AND SEALED IN A lead-lined ROOM WITH ARMED GUARDS - AND EVEN THEN I HAVE MY doubts.
    [Show full text]
  • Messaging Apps & Communication Platforms Comparative Analysis
    www.dka.global Messaging Apps & Communication Platforms Comparative Analysis February 2021 Table of Contents User concerns regarding privacy in messaging apps have spiked in recent years. Incidents of data breaches have alarmed many customers and forced them to reconsider their standard attitudes Introduction 3 towards messaging apps and the security of their personal information. Some situations and events have steadily Methodology of the Assessment 4 deteriorated public trust, resulting in many users wondering whether they have lost control over their own data. Messaging Apps: Score by Features 5 Users of messaging apps and platforms report concerns about Messaging Apps: Score by Security 7 businesses, advertisers and governments accessing and using their data. These growing privacy concerns have prompted Total Score 9 advocacy for tighter regulations. In addition, they have placed companies responsible for safeguarding personal data under greater scrutiny. Trade-offs between Features and Security 11 At the same time, developments in Information Technologies are Operating System, Hardware and Other Issues 13 bringing new, more sophisticated solutions for messaging and corporate communication. Corporate Communication Platforms 14 Deep Knowledge Analytics conducted its own independent analysis to identify and benchmark the most secure and Conclusions 16 convenient messaging apps.In this case study we are assessing convenience, security and accessibility of 18 popular messaging Disclaimer 17 apps. The study also features a short analysis of corporate communication platforms. Deep Knowledge Analytics 2 Introduction Messaging apps are essential for our daily activities, including business communication, personal communication, and other domains. For some specific spheres, such as journalism and protest activities, secure messaging is a central concern, of the utmost importance.
    [Show full text]
  • A Case Study Analysis: How Sweet Briar College Prevailed Over Institutional Closure
    A CASE STUDY ANALYSIS: HOW SWEET BRIAR COLLEGE PREVAILED OVER INSTITUTIONAL CLOSURE by Amanda Ray Ennis A Thesis Submitted to the Graduate Faculty of George Mason University in Partial Fulfillment of The Requirements for the Degree of Master of Arts Interdisciplinary Studies Committee: __________________________________________ Director __________________________________________ __________________________________________ __________________________________________ Program Director __________________________________________ Dean, College of Humanities and Social Sciences Date: ____________________________________ Spring Semester 2018 George Mason University Fairfax, VA Running Head: How Sweet Briar College Prevailed Over Institutional Closure A Case Study Analysis: How Sweet Briar College Prevailed Over Institutional Closure A thesis submitted in partial fulfillment of the requirements for the degree of Master of Arts in Interdisciplinary Studies at George Mason University by Amanda Ray Ennis Bachelor of Science George Mason University, 2012 Director: Jan Arminio, Professor Department of Higher Education Spring Semester 2018 George Mason University Fairfax, VA DEDICATION This thesis is dedicated to Sweet Briar College’s Pink and Green Army: the students, staff, faculty and fierce alumnae who fought and successfully saved their school – you are a true testament that anything can be accomplished through passion and perseverance; and to the strong and powerful women around the world who create change, demand equality, and never give up in fighting for what they believe in. ii ACKNOWLEDGEMENTS I would like to thank my husband, John, for his encouragement, understanding and willingness to overlook my stress clutter. To my Mom, for always answering my late night calls and more importantly for instilling in me the significance and value of being an educated women. To my Dad, for helping me find humor in any situation.
    [Show full text]
  • Co-Ordinating Developers and High-Risk Users of Privacy-Enhanced Secure Messaging Protocols Harry Halpin, Ksenia Ermoshina, Francesca Musiani
    Co-ordinating Developers and High-Risk Users of Privacy-Enhanced Secure Messaging Protocols Harry Halpin, Ksenia Ermoshina, Francesca Musiani To cite this version: Harry Halpin, Ksenia Ermoshina, Francesca Musiani. Co-ordinating Developers and High-Risk Users of Privacy-Enhanced Secure Messaging Protocols. SSR 2018 - Security Standardisation Research Conference, Nov 2018, Darmstadt, Germany. hal-01966560 HAL Id: hal-01966560 https://hal.inria.fr/hal-01966560 Submitted on 28 Dec 2018 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Co-ordinating Developers and High-Risk Users of Privacy-Enhanced Secure Messaging Protocols Harry Halpin1, Ksenia Ermoshina2, and Francesca Musiani2 1 Inria 2 Rue Simone Iff [email protected] 2 Institute for Communication Sciences, CNRS 20 rue Berbier-du-Mets 75013 Paris, France Abstract. Due to the increased deployment of secure messaging pro- tocols, differences between what developers \believe" are the needs of their users and their actual needs can have real consequences. Based on 90 interviews with both high and low-risk users, as well as the developers of popular secure messaging applications, we mapped the design choices of the protocols made by developers to the relevance of these features to threat models of both high-risk and low-risk users.
