A Formal Security Analysis of the Signal Messaging Protocol

Proceedings - 2nd IEEE European Symposium on Security and Privacy, EuroS and P 2017

Volumn , Issue , 2017, Pages 451-466

  Cohn Gordon, Katriel ^a   Cremers, Cas ^a   Dowling, Benjamin ^b   Garratt, Luke ^a   Stebila, Douglas ^c  

^a UNIVERSITY OF OXFORD   (United Kingdom)

^b UNIVERSITY OF LONDON   (United Kingdom)

^c MCMASTER UNIVERSITY   (Canada)

Author keywords

authenticated key exchange; future secrecy; messaging; multi stage key exchange; post compromise security; provable security; Signal

Indexed keywords

CRYPTOGRAPHY; SECURITY SYSTEMS; SIGNALING;

AUTHENTICATED KEY EXCHANGE; FUTURE SECRECY; KEY EXCHANGE; MESSAGING; POST-COMPROMISE SECURITY; PROVABLE SECURITY;

SIGNAL ANALYSIS;

EID: 85026636223     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/EuroSP.2017.27     Document Type: Conference Paper

References (50)

1. Christoph Bader, Dennis Hofheinz, Tibor Jager, Eike Kiltz, and Yong Li. "Tightly-Secure Authenticated Key Exchange". In: TCC 2015, Part I. Vol. 9014. LNCS. Springer, Heidelberg, Mar. 2015, pp. 629-658.
2. Chris Ballinger. ChatSecure. URL: https://chatsecure.org/ blog/chatsecure-v4-released/ (visited on 01/2017).
3. Mihir Bellare, Asha Camper Singh, Joseph Jaeger, Maya Nyayapati, and Igors Stepanovs. Ratcheted Encryption and Key Exchange: The Security of Messaging. Cryptology ePrint Archive, Report 2016/1028. http://eprint.iacr.org/2016/1028. 2016.
4. Mihir Bellare and Bennet S. Yee. "Forward-Security in Private-Key Cryptography". In: CT-RSA 2003. Vol. 2612. LNCS. Springer, Heidelberg, Apr. 2003, pp. 1-18.
5. Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. "High-Speed High-Security Signatures". In: CHES 2011. Vol. 6917. LNCS. Springer, Heidelberg, Sept. 2011, pp. 124-142.
6. Karthikeyan Bhargavan, Christina Brzuska, Cédric Fournet, Matthew Green, Markulf Kohlweiss, and Santiago Zanella-Béguelin. "Downgrade Resilience in Key-Exchange Protocols". In: 2016 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, May 2016.
7. David Bogado and Danny O'Brien. Punished for a Paradox. Mar. 2, 2016. URL: https://www.eff.org/deeplinks/2016/03/ punished-for-paradox-brazils-facebook (visited on 07/2016).
8. Nikita Borisov, Ian Goldberg, and Eric Brewer. "Off-therecord Communication, or, Why Not to Use PGP". In: WPES. Washington DC, USA: ACM, 2004, pp. 77-84.
9. Ran Canetti, Shai Halevi, and Jonathan Katz. "A Forward-Secure Public-Key Encryption Scheme". In: EUROCRYPT 2003. Vol. 2656. LNCS. Springer, Heidelberg, May 2003, pp. 255-271.
10. Katriel Cohn-Gordon, Cas Cremers, Benjamin Dowling, Luke Garratt, and Douglas Stebila. A Formal Security Analysis of the Signal Messaging Protocol. Cryptology ePrint Archive, Report 2016/1013. http://eprint.iacr.org/2016/1013. 2016.
11. Katriel Cohn-Gordon, Cas Cremers, and Luke Garratt. On Post-Compromise Security. (A shorter version of this paper appears at CSF 2016). 2016. URL: http://eprint.iacr.org/ 2016/221.
12. Conversations. URL: https://conversations.im/ (visited on 07/2016).
13. Cas Cremers and Michele Feltz. One-round Strongly Secure Key Exchange with Perfect Forward Secrecy and Deniability. Cryptology ePrint Archive, Report 2011/300. http://eprint. iacr.org/2011/300. 2011.
