a formal security analysis of the signal messaging
play

A Formal Security Analysis of the Signal Messaging Protocol Luke - PowerPoint PPT Presentation

Oct 13, 2022 •328 likes •591 views

A Formal Security Analysis of the Signal Messaging Protocol Luke Garratt Computer Science University of Oxford 1 Why what is doing is . Luke Garratt Computer Science University of Oxford 2 Professors minions* Katriel Cohn-Gordon

  1. A Formal Security Analysis of the Signal Messaging Protocol Luke Garratt Computer Science University of Oxford 1

  2. Why what is doing is . Luke Garratt Computer Science University of Oxford 2

  3. Professors minions* Katriel Cohn-Gordon Cas Cremers Luke Garratt *PhD students Douglas Stebila 3 Ben Dowling

  4. What should Signal achieve? Does it? 4

  5. Forward secrecy: 5

  6. Forward secrecy: Post-compromise security: 6

  7. Why is this useful? 7

  8. Why is this useful? Older protocols have no forward secrecy. (E.g. TLS-RSA) Adversary can store ciphertext traffic of target session, obtain long-term keys ● later and then decrypt. 8

  9. Why is this useful? Older protocols have no forward secrecy. (E.g. TLS-RSA) Adversary can store ciphertext traffic of target session, obtain long-term keys ● later and then decrypt. Newer protocols have forward secrecy. (E.g. TLS-DHE) ● Adversary must now obtain long-term keys first, wait for interesting target session and then launch a man-in-the-middle attack. 9

  10. Why is this useful? Older protocols have no forward secrecy. (E.g. TLS-RSA) Adversary can store ciphertext traffic of target session, obtain long-term keys ● later and then decrypt. Newer protocols have forward secrecy. (E.g. TLS-DHE) ● Adversary must now obtain long-term keys first, wait for interesting target session and then launch a man-in-the-middle attack. Fancy protocols have post-compromise security. (Signal?) ● Adversary must now obtain long-term keys and immediately attack and keep on attacking if it wants to compromise future targeted sessions. 10

  11. [PCS, CSF ‘16]: “Security guarantees even after your peer’s key is compromised.” 11

  12. Our Signal security model Adapted Bellare-Rogaway-style, multi-stage key exchange model. [1] Bellare and Rogaway, “Entity Authentication and Key Distribution”. [2] Fischlin and Günther, “Multi-Stage Key Exchange…”. 12

  13. Our Signal security model Our model captures: ● Adversary has full network control. 13

  14. Our Signal security model Our model captures: ● Adversary has full network control. ● Perfect forward secrecy. 14

  15. Our Signal security model Our model captures: ● Adversary has full network control. ● Perfect forward secrecy. ● Key compromise impersonation attacks. 15

  16. Our Signal security model Our model captures: ● Adversary has full network control. ● Perfect forward secrecy. ● Key compromise impersonation attacks. ● Some (but not all) random numbers can be compromised. 16

  17. Our Signal security model Our model captures: ● Adversary has full network control. ● Perfect forward secrecy. ● Key compromise impersonation attacks. ● Some (but not all) random numbers can be compromised. ● Post-compromise security. 17

  18. Main result Theorem. The Signal protocol is a secure multi-stage key exchange protocol in our model, under the GDH assumption and assuming all KDFs are random oracles. 18

  19. 19

  20. Limitations 20

  21. Limitations ● Theoretical analysis (not considering implementations). 21

  22. Limitations ● Theoretical analysis (not considering implementations). ● Long-term identity key is used in initial handshake and to sign medium-term key. We just assume for simplicity that the medium term key is authentic. 22

  23. Limitations ● Theoretical analysis (not considering implementations). ● Long-term identity key is used in initial handshake and to sign medium-term key. We just assume for simplicity that the medium term key is authentic. ● We assume honest key distribution. 23

  24. Limitations ● Theoretical analysis (not considering implementations). ● Long-term identity key is used in initial handshake and to sign medium-term key. We just assume for simplicity that the medium term key is authentic. ● We assume honest key distribution. ● Multiple devices not considered yet. 24

