Secure Group Communication A THESIS SUBMITTED TO THE FACULTY OF THE GRADUATE SCHOOL OF THE UNIVERSITY OF MINNESOTA BY Michael L. Schliep IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF Doctor of Philosophy Nicholas J. Hopper May, 2021 © Michael L. Schliep 2021 ALL RIGHTS RESERVED Acknowledgements Many people were involved in this dissertation and I am ever grateful for your contri- butions and support. First and foremost, my wife, Anna Wagner Schliep, thank you for all of the support you provided for me to pursue my academic interests and conclude this dissertation. I would like to thank my advisor Nick Hopper for providing the opportunity and guid- ance for this work. I would also like to thank my co-authors and collaborators: Max Schuchard, John Geddes, Shuai Li, Se Eun Oh, Ian Kariniemi, Rahul Parhi, Eugene Vasserman. Thank you for all of the conversations we have had and contributions you have provided; your collaboration was essential to this dissertation. Additionally, I am grateful for the other members of the committee, Stephen McCamant, Kangjie Lu, and Andrew Odlyzko, for your volunteered time, feedback, and discussions. Last, but certainly not least, I thank my parents, David and Denise Schliep. Your continued support and encouragement has made this possible and I would not have achieved this without you. i Dedication To Anna, I would never have finished this work without your endless support. ii Abstract Communication privacy is constantly under threat from Nation State Adversaries (NSA). This has led many platforms, such as Facebook and Apple, to implement secure conver- sation cryptographic protocols in their messaging applications. However, many of the protocols do not provide provable security and do not provide other security guarantees about the conversation. One example of a missing security property is message order consistency between all participants. In this dissertation I demonstrate practical at- tacks against a popular private messaging protocol and application (Signal). I propose two private group messing protocols with provable privacy properties for two network- ing models; online instant messaging, and mobile messaging. I show the performance of these models is practical for mutually authenticated groups ≤ 50 participants. Finally, I propose an improvement to the DP5 private presence protocol that reduces the message size from quadratic to logarithmic. iii Contents Acknowledgementsi Dedication ii Abstract iii List of Tables ix List of Figuresx 1 Introduction1 1.1 Thesis Statement...............................3 1.2 Outline....................................4 2 Background6 2.1 Networking Models..............................7 2.2 Threat Model.................................7 2.3 Security Properties..............................8 2.4 Related Work.................................9 3 Signal Messaging Protocol 12 3.1 Signal Design................................. 15 3.1.1 Prior Security Analysis....................... 16 3.1.2 Threat Model............................. 18 3.1.3 Secure Conversation Properties................... 18 3.2 Protocol Usage Attacks........................... 21 iv 3.2.1 Confidentiality............................ 23 3.2.2 Speaker Consistency Attacks.................... 27 3.3 Group Conversation Attacks......................... 29 3.3.1 Mitigations.............................. 32 3.4 Traffic Analysis................................ 34 3.4.1 Censorship Circumvention...................... 34 3.4.2 Conversation Metadata....................... 36 4 Synchronous Secure Communication 38 4.1 Private Group Instant Messaging...................... 41 4.1.1 Goals................................. 41 4.1.2 Prior Secure Messaging Protocols.................. 43 4.1.3 System Model............................. 45 4.1.4 Threat Model............................. 45 4.2 Design..................................... 46 4.2.1 Strawman Design........................... 46 4.2.2 Primitives............................... 47 4.2.3 Overview............................... 48 4.2.4 SYM-GOTR Protocol........................ 49 4.2.5 User Authentication......................... 55 4.3 Security.................................... 57 4.3.1 Confidentiality............................ 58 4.3.2 Message Integrity and Authentication............... 58 4.3.3 Participant Consistency....................... 59 4.3.4 Forward and Backward Secrecy................... 59 4.3.5 Participant Repudiation....................... 59 4.3.6 Message Repudiation......................... 60 4.3.7 Message Unlinkability........................ 60 4.3.8 Global Transcript........................... 62 4.3.9 GOTR Improvements........................ 62 4.4 Performance Evaluation........................... 