    [Show full text]
  • View 2018-2019 Academic Catalog.Pdf
    Briar Cliff University Catalog Undergraduate & Graduate Studies 2018-2019 The university insignia, work of the Briar Cliff Department of Art, sums up the goals of Briar Cliff. The cross proclaims that we are a Catholic university, dedicated to the love that gave all. The most important part of the Briar Cliff philosophy is reverence and concern for each person. This emphasis on the dignity of the individual fosters a friendly, democratic spirit that rejects class lines and racial barriers. The wavy lines indicate the location of the university in Siouxland, with the Missouri River as the western boundary. In the impressionistic eagle, the sign of the Sioux tribes who were a part of this area, we see strength and reaching for the heights. Mater Gratiae, Mother of Grace, proclaims Mary, mother of the Savior, as patroness of Briar Cliff under her title of Lady of Grace. Caritas, love, is the Franciscan call to the two great commands: love God with all your power; love your neighbor as yourself. The star speaks of striving upward for knowledge and wisdom. Briar Cliff University Catalog 1 Correspondence Directory Street Address: Briar Cliff University 3303 Rebecca Street Sioux City, Iowa 51104 Telephone: 712-279-5321 or 1-800-662-3303 Prospective Students: Office of Admissions 712-279-5200 Financial Aid: Director of Financial Aid 712-279-5239 University Relations: Toll-free: 866-5-BC-ALUM (866-522-2586) Transcripts and Class Schedules: Registrar 712-279-5447 Athletic Program: Director of Athletics 712-279-1707 Every effort is made to ensure the accuracy of information in this catalog, but Briar Cliff University reserves the authority to make changes without prior notice.
    [Show full text]
  • Instant Messaging
    Click to edit Master title style •InstantClick to Messaging edit Master Security text styles and Privacy • Second level Chat and• Third more level while safeguarding your privacy • Fourth level • Fifth level Klaus Möller WP8-T1 Webinar, 24th of September 2020 Public www.geant.org 1 | www.geant.org 24/09/20 1 Instant Messaging (IM) Introduction • Other names: Mobile Messaging or simply Online Chat • Originally: Sending (small) text messages to other users – First: on the same computer, later: world wide – User (person) had to be online to receive message ● Some systems allow delivery from server later ● Or use Chat-Bots (workaround in the beginning) • Not limited to text anymore – Photos, Sounds, Video – File transfer between users • Additional feature of Voice-/Videoconferencing systems 2 | www.geant.org Google Talk (discontinued) Tlen.pl (discontinued) WhatsApp Kik Customized Cryptocat (uses modified prosody) Google Hangouts Instant Messaging Protocols Snapchat (?) nk.pl LiveJournal Talk Gizmo5 WP Spik (discontinued) Tipic IM XMPP ● Wide variety, some notable mentions IBM Lotus Sametime Bitmessage Customized ProtonMail ● AIM Gmail ICQ Gateway Email Outlook HTTP(s) OSCAR (discontinued) Bonjour Apple mail MobileMe Yahoo! mail – As part of WebRTC or REST APIs SIMPLE Yandex.mail Skype for Business HipChat Ring AQQ SIP – MSRP Google Wave Federation Protocol (discontinued) Discord, … Libon Jingle FaceTime IRC DCC Gadu-Gadu Facebook Messenger ● SIP (Telephony) MSNP14 (discontinued) YMSG (Yahoo! Messenger) IM MQTT LINE Steam Friends protocols
    [Show full text]
  • 990-Pf, Part Iv John S
    Return of Private Foundation OMB No. 1545-0052 Form 990-PF or Section 4947(a)(1) Trust Treated as Private Foundation Department of the Treasury | Do not enter social security numbers on this form as it may be made public. 2014 Internal Revenue Service | Information about Form 990-PF and its separate instructions is at www.irs.gov/form990pf. Open to Public Inspection For calendar year 2014 or tax year beginning , and ending Name of foundation A Employer identification number JOHN S. AND JAMES L. KNIGHT FOUNDATION 65-0464177 Number and street (or P.O. box number if mail is not delivered to street address) Room/suite B Telephone number 200 SOUTH BISCAYNE BLVD, #3300 305-908-2600 City or town, state or province, country, and ZIP or foreign postal code C If exemption application is pending, check here~| MIAMI, FL 33131-2349 G Check all that apply: Initial return Initial return of a former public charity D 1. Foreign organizations, check here ~~| Final return Amended return 2. Foreign organizations meeting the 85% test, Address change Name change check here and attach computation ~~~~| H Check type of organization: X Section 501(c)(3) exempt private foundation E If private foundation status was terminated Section 4947(a)(1) nonexempt charitable trust Other taxable private foundation under section 507(b)(1)(A), check here ~| I Fair market value of all assets at end of year J Accounting method: Cash X Accrual F If the foundation is in a 60-month termination (from Part II, col. (c), line 16) Other (specify) under section 507(b)(1)(B), check here ~| | $ 2,285,572,378.
