How Secure is TextSecure?

Tilman Frosch∗†, Christian Mainka†, Christoph Bader†, Florian Bergsma†, Jörg Schwenk†, Thorsten Holz†

∗G DATA Advanced Analytics GmbH, {firstname.lastname}@gdata.de
†Horst Görtz Institute for IT-Security, Ruhr University Bochum, {firstname.lastname}@rub.de

Abstract—Instant Messaging has gained popularity by users for both private and business communication as a low-cost short message replacement on mobile devices. However, until recently, most mobile messaging apps did not protect confidentiality or integrity of the messages. Press releases about mass surveillance performed by intelligence services such as NSA and GCHQ motivated many people to use alternative messaging solutions to preserve the security and privacy of their communication on the Internet. Initially fueled by Facebook's acquisition of the hugely popular mobile messaging app WHATSAPP, alternatives claiming to provide secure communication experienced a significant increase of new users. A messaging app that claims to provide secure instant messaging and has attracted a lot of attention is TEXTSECURE. Besides numerous direct installations, its protocol is part of Android's most popular aftermarket firmware CYANOGENMOD. TEXTSECURE's successor Signal continues to use the underlying protocol for text messaging. In this paper, we present the first complete description of TEXTSECURE's complex cryptographic protocol, provide a security analysis of its three main components (key exchange, key derivation and authenticated encryption), and discuss the main security claims of TEXTSECURE. Furthermore, we formally prove that—if key registration is assumed to be secure—TEXTSECURE's push messaging can indeed achieve most of the claimed security goals.

1. Introduction

For more than a decade, Instant Messaging (IM) has been an alternative to classical e-mail communication, for both private and business communication. IM has different features; most importantly, messages are delivered in real-time, but only if both parties are online. However, in contrast to security mechanisms available for e-mail such as PGP [1] and S/MIME [2], instant messages were sent unprotected: In the early days, many popular IM solutions like MSN MESSENGER and YAHOO MESSENGER did not provide any security mechanisms at all. AOL only added a protection mechanism similar to S/MIME to their IM service later on, and Trillian's SECUREIM messenger encrypted the data without providing any kind of authentication. Today, many clients implement only client-to-server encryption via TLS, although security mechanisms like Off the Record (OTR) communication [3] or SCIMP [4] providing end-to-end confidentiality and integrity are available.

With the advent of smartphones, low-cost short-message alternatives that use the data channel to communicate gained popularity. However, in the context of mobile applications, the assumption of classical instant messaging, for instance, that both parties are online at the time the conversation takes place, is no longer necessarily valid. Instead, the mobile context requires solutions that allow for asynchronous communication, where a party may be offline for a prolonged time. In this setting, existing solutions, such as OTR, are only applicable in a limited fashion.

Secure Messaging and TextSecure. In the light of the recent revelations of mass surveillance actions performed by intelligence services such as NSA and GCHQ, several secure text messaging (TM) solutions that claim not to be prone to surveillance and to offer a certain level of security have appeared on the market [5]. One of the most popular apps for secure TM is TEXTSECURE¹, an app developed by Open WhisperSystems that claims to support end-to-end security of text messages. While previously focusing on encrypted short message service (SMS) communication, Open WhisperSystems introduced data channel-based push messaging in February 2014. Thus, the app offers both an iMessage- and WhatsApp-like communication mode, providing SMS+data channel or data channel-only communications [6]. Following Facebook's acquisition of WHATSAPP, TEXTSECURE gained in popularity among the group of privacy-conscious users and currently has more than 500,000 installations via Google Play. Its encrypted messaging protocol has also been integrated into the OS-level SMS provider of CyanogenMod [7], a popular open-source aftermarket Android firmware that has been installed on about 10 million Android devices [8]. According to media reports [9], TextSecure's protocol has additionally been implemented in WhatsApp's Android client. While we did not verify this claim, in consequence the protocol's security would affect several hundred million users. Despite this popularity, the messaging protocol behind TEXTSECURE has not been rigorously reviewed so far. While the developers behind TEXTSECURE have a long history of research in computer security, a security assessment is needed to carefully review the approach.

¹ The name of the App has been changed to SIGNAL in November 2015 to be consistent with the iOS App.

Contribution. In summary, we make the following contributions:

• We are the first to completely and precisely document and analyze TEXTSECURE's secure push messaging protocol. Our description was confirmed by the developers of TEXTSECURE.

• We show that the main protocol of TEXTSECURE consists of three building blocks: A cached One-Round Key Exchange (cORKE) protocol, a secure key derivation function, and authenticated encryption. We give formal security definitions and security proofs for these blocks.

• We found subtle, but avoidable flaws in the protocol that allow for an Unknown Key-Share attack. We have documented the issues and show how they can be mitigated. They have been communicated to the developers of TEXTSECURE. We show that our proposed method of mitigation actually solves the issues.

• We discuss how and to which extent deniability, perfect forward secrecy (PFS) and future security (FS) are realized. While TEXTSECURE meets PFS and FS, deniability is only achieved partially in practice.

2. High-level Overview of TextSecure and related protocols

TEXTSECURE was previously compared [10] to the Off-the-Record Protocol (OTR) and the Silent Circle Instant Messaging Protocol (SCIMP) [11]. In the following, we discuss common elements and differences.

Figure 1: The Off-the-Record protocol (version 1), between parties $P_a$ and $P_b$.

(1) $P_a \to P_b$: $X_0, \sigma_A$, where $P_a$ chooses $x_0$, $X_0 := g^{x_0}$, $\sigma_A := \mathrm{sign}(sk_A, X_0)$.
(2) $P_b \to P_a$: $Y_0, \sigma_B$, where $P_b$ chooses $y_0$, $Y_0 := g^{y_0}$, $\sigma_B := \mathrm{sign}(sk_B, Y_0)$.
(3) $P_a \to P_b$: $X_1, c_{00}, mac_{00}$, where $P_a$ chooses $x_1$, $X_1 := g^{x_1}$, $k^e_{00} := H((Y_0)^{x_0})$, $k^m_{00} := H(k^e_{00})$, $c_{00} := \mathrm{Enc}(k^e_{00}, m_{00})$, $mac_{00} := \mathrm{MAC}(k^m_{00}, (X_1, c_{00}))$.
(4) $P_b \to P_a$: $Y_1, c_{10}, mac_{10}$, where $P_b$ chooses $y_1$, $Y_1 := g^{y_1}$, $k^e_{10} := H((X_1)^{y_0})$, $k^m_{10} := H(k^e_{10})$, $c_{10} := \mathrm{Enc}(k^e_{10}, m_{10})$, $mac_{10} := \mathrm{MAC}(k^m_{10}, (Y_1, c_{10}))$.
(5) $P_a \to P_b$: $X_2, c_{11}, mac_{11}, k^m_{00}$, where $P_a$ chooses $x_2$, $X_2 := g^{x_2}$, $k^e_{11} := H((Y_1)^{x_1})$, $k^m_{11} := H(k^e_{11})$, $c_{11} := \mathrm{Enc}(k^e_{11}, m_{11})$, $mac_{11} := \mathrm{MAC}(k^m_{11}, (X_2, c_{11}))$.
...

Off-the-Record Protocol. OTR's focus differed significantly from previous message protection mechanisms like OpenPGP and S/MIME by introducing two novel properties: Perfect Forward Secrecy and Deniability.

Figure 1 shows how the OTR protocol version 1 works: After an initial signed Diffie-Hellman (DH) key exchange, novel DH shares are exchanged with every message, and the resulting DH key is constantly changed. OTR uses malleable encryption [12] in combination with MACs (instead of digital signatures). The OTR protocol reveals the MAC keys one round later to the public. This is essential for the deniability property of the protocol: anyone can change the value of the plaintext message, as inverting bits of the ciphertext will result in an inversion of the same bits at the same positions in the plaintext. Thus, the received messages are authentic at the time of reception only (given a party verifies the first signature and the following MACs). Since the MAC keys are derived as hash values of the encryption keys, revealing MAC keys does not compromise the security of the former, and the exchanged messages remain confidential. Private DH shares $x_i$ and $y_j$ are deleted as soon as the key $k_{ij}$ has been computed. This guarantees perfect forward secrecy, since without these private shares the encryption keys cannot be recomputed from the public shares $X_i, Y_j$ later.

Di Raimondo et al. [13] showed that OTR v1 is vulnerable to an unknown key-share (UKS) attack (also called identity misbinding attack) [14]. We will discuss this kind of attack in Section 4.2. OTR version 2 did address this issue by introducing a four-message handshake that follows the SIGMA protocol paradigm [15], effectively mitigating the UKS attack. Moreover, the protocol achieves deniability: public keys and signatures are exchanged within a confidential channel, leaving no trace of participation for an eavesdropper. However, these strong capabilities come at the cost of a four-message handshake.

OTR and Mobile Messaging. Instant Messaging connections are typically short-lived and online, whereas a text messaging conversation may last for prolonged spans of time, and parties may be offline temporarily. Additionally, text messaging may be asynchronous, such that a sender sends several messages before receiving an answer.

The first adaptation needed to derive a secure text messaging protocol from OTR is to make OTR work in offline scenarios. The basic idea here is due to ElGamal [16]. Thus OTR can be adapted to an offline scenario by storing many ephemeral DH shares of each party on a server.

The second adaptation concerns key bookkeeping: In OTR, an ephemeral DH share must be protected by a MAC computed with a previous key, and must be acknowledged by the recipient B before being used by the sender A. This secure chaining of keys through MACs needs a lot of bookkeeping, as well as the acknowledgment. Here, TEXTSECURE adapts to the scenario by replacing MAC chaining by a secret value derived from long-lived $(g^a, g^b)$
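As an added example (not from the paper or from OTR's own implementation), the following Python simulation walks through rounds (3) to (5) of Figure 1 and the deniability property the text describes: MAC keys are hashes of the encryption keys, private shares are deleted after use, and once $k^m_{00}$ is published, a flipped ciphertext bit plus a fresh MAC is indistinguishable from a genuine message. It assumes a toy DH group, SHA-256 for $H$, HMAC for MAC, a hash-derived XOR keystream standing in for OTR's malleable cipher, and omits the initial signatures.

```python
import hashlib, hmac, secrets

P, G = (1 << 61) - 1, 3   # toy Mersenne-prime DH group, constructed; not secure

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def i2b(x: int) -> bytes:
    return x.to_bytes(8, "big")

def keys(peer_pub: int, my_priv: int) -> tuple[bytes, bytes]:
    """k^e := H(peer^priv), k^m := H(k^e): the derivation shown in Figure 1."""
    ke = H(i2b(pow(peer_pub, my_priv, P)))
    return ke, H(ke)

def enc(ke: bytes, m: bytes) -> bytes:
    """Stand-in for OTR's malleable AES-CTR: XOR with a hash-derived keystream."""
    stream = b"".join(H(ke, i2b(i)) for i in range(len(m) // 32 + 1))
    return bytes(a ^ b for a, b in zip(m, stream))

def mac(km: bytes, *parts: bytes) -> bytes:
    return hmac.new(km, b"".join(parts), "sha256").digest()

def run_otr_v1(m00: bytes, m10: bytes) -> dict:
    """Rounds (1)-(5) of Figure 1 for Alice (x_i) and Bob (y_j); sigma_A/sigma_B omitted."""
    x0, y0, x1, y1 = (secrets.randbelow(P - 2) + 1 for _ in range(4))
    X0, Y0, X1, Y1 = (pow(G, e, P) for e in (x0, y0, x1, y1))
    # (3) Alice: k00 from (Y0, x0); x0 is deleted right after use (PFS).
    ke00, km00 = keys(Y0, x0); del x0
    c00 = enc(ke00, m00); mac00 = mac(km00, i2b(X1), c00)
    # Bob derives the same k00 from (X0, y0), checks the MAC and decrypts.
    ke, km = keys(X0, y0)
    bob_ok = hmac.compare_digest(mac(km, i2b(X1), c00), mac00)
    bob_m00 = enc(ke, c00)
    # (4) Bob: k10 from (X1, y0); y0 is deleted afterwards.
    ke10, km10 = keys(X1, y0); del y0
    c10 = enc(ke10, m10); mac10 = mac(km10, i2b(Y1), c10)
    ke, km = keys(Y0, x1)          # Alice reaches the same k10 via (Y0)^x1
    alice_ok = hmac.compare_digest(mac(km, i2b(Y1), c10), mac10)
    alice_m10 = enc(ke, c10)
    # (5) Alice publishes k^m_00 alongside her next message (deniability).
    return dict(bob_ok=bob_ok, bob_m00=bob_m00, alice_ok=alice_ok, alice_m10=alice_m10,
                revealed_km00=km00, ke00=ke00, X1=X1, c00=c00)

def deniable_rewrite(km00: bytes, X1: int, c00: bytes, pos: int):
    """With k^m_00 public, flipping plaintext bit `pos` of c00 and re-MACing is possible for anyone."""
    c = bytearray(c00); c[pos // 8] ^= 1 << (pos % 8)
    return bytes(c), mac(km00, i2b(X1), bytes(c))
```

The rewritten ciphertext decrypts to the original plaintext with one bit inverted, which is why a received OTR message is evidence only at the moment of reception.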