14. Cas Cremers, Marko Horvat, Sam Scott, and Thyla van der Merwe. "Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication". In: 2016 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, May 2016.
15. Jean Paul Degabriele, Anja Lehmann, Kenneth G. Paterson, Nigel P. Smart, and Mario Strefler. "On the Joint Security of Encryption and Signature in EMV". In: CT-RSA 2012. Vol. 7178. LNCS. Springer, Heidelberg, Feb. 2012, pp. 116-135.
16. Mario Di Raimondo, Rosario Gennaro, and Hugo Krawczyk. "Deniable authentication and key exchange". In: ACM CCS 06. ACM Press, Oct. 2006, pp. 400-409.
17. Mario Di Raimondo, Rosario Gennaro, and Hugo Krawczyk. "Secure Off-the-record Messaging". In: WPES. Alexandria, VA, USA: ACM, 2005, pp. 81-89.
18. Benjamin Dowling, Marc Fischlin, Felix Günther, and Douglas Stebila. "A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates". In: ACM CCS 15. ACM Press, Oct. 2015, pp. 1197-1210.
19. Electronic Frontier Foundation. Secure Messaging Scorecard. 2016. URL: https://www.eff.org/node/82654.
20. Facebook. Messenger Secret Conversations. Tech. rep. 2016. URL: https://fbnewsroomus.files.wordpress.com/2016/07/ secret-conversations-whitepaper-1.pdf (visited on 07/2016).
21. Tilman Frosch, Christian Mainka, Christoph Bader, Florian Bergsma, Joerg Schwenk, and Thorsten Holz. How Secure is TextSecure? Cryptology ePrint Archive, Report 2014/904. http://eprint.iacr.org/2014/904 (Version from April 5, 2016). 2014.
22. Tilman Frosch, Christian Mainka, Christoph Bader, Florian Bergsma, Jörg Schwenk, and Thorsten Holz. "How Secure is TextSecure?" In: 1st IEEE European Symposium on Security and Privacy. IEEE Computer Society Press, Mar. 2016.
23. Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, and Michael Rushanan. "Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks on Apple iMessage". In: Usenix Security 2016. 2016.
24. Matthew D. Green and Ian Miers. "Forward Secure Asynchronous Messaging from Puncturable Encryption". In: 2015 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, May 2015, pp. 305-320.
25. Tibor Jager, Florian Kohlar, Sven Schäge, and Jörg Schwenk. "On the Security of TLS-DHE in the Standard Model". In: CRYPTO 2012. Vol. 7417. LNCS. Springer, Heidelberg, Aug. 2012, pp. 273-293.
26. Tibor Jager, Jörg Schwenk, and Juraj Somorovsky. "On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption". In: ACM CCS 15. ACM Press, Oct. 2015, pp. 1185-1196.
27. Nadim Kobeissi. Cryptocat. URL: https://crypto.cat/security. html (visited on 07/2016).
28. Nadim Kobeissi, Karthikeyan Bhargavan, and Bruno Blanchet. "Automated Verification for Secure Messaging Protocols and their Implementations: A Symbolic and Computational Approach". In: 2nd IEEE European Symposium on Security and Privacy. IEEE Computer Society Press, Apr. 2017.
29. Markulf Kohlweiss, Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi. "(De-)Constructing TLS 1.3". In: INDOCRYPT 2015. Vol. 9462. LNCS. Springer, Heidelberg, Dec. 2015, pp. 85-102.
30. Hugo Krawczyk. "Cryptographic Extraction and Key Derivation: The HKDF Scheme". In: CRYPTO 2010. Vol. 6223. LNCS. Springer, Heidelberg, Aug. 2010, pp. 631-648.
31. Hugo Krawczyk. "HMQV: A High-Performance Secure Diffie-Hellman Protocol". In: CRYPTO 2005. Vol. 3621. LNCS. Springer, Heidelberg, Aug. 2005, pp. 546-566.
