
    A Formal Security Analysis of the Signal Messaging Protocol

    The Signal protocol is a cryptographic messaging protocol that provides end-to-end encryption for instant messaging in WhatsApp, Wire, and Facebook Messenger among many others, serving well over 1 billion active users. Signal includes several uncommon security properties (such as future secrecy or post-compromise security), enabled by a novel technique called *ratcheting* in which session keys are updated with every message sent. We conduct a formal security analysis of Signal's initial extended triple Diffie-Hellman (X3DH) key agreement and Double Ratchet protocols as a multi-stage authenticated key exchange protocol. We extract from the implementation a formal description of the abstract protocol, and define a security model which can capture the ratcheting key update structure as a multi-stage model where there can be a tree of stages, rather than just a sequence. We then prove the security of Signal's key exchange core in our model, demonstrating several standard security properties. We have found no major flaws in the design, and hope that our presentation and results can serve as a foundation for other analyses of this widely adopted protocol.
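
    The ratcheting key-update structure described in the abstract, as an added example that is not part of the original listing or of Signal's own code. It assumes stand-ins for everything outside the ratchet itself: the X3DH handshake is replaced by a shared random root key plus Bob's prekey, X25519 by a toy modular-exponentiation group (a 127-bit Mersenne prime, far too small for real use), and Signal's AES-CBC plus HMAC message encryption by a SHAKE256 keystream with an HMAC-SHA256 tag. The KDF constants 0x01/0x02 and the order of the DH-ratchet steps follow the Double Ratchet specification. The hypothetical `post_compromise_demo` function clones one party's entire state and shows that the clone can still read the next message but loses the session after one DH round trip, which is the post-compromise security property the abstract names; the one-way chain KDF is what gives forward secrecy for message keys already derived and deleted.

```python
"""Toy Double Ratchet. Added illustration, not Signal's code: X3DH is replaced
by a shared random root key, X25519 by a deliberately tiny modular DH group,
and AES-CBC+HMAC by a SHAKE256 keystream plus HMAC tag. Only the ratchet
logic (KDF_RK, KDF_CK, DH ratchet step ordering) follows the spec."""
import copy
import hashlib
import hmac
import secrets

P = (1 << 127) - 1  # toy group: Mersenne prime 2^127-1, far too small for real use
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(16, "big")


def kdf_rk(root_key, dh_out):
    """Root-chain step: (new root key, new chain key) from a fresh DH output."""
    prk = hmac.new(root_key, dh_out, hashlib.sha256).digest()
    return (hmac.new(prk, b"root", hashlib.sha256).digest(),
            hmac.new(prk, b"chain", hashlib.sha256).digest())


def kdf_ck(chain_key):
    """Symmetric-chain step (spec's recommended KDF_CK): one-way, so a chain key
    leaked now does not reveal message keys already derived and deleted."""
    return (hmac.new(chain_key, b"\x02", hashlib.sha256).digest(),
            hmac.new(chain_key, b"\x01", hashlib.sha256).digest())


def encrypt(mk, plaintext):
    ks = hashlib.shake_256(mk).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return ct + hmac.new(mk, ct, hashlib.sha256).digest()


def decrypt(mk, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mk, ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    ks = hashlib.shake_256(mk).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class Party:
    """One endpoint: root key, current DH key pair, sending and receiving chains."""

    def __init__(self, root_key, dh_priv, dh_pub, remote_pub=None):
        self.rk, self.dh_priv, self.dh_pub = root_key, dh_priv, dh_pub
        self.remote_pub, self.cks, self.ckr = remote_pub, None, None
        if remote_pub is not None:  # initiator: sending chain from the peer's prekey
            self.rk, self.cks = kdf_rk(self.rk, dh(dh_priv, remote_pub))

    def send(self, plaintext):
        self.cks, mk = kdf_ck(self.cks)  # mk is used once and never stored
        return self.dh_pub, encrypt(mk, plaintext)

    def receive(self, sender_pub, blob):
        if sender_pub != self.remote_pub:  # new ratchet public key: DH ratchet step
            self.remote_pub = sender_pub
            self.rk, self.ckr = kdf_rk(self.rk, dh(self.dh_priv, sender_pub))
            self.dh_priv, self.dh_pub = dh_keypair()
            self.rk, self.cks = kdf_rk(self.rk, dh(self.dh_priv, sender_pub))
        self.ckr, mk = kdf_ck(self.ckr)  # in-order delivery assumed for brevity
        return decrypt(mk, blob)


def make_session():
    """Stand-in for X3DH: both sides share a root key and Bob's signed prekey."""
    root = secrets.token_bytes(32)
    bob_priv, bob_pub = dh_keypair()
    alice_priv, alice_pub = dh_keypair()
    return Party(root, alice_priv, alice_pub, bob_pub), Party(root, bob_priv, bob_pub)


def post_compromise_demo():
    """Clone Bob's whole state (full compromise), then let one DH round trip run.
    Returns (Bob reads everything, attacker reads next message, attacker reads
    the message after the ratchet). Expected: (True, True, False)."""
    alice, bob = make_session()
    bob.receive(*alice.send(b"hello"))
    alice.receive(*bob.send(b"hi"))
    attacker = copy.deepcopy(bob)  # compromise happens here
    hdr, blob = alice.send(b"reachable from leaked state")
    bob_ok = bob.receive(hdr, blob) == b"reachable from leaked state"
    read_before = attacker.receive(hdr, blob) == b"reachable from leaked state"
    alice.receive(*bob.send(b"fresh DH key"))  # Bob's new key pair heals the session
    hdr, blob = alice.send(b"healed")
    bob_ok = bob_ok and bob.receive(hdr, blob) == b"healed"
    try:
        attacker.receive(hdr, blob)
        read_after = True
    except ValueError:
        read_after = False
    return bob_ok, read_before, read_after
```

    The demo skips the spec's skipped-message-key handling, which is exactly what turns the simple sequence of chains into the tree of stages the abstract's model has to capture: each DH ratchet step forks a new sending and receiving chain off the root chain, and out-of-order delivery means several chains can be live at once.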

    Current issues in the use of private messengers in communities

    In recent years digital technologies have been changing everyday life, creating the foundations for sustainable socio-economic development of communities and territories; infrastructure and investment development cannot be imagined without the comprehensive application of modern information technologies.

    Automated Symbolic Verification of Telegram's MTProto 2.0

    MTProto 2.0 is a suite of cryptographic protocols for instant messaging at the core of the popular Telegram messenger application. In this paper we analyse MTProto 2.0 using the symbolic verifier ProVerif. We provide fully automated proofs of the soundness of MTProto 2.0's authentication, normal chat, end-to-end encrypted chat, and rekeying mechanisms with respect to several security properties, including authentication, integrity, secrecy and perfect forward secrecy; at the same time, we discover that the rekeying protocol is vulnerable to an unknown key-share (UKS) attack. We proceed in an incremental way: each protocol is examined in isolation, relying only on the guarantees provided by the previous ones and the robustness of the basic cryptographic primitives. Our research proves the formal correctness of MTProto 2.0 w.r.t. the most relevant security properties, and it can serve as a reference for implementation and analysis of clients and servers.

    HYBRID CRYPTOSYSTEMS IN CLIENT-SERVER ARCHITECTURE ON THE APPLICATION LAYER OF THE INTERNET

    Due to the increasing use of cryptography in various domains of computing, more and more advanced cryptographic algorithms, protocols, and systems are being developed, the correctness of which largely determines the confidentiality of private and business communication of an increasing number of people. In addition to the complexity of each of the cryptographic components, modern client-server architectures require their precisely executed combinations with other elements of the system that also apply cryptography for various purposes. In order to better understand the role of cryptographic primitives in modern distributed systems, this paper combines the features of basic cryptographic methods together with their applications on the application layer of the Internet. Examples of popular hybrid cryptosystems (Transport Layer Security, Secure Shell, End-to-end Encryption) present the purposes of cryptography in distributed network applications with a brief description of the main ideas used in designing such systems. The paper does not go into technical details and implementations of algorithms but contributes a concise overview of these principles and ideas with practical examples relevant to young software engineers.

    Contingent payments on a public ledger: models and reductions for automated verification

    We study protocols that rely on a public ledger infrastructure, concentrating on protocols for zero-knowledge contingent payment, whose security properties combine diverse notions of fairness and privacy. We argue that rigorous models are required for capturing the ledger semantics, the protocol-ledger interaction, the cryptographic primitives and, ultimately, the security properties one would like to achieve. Our focus is on a particular level of abstraction, where network messages are represented by a term algebra, protocol execution by state transition systems (e.g. multiset rewrite rules) and where the properties of interest can be analyzed with automated verification tools. We propose models for: (1) the rules guiding the ledger execution, taking the coin functionality of public ledgers such as Bitcoin as an example; (2) the security properties expected from ledger-based zero-knowledge contingent payment protocols; (3) two different security protocols that aim at achieving these properties relying on different ledger infrastructures; (4) reductions that allow simpler term algebras for homomorphic cryptographic schemes. Altogether, these models allow us to derive a first automated verification for ledger-based zero-knowledge contingent payment using the Tamarin prover. Furthermore, our models help in clarifying certain underlying assumptions, security and efficiency tradeoffs that should be taken into account when deploying protocols on the blockchain.

    Analysis of the attack model on the Signal protocol: an approach using logic and mCRL2

    The aim of this work was to analyse possible attacks on the Signal protocol through models built with the mCRL2 tool. The Signal protocol consists of the Extended Triple Diffie-Hellman and Double Ratchet protocols, both created in 2013. Signal, one of the first protocols to implement end-to-end encryption, is widely used in the main messaging applications, such as WhatsApp. Because of its popularity, the protocol was chosen in this work to check whether it is really secure, that is, whether an attacker can intercept all the messages exchanged between two users. The mCRL2 tool allowed the specification, visualisation, simulation and formal verification of the protocol. In this work we discuss some known interception strategies, together with an analysis of the results obtained using the mCRL2 tool.