63 4.4.1 Setup................................. 65 v 4.4.2 Broadcast............................... 65 4.4.3 CPU Usage.............................. 66 4.4.4 Complexity.............................. 66 4.4.5 Practical Example.......................... 66 4.5 Discussion................................... 67 4.5.1 Usability............................... 68 4.5.2 Key Verification........................... 68 4.6 Proofs of Security............................... 68 4.6.1 Assumptions............................. 71 4.6.2 Model................................. 72 4.6.3 Confidentiality............................ 73 4.6.4 Integrity and Authentication.................... 75 4.6.5 Participant Consistency....................... 77 4.6.6 Perfect Forward Secrecy....................... 78 4.6.7 Backward Secrecy.......................... 79 4.7 Usability.................................... 81 4.7.1 Secure Group Setup......................... 84 4.7.2 Receiving Messages.......................... 85 5 Mobile Communication With Privacy and Integrity 88 5.1 Mobile Secure Messaging........................... 89 5.1.1 Mobile Messaging Model....................... 89 5.1.2 Multi-providers for conversation integrity............. 90 5.1.3 Service Availability.......................... 91 5.1.4 Threat Model............................. 91 5.1.5 Security Properties.......................... 92 5.2 Design..................................... 93 5.2.1 Overview............................... 93 5.2.2 Message Order............................ 94 5.2.3 Primitives............................... 95 5.2.4 Registration.............................. 96 5.2.5 Two Party Ciphertext Blocks.................... 96 vi 5.2.6 OES Authentication Block..................... 98 5.2.7 Setup Message............................ 99 5.2.8 Receipt Message........................... 100 5.2.9 Conversation Message........................ 101 5.2.10 Participant Update Message..................... 101 5.2.11 Two Party Channels......................... 102 5.2.12 Long-term Key Verification..................... 104 5.3 Security.................................... 105 5.3.1 Message Confidentiality....................... 106 5.3.2 Message Authentication and Integrity............... 106 5.3.3 Forward Secrecy........................... 107 5.3.4 Post-Compromise Secrecy...................... 108 5.3.5 Conversation Integrity........................ 108 5.3.6 Participant Consistency....................... 110 5.3.7 Deniability.............................. 110 5.4 Evaluation................................... 112 5.4.1 Scalability............................... 114 5.5 Discussion................................... 114 5.5.1 Limitations of Group Key Agreements............... 114 5.5.2 Multiple Providers.......................... 115 5.5.3 Denial of Service........................... 116 5.6 Formal definitions and proofs........................ 116 5.6.1 Security Assumptions........................ 117 5.6.2 Message Confidentiality....................... 118 5.6.3 Message Integrity and Authentication............... 124 5.6.4 Conversation Integrity........................ 128 5.6.5 Deniability.............................. 132 5.6.6 Message Unlinkability........................ 135 6 Private Presence 137 6.1 Goals..................................... 139 6.1.1 DP5 Overview............................ 139 vii 6.1.2 Threat Model............................. 140 6.1.3 Security Goals............................ 141 6.1.4 Related Work............................. 142 6.2 The MP3 Protocol.............................. 143 6.2.1 Overview............................... 143 6.2.2 Cryptographic Primitives...................... 144 6.2.3 Dynamic Broadcast Encryption................... 146 6.2.4 Setup................................. 147 6.2.5 Long-term Epoch........................... 148 6.2.6 Short-term Epoch.......................... 152 6.2.7 Details................................. 153 6.3 Experimental Results............................. 157 6.4 Modifications to Dynamic Broadcast Encryption............. 158 6.5 Availability Against Malicious Parties................... 159 7 Future Work and Final Remarks 161 References 164 viii List of Tables 3.1 Algorithms.................................. 27 4.1 Asymptotic complexity for each operation. The top line is the size of the broadcast message and the bottom is the maximum number of p2p mes- sages sent by an individual. All p2p messages are of constant size. The last two columns represent the computational complexity of the operation. 67 6.1 Bandwidth complexities comparing MP3 and DP5 as a function of N, Nfmax, Nrev, and Nunrev............................ 160 ix List of Figures 1.1 Speaker inconsistency in a conversation...................3 3.1 Speaker inconsistency