32. Caroline Kudla and Kenneth G. Paterson. "Modular Security Proofs for Key Agreement Protocols". In: ASIACRYPT 2005. Vol. 3788. LNCS. Springer, Heidelberg, Dec. 2005, pp. 549-565.
33. Brian A. LaMacchia, Kristin Lauter, and Anton Mityagin. "Stronger Security of Authenticated Key Exchange". In: ProvSec 2007. Vol. 4784. LNCS. Springer, Heidelberg, Nov. 2007, pp. 1-16.
34. Adam Langley. Pond. 2014. URL: https://pond.imperialviolet. org/ (visited on 06/22/2015).
35. Xinyu Li, Jing Xu, Zhenfeng Zhang, Dengguo Feng, and Honggang Hu. "Multiple Handshakes Security of TLS 1.3 Candidates". In: 2016 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, May 2016.
36. libsignal-protocol-java. GitHub repository, commit hash 4a7bc1667a68c1d8e6af0151be30b84b94fd1e38. 2016. URL: github.com/WhisperSystems/libsignal-protocol-java (visited on 07/2016).
37. Moxie Marlinspike. Advanced cryptographic ratcheting. Blog. 2013. URL: https://whispersystems.org/blog/advancedratcheting/ (visited on 07/2016).
38. Moxie Marlinspike. Open Whisper Systems partners with Google on end-to-end encryption for Allo. Blog. 2016. URL: https://whispersystems.org/blog/allo/ (visited on 07/2016).
39. Alfred Menezes and Berkant Ustaoglu. "On Reusing Ephemeral Keys in Diffie-Hellman Key Agreement Protocols". In: Int. J. Appl. Cryptol. 2.2 (Jan. 2010), pp. 154-158.
40. Vinnie Moscaritolo, Gary Belvin, and Phil Zimmermann. Silent Circle Instant Messaging Protocol Specification. Tech. rep. Archived from the original. Dec. 5, 2012. URL: https: //web.archive.org/web/20150402122917/https://silentcircle. com/ sites / default / themes / silentcircle / assets / downloads / SCIMP-paper.pdf (visited on 07/2016).
41. Kenneth G. Paterson, Jacob C. N. Schuldt, Martijn Stam, and Susan Thomson. "On the Joint Security of Encryption and Signature, Revisited". In: ASIACRYPT 2011. Vol. 7073. LNCS. Springer, Heidelberg, Dec. 2011, pp. 161-178.
42. Trevor Perrin. Double Ratchet Algorithm. GitHub wiki. 2016. URL: https://github.com/trevp/double-ratchet/wiki (visited on 07/22/2016).
43. Trevor Perrin. The XEdDSA and VXEdDSA Signature Schemes. Specification. Oct. 2016. URL: https: / / whispersystems. org / docs / specifications / xeddsa/ (visited on 07/2016).
44. Trevor Perrin and Moxie Marlinspike. The Double Ratchet Algorithm. Specification. Nov. 2016. URL: https: / / whispersystems. org / docs / specifications / doubleratchet/ (visited on 01/2017).
45. Trevor Perrin and Moxie Marlinspike. The X3DH Key Agreement Protocol. Specification. Nov. 2016. URL: https: //whispersystems.org/docs/specifications/x3dh/ (visited on 01/2017).
46. J. Reardon, D. Basin, and S. Capkun. "SoK: Secure Data Deletion". In: Security and Privacy (SP), 2013 IEEE Symposium on. May 2013, pp. 301-315.
47. Andreas Straub. OMEMO Encryption. Oct. 25, 2015. URL: https://conversations.im/xeps/multi-end.html (visited on 07/2016).
48. Nik Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Goldberg, and Matthew Smith. "SoK: Secure Messaging". In: 2015 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, May 2015, pp. 232-249.
49. Nik Unger and Ian Goldberg. "Deniable Key Exchanges for Secure Messaging". In: ACM CCS 15. ACM Press, Oct. 2015, pp. 1211-1223.
50. WhatsApp. WhatsApp Encryption Overview. Tech. rep. 2016. URL: https: / /www. Whatsapp. com / security / WhatsApp-Security-Whitepaper.pdf (visited on 07/2016).