    [Show full text]
  • OSINT Handbook September 2020
    OPEN SOURCE INTELLIGENCE TOOLS AND RESOURCES HANDBOOK 2020 OPEN SOURCE INTELLIGENCE TOOLS AND RESOURCES HANDBOOK 2020 Aleksandra Bielska Noa Rebecca Kurz, Yves Baumgartner, Vytenis Benetis 2 Foreword I am delighted to share with you the 2020 edition of the OSINT Tools and Resources Handbook. Once again, the Handbook has been revised and updated to reflect the evolution of this discipline, and the many strategic, operational and technical challenges OSINT practitioners have to grapple with. Given the speed of change on the web, some might question the wisdom of pulling together such a resource. What’s wrong with the Top 10 tools, or the Top 100? There are only so many resources one can bookmark after all. Such arguments are not without merit. My fear, however, is that they are also shortsighted. I offer four reasons why. To begin, a shortlist betrays the widening spectrum of OSINT practice. Whereas OSINT was once the preserve of analysts working in national security, it now embraces a growing class of professionals in fields as diverse as journalism, cybersecurity, investment research, crisis management and human rights. A limited toolkit can never satisfy all of these constituencies. Second, a good OSINT practitioner is someone who is comfortable working with different tools, sources and collection strategies. The temptation toward narrow specialisation in OSINT is one that has to be resisted. Why? Because no research task is ever as tidy as the customer’s requirements are likely to suggest. Third, is the inevitable realisation that good tool awareness is equivalent to good source awareness. Indeed, the right tool can determine whether you harvest the right information.
    [Show full text]
  • On the Feasibility of Short-Lived Dynamic Onion Services
    2021 IEEE Symposium on Security and Privacy Workshops On the feasibility of short-lived dynamic onion services Tobias Holler,¨ Thomas Raab, Michael Roland, and Rene´ Mayrhofer Johannes Kepler University Linz Institute of Networks and Security Email: ftobias.hoeller, thomas.raab, michael.roland, [email protected] Abstract—Tor onion services utilize the Tor network to enable like Tor Messenger [2] or Ricochet [3] tried to establish incoming connections on a device without disclosing its network instant messaging with metadata-protection but did not manage location. Decentralized systems with extended privacy require- to capture significant public attention. Other projects like ments like metadata-avoiding messengers typically rely on onion services. However, a long-lived onion service address can itself be Briar [4] or cwtch [5] which follow the same approach are abused as identifying metadata. Replacing static onion services still actively developed. A renewed effort made by government with dynamic short-lived onion services may be a way to avoid officials to force organizations to grant law enforcement access such metadata leakage. This work evaluates the feasibility of to end-to-end encrypted information [6] has strengthened the short-lived dynamically generated onion services in decentralized argument for decentralized communication, because there is systems. We show, based on a detailed timing analysis of the onion service deployment process, that dynamic onion services no operator of a central server, who could be forced by law are already feasible for peer-to-peer communication in certain to compromise the confidentiality and privacy of all clients. scenarios. Especially users with increased privacy requirements against public entities like journalists, activists, or whistleblowers have I.
