Out-of-Band Authentication in Group Messaging: Computational, Statistical, Optimal
Lior Rotem, Gil Segev
Hebrew University
Major Effort: E2E-Encrypted Messaging
- Government surveillance and/or coercion
- Untrusted or corrupted messaging servers
Key challenge: Detecting man-in-the-middle attacks when setting up E2E-encrypted channels
Man-in-the-Middle Attacks
[Figure: Alice’s phone, Bob’s phone]
- Impossible to detect without any setup
Impractical to assume a trusted PKI in messaging platforms…
Out-of-Band Authentication
Practical to assume: Users can “out-of-band” authenticate one short value
[Figure: Bob, Bob’s phone, Alice’s phone]
- Users can compare a short string displayed on their devices
- Assuming that they recognize each other’s voice, this is a low-bandwidth authenticated channel
[Figure: Facebook, Telegram, Allo, Signal, WhatsApp, Wire]
Within the cryptography community:
- Considered by Rivest and Shamir in ’84 (“Interlock” protocol)
- Formalized by Vaudenay ’05 (computational security) and by Naor, Segev and Smith ’06 (statistical security)
Bounded vs. unbounded adversaries
The User-to-User Setting
- An equivalent problem: Detecting MitM attacks in message authentication
[Figure: Alice’s phone, Bob’s phone, out-of-band channel]
- Minimize user effort
- Maximize security
User-to-User Bounds
(Table: Protocols and Lower Bounds)
- Computational Security: [Vau05, PV06]
- Statistical Security: [NSS06]
This Talk: The Group Setting
- User-to-User Setting: ✓ Tightly characterized; ✓ Practical protocols deployed
- Group Setting: ? Not yet studied; x Impractical protocols deployed
Our Contributions
A framework modeling out-of-band authentication in the group setting
- Users communicate over an insecure channel
- Group administrator can out-of-band authenticate one short value to all users
- Consistent with and supported by existing messaging platforms
[Figure: out-of-band channel]
Tight bounds for out-of-band authentication in the group setting
(Table: Protocols and Lower Bounds, for Computational Security and Statistical Security)
Our computationally-secure protocol is practically relevant, and substantially improves the currently-deployed protocols:
Talk Outline
- Communication model & notions of security
- The naïve protocol
- Our protocols & lower bounds
Communication Model
[Figure: out-of-band channel]
- Insecure channel: Adversary can read, remove and insert messages
- Out-of-band channel:
  - Adversary can read, remove and delay messages, for all or for some of the users
  - Adversary cannot modify messages/insert new ones in an undetectable manner
Correctness & Security
[Figure: out-of-band channel]
- Computational vs. statistical security
The Naïve Protocol
Seems impractical…
Our Computationally-Secure Protocol
[Figure: out-of-band channel]
Example: One Possible Attack
Concurrent Non-Malleable Commitments
- Infeasible to “non-trivially correlate” concurrent executions
Our Statistical Lower Bound
[Figure: out-of-band channel]
Protocol Structure
Lemma 1: There exists a man-in-the-middle attacker that succeeds with probability
- The security of the protocol guarantees that
- The security of the protocol guarantees that
Summary
A framework modeling out-of-band authentication in the group setting
Tight bounds for out-of-band authentication in the group setting
(Table: Protocols and Lower Bounds, for Computational Security and Statistical Security)
Thank You!
https://eprint.iacr.org/2018/493