8 research outputs found

    How Secure is TextSecure?

    Instant Messaging has gained popularity by users for both private and business communication as low-cost short message replacement on mobile devices. However, until recently, most mobile messaging apps did not protect confidentiality or integrity of the messages. Press releases about mass surveillance performed by intelligence services such as NSA and GCHQ motivated many people to use alternative messaging solutions to preserve the security and privacy of their communication on the Internet. Initially fueled by Facebook's acquisition of the hugely popular mobile messaging app WhatsApp, alternatives claiming to provide secure communication experienced a significant increase of new users. A messaging app that claims to provide secure instant messaging and has attracted a lot of attention is TextSecure. Besides numerous direct installations, its protocol is part of Android's most popular aftermarket firmware CyanogenMod. TextSecure's successor Signal continues to use the underlying protocol for text messaging. In this paper, we present the first complete description of TextSecure's complex cryptographic protocol, provide a security analysis of its three main components (key exchange, key derivation and authenticated encryption), and discuss the main security claims of TextSecure. Furthermore, we formally prove that - if key registration is assumed to be secure - TextSecure's push messaging can indeed achieve most of the claimed security goals.

    On mitigation of client-side attacks and protection of private data

    This dissertation addresses the question of how, and under what conditions, control over private data can be improved on existing computer systems. The work focuses on the areas of web and browser security, cryptographic protocols, and secure, privacy-friendly system architectures. It shows how proactive research into potential attack vectors, together with knowledge of the exact workings of the system to be protected, gained by analysing it, makes it possible to implement detection mechanisms and, where possible, protection mechanisms, and to create secure architectures.

    Futuretrust-future trust services for trustworthy global transactions

    Against the background of the regulation 2014/910/EU [EU1] on electronic identification (eID) and trusted services for electronic transactions in the internal market (eIDAS), the FutureTrust project, which is funded within the EU Framework Programme for Research and Innovation (Horizon 2020) under Grant Agreement No. 700542, aims at supporting the practical implementation of the regulation in Europe and beyond. For this purpose, the FutureTrust project will address the need for globally interoperable solutions through basic research with respect to the foundations of trust and trustworthiness, actively support the standardisation process in relevant areas, and provide Open Source software components and trustworthy services which will ease the use of eID and electronic signature technology in real world applications. The FutureTrust project will extend the existing European Trust Service Status List (TSL) infrastructure towards a "Global Trust List", develop a comprehensive Open Source Validation Service as well as a scalable Preservation Service for electronic signatures and seals. Furthermore it will provide components for the eID-based application for qualified certificates across borders, and for the trustworthy creation of remote signatures and seals in a mobile environment. The present contribution provides an overview of the FutureTrust project and invites further stakeholders to actively participate as associated partners and contribute to the development of future trust services for trustworthy global transactions.