    [Show full text]
  • Dark Corners of the Internet a Survey of Tor Research [Archive.Org]
    The Hitchhiker’s Guide to Online Anonymity (Or “How I learned to start worrying and love privacy anonymity”) Version 1.0.4, September 2021 by AnonymousPlanet. This guide is still a work in progress. While I am working constantly to correct issues, improve the content, general structure, and readability, it will probably never be “finished”. Some parts might lack information or contain inaccuracies. Your experience may vary. Remember to check regularly for an updated version of this guide. This guide is a non-profit open-source initiative, licensed under Creative Commons Attribution-NonCommercial 4.0 International (cc-by-nc-4.0 [Archive.org]). See the license at the end of the document. • For mirrors see Appendix A6: Mirrors • For help in comparing versions see Appendix A7: Comparing versions Feel free to submit issues using GitHub Issues at: https://github.com/AnonymousPlanet/thgtoa/issues Feel free to come to discuss ideas at: • GitHub Discussions: https://github.com/AnonymousPlanet/thgtoa/discussions • Matrix/Element: ```#anonymity:matrix.org``` https://matrix.to/#/#anonymity:matrix.org Follow me on: • Twitter at https://twitter.com/AnonyPla [Nitter] (cannot guarantee this account will stay up for long tho) • Mastodon at https://mastodon.social/@anonypla. To contact me, see the updated information on the website or send an e-mail to [email protected] Please consider donating if you enjoy the project and want to support the hosting fees (for the Tor hosting and the Tor Exit node). There are several ways you could read this guide: • You want to understand the current state of online privacy and anonymity not necessarily get too technical about it: Just read the Introduction, Requirements, Understanding some basics of how some information can lead back to you and how to mitigate those, and A final editorial note sections.
    [Show full text]
  • Metadata Reduction for the Signal Protocol
    Humboldt-Universität zu Berlin Mathematisch-Naturwissenschaftliche Fakultät Institut für Informatik Metadata Reduction for the Signal Protocol Masterarbeit zur Erlangung des akademischen Grades Master of Science (M. Sc.) eingereicht von: Fabian Kaczmarczyck geboren am: 6.2.1992 geboren in: Berlin Gutachter/innen: Prof. Dr. Jens-Peter Redlich Prof. Dr. Björn Scheuermann eingereicht am: verteidigt am: The messenger Signal encrypts conversations, but the protocol leaks the social graph. This thesis proposes two modifications to hide all links between users. The first is a solution to the open problem of contact discovery. The current implementation needs its clients to upload their address books to a central server to determine who can privately talk with each other and users need to trust the server not to store this information. The second part hides the communication partners of conversations, using a pseudonymous authentication. No further user interaction is required by any of the new methods to maintain usability. 3 4 Contents 1 Introduction6 1.1 Motivation . .6 1.2 Contribution . .6 2 Background & Related Work8 2.1 Signal Protocol . .8 2.2 Private Information Retrieval . .8 2.3 Software Guard Extensions . .9 2.4 Anonymization Networks . .9 3 Design Goals 10 3.1 Goals . 10 3.2 Threat Model . 10 4 Contact Discovery 11 4.1 Blind Signatures . 11 4.2 Authentication . 11 4.3 IP Obfuscation . 13 4.4 Timing . 13 4.4.1 Discovery & Prekey Requests . 14 4.4.2 Registration . 15 4.4.3 Stamp Generation . 15 4.5 Bloom Filter . 16 5 Message Delivery 18 5.1 Statistical Attack . 19 5.2 Pseudonymous Authentication .
    [Show full text]
  • Standardising by Running Code'': the Signal Protocol and De Facto
    “Standardising by running code”: the Signal protocol and de facto standardisation in end-to-end encrypted messaging Ksenia Ermoshina, Francesca Musiani To cite this version: Ksenia Ermoshina, Francesca Musiani. “Standardising by running code”: the Signal protocol and de facto standardisation in end-to-end encrypted messaging. Internet histories, Taylor & Francis, 2019, pp.1-21. 10.1080/24701475.2019.1654697. halshs-02319701 HAL Id: halshs-02319701 https://halshs.archives-ouvertes.fr/halshs-02319701 Submitted on 18 Oct 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. “Standardizing by running code”: The Signal protocol and de facto standardization in end-to-end encrypted messaging Ksenia Ermoshina Francesca Musiani Center for Internet and Society, CNRS, Paris, France Centre Internet et Société (CIS-CNRS), 59-61 rue Pouchet, 75849 Paris cedex 17 Corresponding author email: [email protected] Ksenia Ermoshina (PhD, MINES ParisTech) is a postdoctoral researcher at the Center for Internet and Society (CIS) of the French National Centre for Scientific Research (CNRS), and is an Associate Researcher at the Citizen Lab, Munk School of Global Affairs, University of Toronto. Her research focuses on information operations within the Russian-Ukrainian armed conflict, including digital threats to journalists and civil society organizations, Internet censorship, and surveillance.
    [Show full text]