Circumventing Cryptographic Deniability with Remote Attestation

Lachlan J. Gunn, Ricardo Vieitez Parra, and N. Asokan

Lachlan J. Gunn: Aalto University. Ricardo Vieitez Parra: Aalto University. N. Asokan: Aalto University.

Abstract: Deniable messaging protocols allow two parties to have ‘off-the-record’ conversations without leaving any record that can convince external verifiers about what either of them said during the conversation. Recent events like the Podesta email dump underscore the importance of deniable messaging to politicians, whistleblowers, dissidents and many others. Consequently, messaging protocols like Signal and OTR are designed with cryptographic mechanisms to ensure deniable communication, irrespective of whether the communications partner is trusted.

Many commodity devices today support hardware-assisted remote attestation, which can be used to convince a remote verifier of some property locally observed on the device.

We show how an adversary can use remote attestation to undetectably generate a non-repudiable transcript from any deniable protocol (including messaging protocols) that provides sender authentication. We prove that our attack allows an adversary to convince skeptical verifiers. We describe a concrete implementation of the attack against someone using the Signal messaging protocol. We then show how to design protocols resistant to attestation-based attacks, and in particular how attestation itself can be used to restore deniability by thwarting realistic classes of adversary.

1 Introduction

There is a growing trend towards the use of communications dumps as political weapons. Transparent insertion of signatures by mail servers as an anti-spam measure [25] has made email dumps into potent weapons, as they allow readers to verify the authenticity of emails leaked by unknown or untrusted parties [3].

A deniable [24] but authenticated communications channel allows the sender of a message to authenticate themselves to the recipient without the possibility for anyone else to reliably authenticate the source of the message, even with the aid of the original intended recipient. Modern secure messaging protocols [11, 30] place great emphasis on supporting deniability. These have become popular in the wake of the Snowden disclosures [15], and in particular amongst politicians following a number of well-known email dumps [19]. Thus it is reasonable to expect that when someone wants to have a conversation without leaving a verifiable audit trail—such as when a whistleblower talks to a journalist—they may choose to use a modern deniable messaging protocol like Signal, rather than a medium such as email.

Hardware-based Trusted Execution Environments (TEEs) like ARM TrustZone and Intel SGX are widely available in commodity devices. They can support remote attestation: the ability to convince a remote verifier about properties observable locally on the device.

Deniability depends upon the ability of an adversary to lie: cryptographic deniability means nothing if a verifier can trust your communications partner to truthfully reveal what you said. Remote attestation allows even manifestly untrustworthy actors such as criminal organizations or hostile intelligence agencies to reach such a level of trustworthiness by piggybacking on a verifier’s trust in a hardware vendor; such an adversary can compromise your partner’s device, and use attestation to prove to a skeptical audience that the messages you sent to that device were not fabricated. In this paper, we show that an adversary can use remote attestation on a device (say Bob’s) to produce a publicly verifiable, non-repudiable transcript of an otherwise deniable protocol run, circumventing the deniability guarantees that the protocol provides to his communication partner (Alice). Worse still, Alice cannot detect her loss of deniability. We provide a security argument to show that the transcript resulting from the attack can convince a skeptical verifier (e.g., a journalist who does not trust Bob or some recording software on Bob’s device) of what Alice¹ said during the conversation. Furthermore, the transcript is transferable: the attacker can publish the transcript, which can be verified by anyone capable of verifying the attestation. This is at odds with the expectations of users, who assume that a remote adversary cannot obtain verifiable transcripts of their messages by compromising their contacts’ devices.

¹ As identified by the long-term identity key that she uses to authenticate herself to peers in the deniable messaging protocol.

We have implemented a working prototype of the attack using Signal as the deniable messaging protocol and Intel SGX for remote attestation. But the basic approach can circumvent the deniability guarantees of any protocol that makes use of an authenticated channel. We discuss several such examples.

We show that remote attestation itself can be used to restore deniability for Alice by preventing a realistic class of adversaries, which we call software-modifying adversaries (who can install or manipulate software on Bob’s device but cannot install new TEEs), from mounting this attack. The intuition behind the defense is for Bob’s device to attest to Alice either that it will make no further attestations about the conversation, or that the message authentication key(s) used in the session are present outside the TEE; thus any subsequent attested transcript from Bob’s device will not convince skeptical verifiers about the origin of the messages Alice sends in the session. We show that the attack cannot be defended against stronger adversaries (who can install TEEs on Bob’s device) without foregoing sender authentication in the messaging protocol.

Finally, we show that the central idea of attesting the confidentiality and behavior of secret keys can have positive applications, too. One such application is to use a TEE to ‘upgrade’ a shared-key-based message authentication code to a publicly verifiable signature, which may be useful in scenarios where resource-constrained devices (e.g., automotive microcontroller units) need to produce publicly verifiable statements (e.g., for use in accident investigation).

Our contributions are as follows:
– Removing deniability: We present a generic method for stripping the deniability of messaging protocols that provide sender authentication [Section 3.2] and a concrete implementation of it using Intel SGX and the Signal messaging protocol [Section 3.3]. We discuss several other types of deniable protocols which can be similarly attacked [Section 3.4].
– Restoring deniability: We show how we can restore deniability (a) in the presence of adversaries who can only modify software, by using remote attestation itself [Section 4.1], and (b) in the presence of stronger adversaries, by foregoing sender authentication [Section 4.2].
– Positive uses: We show that the basic pattern used in the attack has positive applications, such as allowing a TEE to ‘upgrade’ a shared-key-based message authenticator to a publicly verifiable signature [Section 5].

We also prove in Appendix A that (a) our attack results in a transcript that can convince skeptical, offline verifiers [Theorem 1], (b) any authenticated messaging protocol that does not use a TEE can be undetectably rendered non-repudiable [Theorem 2], and (c) it is not possible to defend against a hardware-modifying adversary without sacrificing sender authentication in the messaging protocol [Corollary 2].

Though we focus on deniable messaging, this observation applies to the more general zero-knowledge setting; the use of remote attestation effectively turns interactive protocols into non-interactive ones, allowing the verifier in a zero-knowledge protocol to prove to a third party any property that it can locally verify.

Today’s cryptographic deniability mechanisms are indeed secure with respect to their assumptions. But we show that it is no longer valid to assume the adversary can lie to the verifier. We hope that our work will help protocol designers to be cognizant of how this change affects the deniability guarantees that their protocols provide in real-world systems.

2 Preliminaries

2.1 Deniable protocols

We consider the following setting for secure messaging protocols: two parties, Alice and Bob, each having long-term identity keys. The messaging scheme provides the usual authenticity, integrity, and confidentiality guarantees to Alice and Bob [36]. Suppose that one party (say Bob) has recording software (which we refer to as the prover) installed on his device (possibly by an external adversary without Bob’s knowledge). The goal of the adversary is to use a protocol transcript recorded on Bob’s device to convince a skeptical third-party verifier (Valerie) that a certain message was definitely sent by Alice, the victim. Valerie is “skeptical” in the sense that she does not automatically believe the claims of provers, since provers may be dishonest. Valerie therefore expects that the claims are backed up by verifiable evidence in the transcripts.

Informally, a deniable protocol prevents the prover from obtaining such evidence. This is not necessarily at odds with the requirement for authentication;

enclave. Data belonging to the enclave are automatically protected when they leave the processor, ensuring
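The following is an added worked model of the setting just defined (Alice, Bob, the prover on Bob's device, and the skeptical verifier Valerie), of the attack pattern sketched in the Introduction (Section 3.2), of the Section 4.1 defence intuition, and of the Section 5 "MAC to signature" upgrade, which is the same pattern used constructively. It is illustrative code written for this page, not the authors' SGX/Signal prototype. Assumptions: the platform's attestation signature is replaced by a bundle of Lamport one-time signatures built from the Python standard library so that the model runs offline; the session key agreement is abstracted as a random key handed to both Alice and the enclave; CODE_ID stands in for the enclave measurement; and the field key_outside_tee models the measured prover code honestly reporting whether the MAC key has ever been visible to untrusted software, which is exactly the invariant a hardware-modifying adversary (Corollary 2) can violate.

```python
import hashlib
import hmac
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signatures stand in (assumption) for the platform attestation
# signature; a real SGX quote is ECDSA/EPID-signed, replaced here for self-containment.
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

class VendorAttestationKey:
    """Vendor's long-term attestation key, modelled as a bundle of one-time keys."""
    def __init__(self, n: int = 4):
        self._sks, self.pub = map(list, zip(*(lamport_keygen() for _ in range(n))))
        self._next = 0                     # self.pub is what Alice and Valerie trust

    def sign(self, msg: bytes):
        i, self._next = self._next, self._next + 1   # never reuse a one-time key
        return i, lamport_sign(self._sks[i], msg)

def vendor_verify(pub, msg: bytes, sig) -> bool:
    i, s = sig
    return 0 <= i < len(pub) and lamport_verify(pub[i], msg, s)

# The deniable channel: a shared-key MAC that either endpoint could have produced.
def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def serialize(stmt: dict) -> bytes:
    return stmt["measurement"] + bytes([stmt["key_outside_tee"]]) + stmt["message"]

class ProverEnclave:
    """Recording software inside the TEE (the prover). Its code is what the attestation
    measures, so an auditor of CODE_ID can rely on key_outside_tee being reported honestly."""
    CODE_ID = b"prover-enclave-v1"             # placeholder for the enclave measurement

    def __init__(self, session_key: bytes, key_outside_tee: bool):
        # False is only legitimate when the enclave itself ran the key agreement
        # (abstracted here) and never exported the key; code handed a key by untrusted
        # software must report True. Only a hardware-modifying adversary can break this.
        self._key = session_key
        self.key_outside_tee = key_outside_tee

    def export_key(self) -> bytes:
        self.key_outside_tee = True            # key now known to untrusted code
        return self._key

    def _attest(self, message: bytes, vendor: VendorAttestationKey):
        stmt = {"measurement": H(self.CODE_ID), "message": message,
                "key_outside_tee": self.key_outside_tee}
        return stmt, vendor.sign(serialize(stmt))

    def attest_key_status(self, vendor):
        """Session-start attestation sent to Alice (the defence)."""
        return self._attest(b"", vendor)

    def attest_received(self, msg: bytes, tag: bytes, vendor):
        """Attack step: verify Alice's MAC inside the TEE, then attest to the message."""
        if not hmac.compare_digest(mac(self._key, msg), tag):
            return None
        return self._attest(msg, vendor)

def statement_is_genuine(att, vendor_pub) -> bool:
    stmt, sig = att
    return vendor_verify(vendor_pub, serialize(stmt), sig) and stmt["measurement"] == H(ProverEnclave.CODE_ID)

def valerie_convinced(att, vendor_pub) -> bool:
    """Skeptical verifier: accept only if nobody outside the TEE could have forged the tag."""
    return (att is not None and statement_is_genuine(att, vendor_pub)
            and not att[0]["key_outside_tee"])

def alice_accepts_session(att, vendor_pub) -> bool:
    """Alice's check: send nothing until the device attests the key is outside the TEE."""
    return statement_is_genuine(att, vendor_pub) and att[0]["key_outside_tee"]

ALICE_MSG = b"constructed sample message from Alice"

def scenario(defended: bool) -> tuple:
    """defended=False: the attack as-is; defended=True: Bob's device exports the key and
    attests that to Alice first. Returns (Alice's check passes, Valerie is convinced)."""
    vendor, k = VendorAttestationKey(), os.urandom(32)   # k: session key shared with Alice
    enclave = ProverEnclave(k, key_outside_tee=False)
    if defended:
        enclave.export_key()
    alice_ok = alice_accepts_session(enclave.attest_key_status(vendor), vendor.pub)
    att = enclave.attest_received(ALICE_MSG, mac(k, ALICE_MSG), vendor)
    return alice_ok, valerie_convinced(att, vendor.pub)
```

scenario(False) returns (False, True): Alice's Section 4.1 check would have rejected the session, and Valerie is convinced by the attested transcript even though the channel itself was only MAC-authenticated. scenario(True) returns (True, False): once the measured enclave has attested that the key is held outside the TEE, every later transcript it produces is discarded by a skeptical verifier, and an enclave that is merely handed the key by Bob's untrusted software can never claim otherwise, which is what restores deniability against a software-modifying adversary.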
