IMPROVED STRONGLY DENIABLE AUTHENTICATED KEY EXCHANGES FOR S - - PowerPoint PPT Presentation



SLIDE 1

IMPROVED STRONGLY DENIABLE AUTHENTICATED KEY EXCHANGES FOR SECURE MESSAGING

Nik Unger and Ian Goldberg

SLIDE 2

Secure Messaging

SLIDE 3

Secure Messaging

[Figure labels: Confidentiality; Authentication; Plaintext; TLS to Server; End-to End Zone; “All-Verifier” Authentication; Anonymous; Deniable Authentication (OTR, Signal)]

SLIDE 4

Why Deniability?

SLIDE 5

Deniable Messaging

A B

<B> there’s a protest about it tomorrow
<B> want to go?
<A> Yes!
<B> ok, no phones

Crypto Magic

SLIDE 6

Deniable Messaging

<B> there’s a protest about it tomorrow
<B> want to go?
<A> Yes!
<B> ok, no phones

SLIDE 7

Deniable Messaging…?

A B

SLIDE 8

Offline vs. Online Deniability

A B

<B> there’s a protest about it tomorrow
<B> want to go?
<A> Yes!
<B> ok, no phones

Crypto Magic

A B

[Panels: Offline Deniability; Online Deniability]

SLIDE 9

Deniable Messaging…?

  • See Appendix A
    – Attacks on OTRv3 and Signal

  • Also see ia.cr/2018/424:

SLIDE 10

Deniable Messaging

A B

SLIDE 11

Deniable Messaging

A B

SLIDE 12

In This Paper

  • Two new efficient key exchange protocols

Interactive Non-interactive

SLIDE 13

Security Properties

  • Confidentiality
  • Mutual authentication
  • Forward secrecy
  • Contributiveness
  • Offline and online deniability

SLIDE 14

Crypto Toolbox

  • Identity key (long-term asymmetric)
  • Ephemeral key (short-term asymmetric)
  • Diffie-Hellman shared secret
  • Shared session key (symmetric)

SLIDE 15

Crypto Toolbox

ID key Eph. key Diffie-Hellman shared secret

  • Signature: Create: need private ; Verify: need public
  • MAC: Create: need ; Verify: need
  • Ring signature: Create: need one private , , or ; Verify: need all public , , and

Sym. key
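
The ring-signature entry above (creating needs one private key, verifying needs all the public keys) can be shown in running code. This is an added example, not taken from the slides or from the authors' implementation: it uses an Abe-Ohta-Suzuki style Schnorr ring signature, which may differ from the construction in the paper. The toy group modulo 2^255 - 19, the names `keygen`, `ring_sign`, `ring_verify`, `demo` and the three-member ring are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumption): integers modulo the prime 2^255 - 19, generator 2.
# Chosen so the example needs only the standard library; not a secure group choice.
P = 2**255 - 19
N = P - 1  # exponents are reduced modulo the group order
G = 2

def keygen():
    """Return (private, public) with public = G^private mod P."""
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)

def _challenge(msg, ring, commitment):
    data = repr((msg, tuple(ring), commitment)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def ring_sign(msg, ring, k, x_k):
    """Sign msg for the whole ring using only the private key of member k."""
    n = len(ring)
    e, s = [0] * n, [0] * n
    t = secrets.randbelow(N)
    i = (k + 1) % n
    e[i] = _challenge(msg, ring, pow(G, t, P))   # real commitment g^t
    while i != k:                                # simulate every other member
        s[i] = secrets.randbelow(N)
        commitment = pow(G, s[i], P) * pow(ring[i], e[i], P) % P
        i = (i + 1) % n
        e[i] = _challenge(msg, ring, commitment)
    s[k] = (t - x_k * e[k]) % N                  # close the ring with x_k
    return e[0], s

def ring_verify(msg, ring, sig):
    """Check sig against all public keys; the signer's index is never needed."""
    e0, s = sig
    if len(s) != len(ring):
        return False
    e = e0
    for y, s_i in zip(ring, s):
        e = _challenge(msg, ring, pow(G, s_i, P) * pow(y, e, P) % P)
    return e == e0

def demo():
    keys = [keygen() for _ in range(3)]          # constructed three-member ring
    ring = [pub for _, pub in keys]
    msg = b"constructed session transcript"
    sigs = [ring_sign(msg, ring, k, keys[k][0]) for k in range(3)]
    return [ring_verify(msg, ring, sig) for sig in sigs]
```

Each of the three members can produce a signature that verifies against the same ring, so a valid signature does not show which member signed.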

SLIDE 16

Crypto Toolbox

Legend: Diffie-Hellman shared secret; Signature; MAC; Ring signature; ID key; Eph. key; Sym. key

SLIDE 17

Deniable Authenticated Key Exchanges

A B

DAKE

Secure messaging protocol

SLIDE 18

DAKEZ

A B

Shared key ( ):

SLIDE 19

DAKEZ: Authentication

A B

Shared key ( ):

Nobody else knows or , so they know

SLIDE 20

DAKEZ: Authentication

B A

Shared key ( ):

Nobody else knows or , so they know

SLIDE 21

DAKEZ: Offline Deniability

F F

Shared key ( ):

SLIDE 22

DAKEZ: Online Deniability

A

Shared key ( ):

A

B

SLIDE 23

Mobile?

SLIDE 24

Mobile Use

A B

“Prekeys” Recipient ID Message Message

SLIDE 25

ZDH

A B

Shared key ( ):

&

SLIDE 26

ZDH: Authentication

A B

Shared key ( ):

& Nobody else knows so any reader must know

SLIDE 27

Weak Forward Secrecy

A B

(Ciphertext for & )

Collect (Time passes) (Like Signal, originally)

SLIDE 28

XZDH

A B

Shared key ( ):

& &

SLIDE 29

Is This Secure?

SLIDE 30

Is This Secure?

“Yes.”

SLIDE 31

OTRv4 Adoption

  • External adoption: OTRv4 team

SLIDE 32

Performance

Columns, in order: SIGMA-R (OTRv3), DAKEZ (OTRv4), 3DH, ZDH, X3DH (Signal), XZDH (OTRv4)

Key Gen. (ms): 0.0240, 0.0440, 0.0228, 0.0429, 0.0240, 0.0444
Key Exch. (ms): 0.3478, 1.094, 0.4229, 0.778, 0.5533, 0.9217
ID Key (bytes): 32, 32, 32, 32, 32, 32
Prekey (bytes): •, 32, 32, 32 & 96, 32 & 96
Key Exch. (bytes): 272, 464, 80, 304, 80, 304

SLIDE 33

Extras in the Paper

SLIDE 34

Extras in the Paper

Quantum-resistant transitional security

A B

Efficient dual-receiver encryption

A “B”

Defeating key-compromise impersonation

Implementation details & advice

SLIDE 35

Summary

  • New key exchanges: DAKEZ, (X)ZDH
  • Secure connection, eponymous, no all-verifier authentication required? Use these!

  • Code & data: crysp.org/software/dakez_xzdh
  • Come see OTRv4 at HotPETs
  • Coming soon: group messaging

Thank you! njunger@uwaterloo.ca

SLIDE 36

You’ve Activated My Bonus Slides!!!

SLIDE 37

Limited Online Deniability

A B

“Prekeys”

Recipient ID , Auth, Msg Auth with , Auth, Msg

SLIDE 38

RSDAKE and Spawn

  • Standard model → Random oracle model
    – Obscure assumptions → common assumptions
    – Seconds → milliseconds
    – Improved security (contributiveness, forward secrecy)
  • RSDAKE → DAKEZ
  • Spawn → ZDH

SLIDE 39

DAKE Comparison

SLIDE 40

Signal Deniability

[Figure: 3DH panel with keys IKA, IKB, EKA, EKB (labels 1 2 1 3); X3DH panel with keys IKA, IKB, EKA, SPKB, OTKB (labels 1 2 1 3 4)]

SLIDE 41

Lack of Contributiveness

  • Problems with non-contributory:
    – Can coerce a client to use a known secret
    – Can use a secret known to a third-party, allowing them to decrypt without their consent
  • Non-problems with non-contributory:
    – Contributiveness does not prevent desirable bits
    – Contributiveness does not defend against weak PRNGs

SLIDE 42

ZDH

A B

Shared key ( ):

&

SLIDE 43

ZDH: Authentication

A B

Shared key ( ):

& Nobody else knows or , so they know . They also know

SLIDE 44

Mitigating KCI Attacks

A B

Shared key ( ):

SLIDE 45

Online Deniability Attack for Signal

  • (Alice is coerced by Judson)
  • Alice downloads Bob’s prekey: IKB, SPKB, Sig(IKB, Encode(SPKB))

  • Judson generates key pair with public EKA
  • Alice provably reveals DH(IKA, SPKA)
  • Alice sends EKA to Bob
  • Judson can compute the secret, Alice cannot

SLIDE 46

Quantum Transitional Security

  • Authenticate quantum KEM, like CECPQ1

SLIDE 47

DAKEZ

SLIDE 48

ZDH & XZDH