A Formal Security Analysis of the Signal Messaging Protocol - PowerPoint PPT Presentation



SLIDE 1

A Formal Security Analysis of the Signal Messaging Protocol

Luke Garratt

Computer Science, University of Oxford

SLIDE 2

Why what is doing is .

Luke Garratt

Computer Science, University of Oxford

SLIDE 3

Professors: Cas Cremers, Douglas Stebila

minions* (*PhD students): Ben Dowling, Katriel Cohn-Gordon, Luke Garratt

SLIDE 4

What should Signal achieve? Does it?

SLIDES 5-6

Forward secrecy: (diagram)

Post-compromise security: (diagram)

SLIDES 7-10

Why is this useful?

Older protocols have no forward secrecy. (E.g. TLS-RSA, where the premaster secret is encrypted to the server's long-term RSA key.)

  • Adversary can store the ciphertext traffic of a target session, obtain the long-term keys later and then decrypt.

Newer protocols have forward secrecy. (E.g. TLS-DHE, where the session key comes from ephemeral Diffie-Hellman and the long-term key only authenticates.)

  • Adversary must now obtain the long-term keys first, wait for an interesting target session and then launch a man-in-the-middle attack.

Fancy protocols have post-compromise security. (Signal?)

  • Adversary must now obtain the long-term keys and immediately attack, and keep on attacking, if it wants to compromise future targeted sessions.
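The difference between the TLS-DHE and Signal attack windows, as an added toy simulation that is not code from the talk or from Signal: a bare Diffie-Hellman ratchet in which odd rounds are Alice's fresh DH step and even rounds are Bob's, plus an adversary Eve who copies Alice's whole state after a chosen round and then either only watches the wire (passive) or replaces Alice's public keys with her own on every later Alice round (active). Assumptions: finite-field DH over the RFC 2409 1024-bit MODP group stands in for X25519, a random 32-byte root key stands in for the X3DH output, there is no authentication and no symmetric message-key chain, and the names Party, conversation and rounds_known are mine.

```python
"""Toy Diffie-Hellman ratchet illustrating forward secrecy (FS) and
post-compromise security (PCS).  Added example for this page: not Signal's code
and not secure.  Finite-field DH replaces X25519, there is no authentication and
no symmetric (message-key) chain, so one "round" here is one DH ratchet step."""
import hashlib
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley group 2), generator 2.  Chosen only
# so the toy runs quickly with stdlib pow(); a real system would use X25519.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(128, "big")


def kdf(root, shared):
    # One-way root-key update: the new root reveals nothing about the old one (FS).
    return hashlib.sha256(b"toy-ratchet" + root + shared).digest()


class Party:
    """Ratchet state: current root key, own DH private key, peer's latest DH public key."""

    def __init__(self, root, priv, peer_pub):
        self.root, self.priv, self.peer_pub = root, priv, peer_pub

    def send_step(self):
        # Fresh DH key, mix the new shared secret into the root, publish the public half.
        self.priv, pub = keygen()
        self.root = kdf(self.root, dh(self.priv, self.peer_pub))
        return pub

    def recv_step(self, pub):
        self.peer_pub = pub
        self.root = kdf(self.root, dh(self.priv, pub))


def conversation(n_rounds, steal_after=None, active=False):
    """Odd rounds: Alice ratchets and sends; even rounds: Bob does.

    After round `steal_after` the adversary Eve copies Alice's entire state.  A passive
    Eve then only reads public keys off the wire; an active Eve also replaces Alice's
    public keys with her own (man-in-the-middle toward Bob) on every later Alice round.
    Returns per-round root keys for Alice, Bob and Eve (None where Eve has no key).
    """
    root0 = secrets.token_bytes(32)          # constructed stand-in for the X3DH secret
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    alice, bob, eve = Party(root0, a_priv, b_pub), Party(root0, b_priv, a_pub), None
    keys = {"alice": [], "bob": [], "eve": []}
    for r in range(1, n_rounds + 1):
        if r % 2 == 1:                      # Alice's step
            pub = alice.send_step()
            if eve is not None and active:
                pub = eve.send_step()       # Bob receives Eve's key instead of Alice's
            elif eve is not None:
                eve = None                  # Eve lacks Alice's fresh private key: locked out
            bob.recv_step(pub)
        else:                               # Bob's step
            pub = bob.send_step()
            alice.recv_step(pub)
            if eve is not None:
                eve.recv_step(pub)          # Eve holds Alice's (or her own) private key
        if r == steal_after:
            eve = Party(alice.root, alice.priv, alice.peer_pub)
        keys["alice"].append(alice.root)
        keys["bob"].append(bob.root)
        keys["eve"].append(eve.root if eve is not None else None)
    return keys


def rounds_known(keys):
    """Rounds whose root key Eve derived correctly (matching what Bob actually uses)."""
    return [r for r, (e, b) in enumerate(zip(keys["eve"], keys["bob"]), 1) if e == b]


if __name__ == "__main__":
    k = conversation(8)
    print("no compromise, Alice and Bob agree every round:", k["alice"] == k["bob"])
    print("passive Eve, state stolen after round 3, knows rounds:",
          rounds_known(conversation(8, steal_after=3)))
    print("active Eve, state stolen after round 3, knows rounds:",
          rounds_known(conversation(8, steal_after=3, active=True)))
```

With the state stolen after round 3, a passive Eve learns the round-3 key and, because she holds Alice's current private key, the round-4 key that Bob's next step produces; she cannot go backwards (round 1 and 2 keys sit behind the one-way update) and is locked out from round 5, when Alice's fresh private key enters the computation. Only the active Eve, who keeps substituting her own keys on every Alice round, stays in step with Bob for rounds 3 to 8, which is the "keep on attacking" requirement from the slide. In the real Double Ratchet the window after a compromise also covers the message keys of the current symmetric sending chain until the next DH step, so it is somewhat wider than the single round shown here.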

SLIDE 11

[PCS, CSF ‘16]: “Security guarantees even after your peer’s key is compromised.”

SLIDE 12

Our Signal security model

Adapted Bellare-Rogaway-style, multi-stage key exchange model.

[1] Bellare and Rogaway, “Entity Authentication and Key Distribution”.
[2] Fischlin and Günther, “Multi-Stage Key Exchange…”.

SLIDES 13-17

Our Signal security model

Our model captures:

  • Adversary has full network control.
  • Perfect forward secrecy.
  • Key compromise impersonation (KCI) attacks.
  • Some (but not all) random numbers can be compromised.
  • Post-compromise security.

SLIDE 18

Main result

  • Theorem. The Signal protocol is a secure multi-stage key exchange protocol in our model, under the Gap Diffie-Hellman (GDH) assumption and assuming all KDFs are random oracles.


SLIDES 20-24

Limitations

  • Theoretical analysis (not considering implementations).
  • The long-term identity key is used in the initial handshake and to sign the medium-term key (the signed prekey). We just assume for simplicity that the medium-term key is authentic.
  • We assume honest key distribution.
  • Multiple devices not considered yet.

SLIDE 25

[Signal, EuroS&P ‘17]: “Looks pretty good! (some caveats)”

SLIDE 26

Thanks for listening

1. There’s this cool new security property called “post-compromise security”.
2. Signal Protocol achieves it in addition to other security properties.
3. But there is more to investigate.

[PCS] On Post-Compromise Security. Cohn-Gordon, Cremers and Garratt. CSF ‘16. ePrint: ia.cr/2016/221.

[Signal] A Formal Security Analysis of the Signal Messaging Protocol. Cohn-Gordon, Cremers, Dowling, Garratt and Stebila. EuroS&P ‘17. ePrint: ia.cr/2016/1013.