Secure Messaging Lecture 23 Messaging Alice Bob Secure - - PowerPoint PPT Presentation

secure messaging
SMART_READER_LITE
LIVE PREVIEW

Secure Messaging Lecture 23 Messaging Alice Bob Secure - - PowerPoint PPT Presentation

Jan 10, 2024 781 likes •937 views

Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model Server/network is adversarial (but trusted identity registration needed) Windows of compromise when a party is under adversarial control (or readable

slide-1
SLIDE 1

Secure Messaging

Lecture 23

slide-2
SLIDE 2

Messaging


 Alice 
 Bob

slide-3
SLIDE 3

Corruption model Server/network is adversarial (but trusted identity registration needed) Windows of compromise when a party is under adversarial control (or readable to adversary) Messages that are sent/received while a party is corrupt are revealed to the adversary Goal: Messages sent/received prior to compromise and after compromise should remain “secure” Forward secrecy (secrecy of prior messages) and 
 “Future secrecy” (secrecy of future messages) Assumes that secure deletion is possible

Secure Messaging

slide-4
SLIDE 4

Communication model different from standard setting for TLS Many applications/services offering secure chat “Off-The-Record” messaging (2004) Signal protocol (starting 2013) Used in WhatsApp, Google Allo, Facebook Messenger, Skype (optional), etc. Some formal analysis (2017)

Secure Messaging

slide-5
SLIDE 5

Synchronous Messaging A first solution


 Alice 
 Bob

PK1

A

EncPK0

B(m1)

PK1

B

EncPK1

A(m’1)

PK2

A

EncPK1

B(m2)

PK2

B

EncPK2

A(m’2)

PK0

B should be used only once (over all senders), so that SK0 B can

be deleted after recovering m0 E.g., Alice may download PK0

B from a list of PKs hosted by a

server who deletes each PK on download

slide-6
SLIDE 6

Synchronous Messaging A first solution


 Alice 
 Bob

PK1

A

EncPK0

B(m1)

PK1

B

EncPK1

A(m’1)

PK2

A

EncPK1

B(m2)

PK2

B

EncPK2

A(m’2)

(SKi,PKi) are generated just before sending PKi and deleted right after using SKi for decryption (window for compromising SKi) At any point only one SK stored Assumes strict alternation

slide-7
SLIDE 7

An Optimization


 Alice 
 Bob

PK1

A

EncPK0

B(m1)

PK1

B

EncPK1

A(m’1)

PK2

A

EncPK1

B(m2)

PK2

B

EncPK2

A(m’2)

Consider using El Gamal encryption: PK0

B=gy, ciphertext = (gx,MK)

and PK1

A=gx’. Use gx in the ciphertext as next PK?

Can be OK when a symmetric key is derived using a random

  • racle, under stronger assumptions than DDH

included!

slide-8
SLIDE 8

Asynchronicity


 Alice 
 Bob

PK1

A

EncPK0

B(m1)

PK1

B

EncPK1

A(m’1)

PK2

A

EncPK1

B(m2)

PK2

B

EncPK2

A(m’2)

Ideally, should be able to delete the decryption key right after using it for a single decryption EncPK1

A(m’2)

SK1

A should be 


remembered until
 PK2

A ack’ed and


some time passes

PK1

B

Have to 
 continue 
 using PK1

A

Typical choice:
 Repeat PK1

B until a 


message received 
 (then don’ t use 
 derived key 
 as one-time pad!)

slide-9
SLIDE 9

Suppose Alice and Bob have shared a symmetric key Want forward secrecy without need for synchronisation Ratcheting
 Ki → Ki+1 using a "forward-secure PRG” s.t. Ki remains pseudorandom even given Ki+1 After using Ki for encryption/decryption, derive Ki+1 and delete Ki Does not help with “future secrecy”

Ratcheting

slide-10
SLIDE 10

Double Ratcheting

X1 SKEK00

B(m1)

Y1 X2 SKEK10

B(m3)

Update public-keys for every received message, and do symmetric key ratcheting for messages in between Can delete an asymmetric secret key after the second symmetric key is derived from it X1 SKEK01

B(m2)

SKEK10

A(m’

1)

Y1 SKEK11

A(m’

2)

Y0 X1

K00

B

K01

B

Y1 X1

K10

A

K11

A

Y1 X2

K10

B

K02

B

K12

A

K11

B

slide-11
SLIDE 11

Double Ratcheting

X1 SKEK00

B(m1)

Y1 X2 SKEK10

B(m3)

If messages received out of order, will need to retain symmetric keys that were ratcheted through X1 SKEK01

B(m2)

SKEK10

A(m’

1)

Y1 SKEK11

A(m’

2)

Y0 X1

K00

B

K01

B

Y1 X1

K10

A

K11

A

Y1 X2

K10

B

K02

B

K12

A

K11

B

slide-12
SLIDE 12

Messaging


 Alice 
 Bob

Need to protect against a corrupt server.

Symmetric keys are used for AEAD (e.g., using encrypt-then-MAC) Asymmetric key updates are MAC’ed using a key derived from the previous asymmetric key (Long-term) Identity key (signature verification key) should be

  • btained via (out-of-band) trusted setup
slide-13
SLIDE 13

Easy to ensure that conversation is with an entity who created a certain “identity key” (signature verification key) But in real life, want to ensure it is a certain person A malicious server can launch an adversary-in-the-middle attack Options (can use a combination): Trusted key servers: Key servers will have to verify real-life identity! Require “transparency” to deter corrupt servers. Trust-On-First-Use: problematic assumption, e.g., if server always corrupt. Manual key dissemination or via a web-of-trust Use PAKE (need shared secrets) KeyBase: proves control of social media identities instead of “real-life” identity. Enough to trust at least one service.

Establishing Identity

Initial encryption 
 PK will be signed
 with this

slide-14
SLIDE 14

Suppose Alice and Bob chat with each other. Later, Bob turns

  • ver the transcript to a “Judge”

Can Alice claim that she is not responsible for the transcript? Problem: If the messages are signed by Alice, she can’ t deny responsibility Assumption: Alice is responsible for keeping her private keys secure (and her public key is known to the Judge) Alice should not sign the messages, but only MAC them Bob also has the MAC key. So he could have faked the MACs himself More complicated if Judge observed the (encrypted) transcript between Alice and Bob.

Deniability