  25. [Signal, EuroS&P ‘17]: “Looks pretty good! (some caveats)” 25

  26. Thanks for listening 1. There’s this cool new security property called “post-compromise security”. 2. Signal Protocol achieves it in addition to other security properties. 3. But there is more to investigate. [PCS] On Post-Compromise Security . Cohn-Gordon, Cremers and Garratt. CSF ‘16. ePrint link: ia.cr/2016/221. [Signal] A Formal Security Analysis of the Signal Messaging Protocol . Cohn-Gordon, Cremers, Dowling, Garratt, and Stebila. Euro S&P ‘17. ePrint link: ia.cr/2016/1013. 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile devices Carlos Luna Grupo de Seguridad Inform atica, InCo Facultad de Ingenier a, Universidad de la Rep ublica, Uruguay Formal analysis

751 views • 56 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA IIT Delhi, Fall 2010 Lecture 1: WriCng Secure Web ApplicaCons

472 views • 25 slides
Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based NFC M-coupon Protocol Ali Alshehri and Steve Schneider Agenda Introduc?on. Approach

498 views • 25 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols Data handled by computers: Banking details Emails Messaging Adult websites Private files Mobile devices 2 Goal of dissertation Is the

758 views • 51 slides
Formal security analysis of authentication in an asynchronous communication model Bsc thesis

Formal security analysis of authentication in an asynchronous communication model Bsc thesis

Formal security analysis of authentication in an asynchronous communication model Bsc thesis presentation Jacob Wahlgren & Sam Hedin June 18 KTH 1 Outline Introduction Background Secure Data Sharing Methods Results Owner event

1.71k views • 124 slides
Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Formal Analysis of Key Integrity in PKCS#11 Andrea Falcone 1 Riccardo Focardi 1 1 Universit` a Ca Foscari di Venezia, Italy focardi@dsi.unive.it ARSPA-WITS10 Paphos, Cyprus March 27-28, 2010 Work partially supported by: Miur07

729 views • 17 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 4: Security

348 views • 34 slides
GR-INSPECTOR A SIGNAL ANALYSIS TOOLBOX FOR GNU RADIO MOTIVATION OF AUTOMATED SIGNAL ANALYSIS

GR-INSPECTOR A SIGNAL ANALYSIS TOOLBOX FOR GNU RADIO MOTIVATION OF AUTOMATED SIGNAL ANALYSIS

GR-INSPECTOR A SIGNAL ANALYSIS TOOLBOX FOR GNU RADIO MOTIVATION OF AUTOMATED SIGNAL ANALYSIS Spectrum Monitoring Explore real-world signals Easy access for beginners Live demodulation Batch processing of signals TASKS OF RECEIVING UNKNOWN

626 views • 16 slides
Methods and tools for design time and runtime formal analysis of security protocols and web

Methods and tools for design time and runtime formal analysis of security protocols and web

Methods and tools for design time and runtime formal analysis of security protocols and web applications Marco Rocchetto REsearch Group in I nformation S ecurity Department of Computer Science University of Verona, Italy Verona, May 8, 2015

731 views • 62 slides
Topics in Security: Forensic Signal Analysis Markus Kuhn, Andrew Lewis Computer Laboratory

Topics in Security: Forensic Signal Analysis Markus Kuhn, Andrew Lewis Computer Laboratory

Fact or fiction? Topics in Security: Forensic Signal Analysis Markus Kuhn, Andrew Lewis Computer Laboratory http://www.cl.cam.ac.uk/teaching/0910/R08/ Michaelmas 2009 MPhil ACS Hans D. Baumann, DOCMA 3 Real Introductory examples:

491 views • 7 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 3: Coding

527 views • 36 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 7: Using

393 views • 38 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 2: A

530 views • 41 slides
ELG3 1 2 5 Signal and System Analysis Lab2: Signal Manipulation and Graphics TA: Jungang Liu

ELG3 1 2 5 Signal and System Analysis Lab2: Signal Manipulation and Graphics TA: Jungang Liu

ELG3 1 2 5 Signal and System Analysis Lab2: Signal Manipulation and Graphics TA: Jungang Liu School of Information Technology and Engineering (SITE) Outline 1. Periodic Signals 2. Signal Combination 3. Matlab Graphing

376 views • 20 slides
Video eavesdropping- RF Y.K. Roland Tai 1. Introduction 2. History of TEMPEST 3. Type of RF

Video eavesdropping- RF Y.K. Roland Tai 1. Introduction 2. History of TEMPEST 3. Type of RF

