On the End-to-End Security of Group Chats
Real World Crypto 2018, 2018-01-10
Horst Görtz Institute for IT Security, Chair for Network and Data Security
Paul Rösler, Christian Mainka, Jörg Schwenk


Or: Why what is doing is (in )

slide-4
SLIDE 4

4

On the End-to-End Security of Group Chats Real World Crypto 2018 | Paul Rösler | Zürich | 05.01.2018

Secure Group Instant Messaging: End-to-End

  • Dynamic group of users
  • One central server
  • End-to-end protection within protected transport layer
  • Server potentially malicious

Agenda

▪ Security Model
▪ Protocol Overview and Weaknesses
  ▪ Signal
  ▪ WhatsApp
  ▪ (Threema)
▪ Problems and Solutions
  ▪ Traceable Delivery
  ▪ Closeness

Secure Group Instant Messaging: Two Parties

Confidentiality
  • Message Confidentiality

Integrity
  • Message Authentication
  • No Duplication
  • Traceable Delivery: “Only successful delivery is acknowledged”

Secure Group Instant Messaging: Groups

Confidentiality
  • Message Confidentiality
  • Closeness: “Only group (admin) decides on membership”

Integrity
  • Message Authentication
  • No Duplication
  • Traceable Delivery: “Only successful delivery is acknowledged”
  • No Creation

Security Model: Malicious Server

  • Malicious Server
    • Can decrypt transport layer protection
    • E.g. IM provider, TLS certificate forger on network, ...

Security Model: Compromising Attacker

  • Compromising Attacker
    • Access to members’ secrets
    • E.g. access to device, cryptanalysis, …
  • Advanced Goals:
    • Forward Secrecy
    • Future Secrecy (aka Post Compromise Security aka Backward Secrecy)

[Diagram: Traceable Delivery, Closeness (Fut. Sec.)]

Protocol Overview: Signal

  • Ciphertexts (ID static)
  • Acks (plain)
  • Group update as message
  • Forward and future secure key streams of direct communication
  • Group ID as proof of membership

Weaknesses: Signal

  • Traceable delivery by ack forgery *
  • Closeness by using compromised group ID

Protocol Overview: WhatsApp

  • Group updates plain via server
  • Forward secure key streams for each group (and sender)

Weaknesses: WhatsApp

  • Traceable delivery by ack forgery *
  • Closeness by group update forgery

Problems & Solutions: Traceable Delivery

  • Acks are not authenticated
    → Explicit authentication by delivering as content message (AE) or signing
  • * For Signal and WhatsApp with key stream (stateful encryption): key omissions in key stream are ignored
    → Ack newest in-order received message (e.g., with content messages)
    → Send negative ack (NACK) on key omission
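The acknowledgement handling proposed on this slide, as an added example that is not part of the original talk and not Signal's or WhatsApp's code: a receiver that authenticates its acks under a shared key (standing in for "delivering as content message (AE) or signing"), acks only the newest in-order message, and sends an explicit NACK for every index missing from the key stream, so that a withheld ciphertext becomes visible to the sender instead of being skipped silently. The key-stream stand-in (HMAC over an index), the two keys, the ACK/NACK encoding and the message bodies are constructed values of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed secrets for one pairwise channel (hypothetical values, not from any messenger).
CHAIN_KEY = b"constructed-chain-key"  # source of the per-message key stream
ACK_KEY = b"constructed-ack-key"      # authenticates ACKs/NACKs end-to-end


def message_key(index: int) -> bytes:
    """Stand-in for a ratchet: the index-th key of the sender's key stream."""
    return hmac.new(CHAIN_KEY, index.to_bytes(4, "big"), hashlib.sha256).digest()


def seal(index: int, body: bytes) -> dict:
    """Stand-in for authenticated encryption: bind (index, body) under the index-th key."""
    tag = hmac.new(message_key(index), index.to_bytes(4, "big") + body, hashlib.sha256).digest()
    return {"index": index, "body": body, "tag": tag}


def open_msg(msg: dict) -> bool:
    """True if the ciphertext is authentic under the key its index selects."""
    expected = hmac.new(message_key(msg["index"]),
                        msg["index"].to_bytes(4, "big") + msg["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg.get("tag", b""))


def signed_ack(kind: str, index: int) -> dict:
    """ACK/NACK carried as authenticated content instead of a plain transport ack."""
    tag = hmac.new(ACK_KEY, f"{kind}:{index}".encode(), hashlib.sha256).digest()
    return {"kind": kind, "index": index, "tag": tag}


def verify_ack(ack: dict) -> Optional[Tuple[str, int]]:
    """Parse an ack only if its tag verifies; an ack forged by the server fails here."""
    expected = hmac.new(ACK_KEY, f"{ack['kind']}:{ack['index']}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ack.get("tag", b"")):
        return None
    return ack["kind"], ack["index"]


@dataclass
class Receiver:
    delivered: Set[int] = field(default_factory=set)
    nacked: Set[int] = field(default_factory=set)
    acked_up_to: int = -1                 # highest index with no gap below it
    outbox: list = field(default_factory=list)

    def receive(self, msg: dict) -> None:
        if not open_msg(msg):
            return                        # unauthentic ciphertext: dropped
        idx = msg["index"]
        self.delivered.add(idx)
        # Key omission: every index below idx that never arrived gets an explicit NACK
        # instead of being skipped over (the behaviour the slide criticises).
        for missing in range(self.acked_up_to + 1, idx):
            if missing not in self.delivered and missing not in self.nacked:
                self.nacked.add(missing)
                self.outbox.append(signed_ack("NACK", missing))
        # Ack only the newest in-order message; an ACK for n covers 0..n.
        before = self.acked_up_to
        while self.acked_up_to + 1 in self.delivered:
            self.acked_up_to += 1
        if self.acked_up_to > before:
            self.outbox.append(signed_ack("ACK", self.acked_up_to))


@dataclass
class Sender:
    confirmed: Set[int] = field(default_factory=set)
    undelivered: Set[int] = field(default_factory=set)

    def process(self, ack: dict) -> bool:
        parsed = verify_ack(ack)
        if parsed is None:
            return False                  # forged or unauthenticated ack: ignored
        kind, idx = parsed
        if kind == "ACK":
            self.confirmed.update(range(idx + 1))
            self.undelivered -= self.confirmed
        elif kind == "NACK":
            self.undelivered.add(idx)
        return True


def run_scenario(withheld: Set[int]) -> dict:
    """Send indices 0..3; a transport that withholds some of them is simulated by `withheld`."""
    sender, receiver = Sender(), Receiver()
    for msg in (seal(i, f"constructed message {i}".encode()) for i in range(4)):
        if msg["index"] not in withheld:
            receiver.receive(msg)
    for ack in receiver.outbox:
        sender.process(ack)
    return {"acks": [(a["kind"], a["index"]) for a in receiver.outbox],
            "confirmed": sorted(sender.confirmed),
            "undelivered": sorted(sender.undelivered)}


if __name__ == "__main__":
    print(run_scenario(set()))   # nothing withheld: ACK 0, 1, 2, 3
    print(run_scenario({2}))     # index 2 withheld: ACK 0, ACK 1, NACK 2, and no ACK for 3
```

With index 2 withheld the sender ends up with 0 and 1 confirmed, 2 reported undelivered and 3 unconfirmed; if 2 arrives later the receiver's cumulative ACK jumps to 3. The NACK does not say who withheld the ciphertext, only that the key stream was not consumed contiguously, which is the property the slide asks for.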

Problems …: Closeness

Receiving according to …
  • Guest list approach
    • WhatsApp: updates sent plain
    • Manipulable by server
  • Ticket approach
    • Signal: updates accepted if group ID in message
    • Static group ID ⇒ not (future) secure against compromising attacker

… and Solutions: Closeness

  • Guest list approach
    • Authentic update messages
    • Causality [MarPoe ePrint ‘17]
      • Not desired: “reordered, delayed, or lost in normal operation” (Moxie Marlinspike)
    • At least traceable delivery
  • Ticket approach
    • At least traceable delivery
    • Future secrecy also for group secret (in addition to pairwise channels)
    • Group key exchange: [KimPerTsu TISSEC ’04], [CCGMM ePrint ‘17]
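Both closeness fixes on this slide in one added example, which is neither the paper's nor any messenger's code: a guest-list update is applied only when it carries the admin's authentication tag (the "authentic update messages" point, closing the plain-update path a malicious server could use), and the group secret that recipients check as the membership ticket is rotated with fresh entropy on every update, so a secret learned by a compromising attacker before the update stops working afterwards (the "future secrecy also for group secret" point). The epoch counter, the HMAC-based update tag, the hash-based rotation and all key values are this example's own assumptions; delivery of the fresh entropy over the members' pairwise channels is simulated by handing the same update to each member's state.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Set


@dataclass
class GroupState:
    """One member's local view of a group (constructed example, not a real messenger's state)."""
    members: Set[str]
    update_key: bytes    # assumed: shared with the admin over the members' pairwise channels
    group_secret: bytes  # the membership "ticket" recipients check; rotated on every update
    epoch: int = 0       # assumed: update counter that orders updates and blocks replays


def _update_payload(epoch: int, op: str, member: str, fresh: bytes) -> bytes:
    return b"|".join([str(epoch).encode(), op.encode(), member.encode(), fresh])


def make_update(state: GroupState, op: str, member: str) -> dict:
    """Admin side: an authenticated guest-list update carrying fresh entropy for the rotation."""
    fresh = os.urandom(16)
    epoch = state.epoch + 1
    tag = hmac.new(state.update_key, _update_payload(epoch, op, member, fresh), hashlib.sha256).digest()
    return {"epoch": epoch, "op": op, "member": member, "fresh": fresh, "tag": tag}


def apply_update(state: GroupState, update: dict) -> bool:
    """Member side: apply only authentic, next-in-sequence updates; then rotate the group secret."""
    payload = _update_payload(update["epoch"], update["op"], update["member"], update["fresh"])
    expected = hmac.new(state.update_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, update.get("tag", b"")):
        return False   # plain or forged update (what a malicious server could inject)
    if update["epoch"] != state.epoch + 1:
        return False   # replayed or out-of-order update
    if update["op"] == "add":
        state.members.add(update["member"])
    elif update["op"] == "remove":
        state.members.discard(update["member"])
    else:
        return False   # unknown operation: state untouched
    state.epoch = update["epoch"]
    # Rotation: the new secret mixes in entropy the attacker did not have when the old
    # secret leaked, so a pre-update secret no longer proves membership (future secrecy).
    state.group_secret = hashlib.sha256(state.group_secret + update["fresh"]).digest()
    return True


def membership_proof(group_secret: bytes, sender: str) -> bytes:
    """What a sender attaches to a group message in place of a static group ID."""
    return hmac.new(group_secret, sender.encode(), hashlib.sha256).digest()


def accept_group_message(state: GroupState, sender: str, proof: bytes) -> bool:
    """Recipient check: sender is on the current guest list and holds the current secret."""
    return sender in state.members and hmac.compare_digest(
        membership_proof(state.group_secret, sender), proof)


def run_scenario() -> dict:
    update_key = b"constructed-update-key"
    initial_secret = b"constructed-initial-group-secret"
    admin = GroupState({"alice", "bob"}, update_key, initial_secret)   # alice administers
    bob = GroupState({"alice", "bob"}, update_key, initial_secret)
    leaked = initial_secret   # the static "ticket" as known to a compromising attacker
    result = {}
    # A plain update relayed by the server without an admin tag is rejected.
    plain = {"epoch": 1, "op": "add", "member": "mallory", "fresh": b""}
    result["plain_update_rejected"] = not apply_update(bob, plain)
    # An authentic update is applied by every view exactly once and the views stay in sync.
    upd = make_update(admin, "add", "carol")
    result["authentic_update_applied"] = apply_update(admin, upd) and apply_update(bob, upd)
    result["replay_rejected"] = not apply_update(bob, upd)
    result["views_in_sync"] = admin.members == bob.members and admin.group_secret == bob.group_secret
    # The leaked pre-update secret no longer passes as a membership ticket.
    result["leaked_ticket_rejected"] = not accept_group_message(bob, "alice", membership_proof(leaked, "alice"))
    result["current_ticket_accepted"] = accept_group_message(bob, "alice", membership_proof(bob.group_secret, "alice"))
    result["non_member_rejected"] = not accept_group_message(bob, "mallory", membership_proof(bob.group_secret, "mallory"))
    return result


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {ok}")
```

The rotation only helps against a compromise that happened before the update: an attacker who still holds a member's device when the fresh entropy arrives learns the new secret too, which is why the slide pairs this with future-secure pairwise channels and a proper group key exchange rather than a hash chain.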

Summary

  • First security model for group instant messaging
    • Captures security and reliability
  • Description (⇒ reverse engineering) of three major IM protocols
  • Application of model to protocols
  • Revelation of discrepancies between security definition and protocols:

[Table: properties per protocol; only the column headers survived extraction: Closeness, Forward Secrecy, Future Secrecy, Traceable Delivery, No Duplication, No Creation]

ia.cr/2017/713 | @roeslpa