11/8/2009 Security : Forensic Signal Analysis: MPHIL ACS 2009 Security : Forensic Signal Analysis Video eavesdropping- RF Y.K. Roland Tai 1. Introduction 2. History of TEMPEST 3. Type of RF leakages 4. Counter-measures. 5. Experiment &

828 views • 23 slides
Superintendent Evaluation Raymond G. Gordon Queensbury UFSD Board of Education President Jacinda

Superintendent Evaluation Raymond G. Gordon Queensbury UFSD Board of Education President Jacinda

Superintendent Evaluation Raymond G. Gordon Queensbury UFSD Board of Education President Jacinda H. Conboy, Esq. NYS Council of School Superintendents General Counsel Douglas W. Huntley, Ed.D. Queensbury UFSD Superintendent of Schools NYS

577 views • 29 slides
Missing Growth from Creative Destruction Philippe Aghion (LSE) Antonin Bergeaud (PSE-BdF) Timo

Missing Growth from Creative Destruction Philippe Aghion (LSE) Antonin Bergeaud (PSE-BdF) Timo

Missing Growth from Creative Destruction Philippe Aghion (LSE) Antonin Bergeaud (PSE-BdF) Timo Boppart (IIES) Peter J. Klenow (Stanford) Huiyu Li (FRB SF) 1 Bank of Italy Seminar, April 2018 1 DISCLAIMER: Opinions and conclusions herein are

763 views • 48 slides
Week 5.2, Wed, Sept 18 Homework 3 Due: September 23 rd , 2019 @ 11:59PM on Gradescope Midterm 1:

Week 5.2, Wed, Sept 18 Homework 3 Due: September 23 rd , 2019 @ 11:59PM on Gradescope Midterm 1:

Week 5.2, Wed, Sept 18 Homework 3 Due: September 23 rd , 2019 @ 11:59PM on Gradescope Midterm 1: September 25 (evening) 1 Due: September 23 (11:59PM) on Gradescope Shorter than Homework 2 Goal: Practice Greedy Algorithms before

418 views • 20 slides
Annual General Meeting 11 October 2012 Graham Kraehe AO Chairman Annual General Meeting 2012

Annual General Meeting 11 October 2012 Graham Kraehe AO Chairman Annual General Meeting 2012

Annual General Meeting 11 October 2012 Graham Kraehe AO Chairman Annual General Meeting 2012 FY12 results: guidance delivered; growth strategy momentum Sales revenue up 20% to US$5,625 million IFCO contribution, new customer wins, new

1.04k views • 74 slides
Predictor-corrector ensemble filters for high-dimensional nonlinear systems and sparse data and

Predictor-corrector ensemble filters for high-dimensional nonlinear systems and sparse data and

Predictor-corrector ensemble filters for high-dimensional nonlinear systems and sparse data and regularized ensemble Kalman filter for a wildfire model Jan Mandel University of Colorado at Denver and Health Sciences Center NCAR MMM and IMAGe

982 views • 71 slides
AI Large Practical Alan Smaill School of Informatics Sep 27 2017 Alan Smaill AI Large

AI Large Practical Alan Smaill School of Informatics Sep 27 2017 Alan Smaill AI Large

N I V E U R S E I H T T Y O H F G R E U D I B N AI Large Practical Alan Smaill School of Informatics Sep 27 2017 Alan Smaill AI Large Practical Sep 27 2017 1/16 AILP: Course Description N I V E U R S E I H

486 views • 21 slides
On Partial Sums in Cyclic Groups Douglas R. Stinson David R. Cheriton School of Computer Science

On Partial Sums in Cyclic Groups Douglas R. Stinson David R. Cheriton School of Computer Science

On Partial Sums in Cyclic Groups Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo DMD/OCW 2015 Ottawa, May 22, 2015 This talk is based on joint work with Dan Archdeacon, Jeff Dinitz and Amelia Mattern. A

459 views • 20 slides
Lecture 38 tf/idf and information retrieval Mark Hasegawa-Johnson 5/1/2020 CC-BY 4.0: you

Lecture 38 tf/idf and information retrieval Mark Hasegawa-Johnson 5/1/2020 CC-BY 4.0: you

Lecture 38 tf/idf and information retrieval Mark Hasegawa-Johnson 5/1/2020 CC-BY 4.0: you may remix or redistribute if you cite the source Outline similarity vs. semantic field: word2vec at different scales term frequency (tf): the

1.13k views • 36 slides

More recommend