More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema

@article{Rsler2018MoreIL,
  title={More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema},
  author={Paul R{\"o}sler and Christian Mainka and J{\"o}rg Schwenk},
  journal={2018 IEEE European Symposium on Security and Privacy (EuroS\&P)},
  year={2018},
  pages={415-429}
}
Secure instant messaging is utilized in two variants: one-to-one communication and group communication. While the first variant has received much attention lately (Frosch et al., EuroS; Cohn-Gordon et al., EuroS; Kobeissi et al., EuroS&P17), little is known about the cryptographic mechanisms and security guarantees of secure group communication in instant messaging. To approach an investigation of group instant messaging protocols, we first provide a comprehensive and realistic security model…

On the End-to-End Security of Group Chats in Instant Messaging Protocols
TLDR
This thesis investigates the group communication security mechanisms of three major messaging applications (Signal, WhatsApp, and Threema) and provides a comprehensive and realistic attacker model, revealing that strong security properties, such as Future Secrecy, do not hold for group communication.
On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees
TLDR
This work presents a design called Asynchronous Ratcheting Trees (ART), which uses tree-based Diffie-Hellman key exchange to allow a group of users to derive a shared symmetric key even if no two are ever online at the same time.
Formal Models and Verified Protocols for Group Messaging: Attacks and Proofs for IETF MLS
TLDR
This paper presents a formal framework for group messaging in the F* language and uses it to compare the security and performance of several candidate MLS protocols up to draft 7.0, and presents the first mechanically checked proof for MLS, the new asynchronous group messaging protocol.
A Formal Security Analysis of the Signal Messaging Protocol
TLDR
This work extracts from the implementation a formal description of the abstract protocol, and defines a security model which can capture the "ratcheting" key update structure, and proves the security of Signal's core in this model, demonstrating several standard security properties.
Universally Composable End-to-End Secure Messaging
TLDR
This work provides a full-fledged security analysis of the Signal end-to-end messaging protocol within the UC framework and improves on previous ones in the guarantees it provides, in its relaxed security assumptions, and in its modularity.
On the Worst-Case Inefficiency of CGKA
Continuous Group Key Agreement (CGKA) is the basis of modern Secure Group Messaging (SGM) protocols. At a high level, a CGKA protocol allows group members to continually be able to compute a shared
End-to-End Secure Mobile Group Messaging with Conversation Integrity and Deniability
TLDR
This paper describes a deployable, end-to-end secure mobile group messaging application with proofs of security, and proves that no protocol that satisfies these properties can be more scalable than Mobile CoWPI.
Key Agreement for Decentralized Secure Group Messaging with Strong Security Guarantees
TLDR
This paper defines decentralized continuous group key agreement (DCGKA), a new cryptographic primitive encompassing the core of a decentralized secure group messaging protocol, gives a practical construction of a DCGKA protocol and proves its security, and describes how to construct a full messaging protocol from DCGKA.
The Complexities of Healing in Secure Group Messaging: Why Cross-Group Effects Matter
TLDR
The design space of healing mechanisms is mapped, which leads to a promising solution based on global updates that affect all current and future groups, and post-compromise secure signatures, which allows group messaging protocols such as ART and MLS to achieve substantially stronger PCS guarantees.
Efficient Post-Compromise Security Beyond One Group
TLDR
This work lays out the design space of this complex healing problem to identify mechanisms that narrow the gap between the pairwise and group-key approaches, and provide stronger healing for both, and provides a security definition for post-compromise secure signatures and an instantiation.

References

With one it is easy, with many it gets complicated: Understanding Channel Security for Groups
TLDR
A set of formal definitions of security goals for broadcast communication is developed, capturing targets like confidentiality and authenticity, and an efficient protocol is designed that requires only reliable point-to-point links between users and a standard cryptographic building block, achieving all security goals defined in this paper.
On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees
TLDR
This work presents a design called Asynchronous Ratcheting Trees (ART), which uses tree-based Diffie-Hellman key exchange to allow a group of users to derive a shared symmetric key even if no two are ever online at the same time.
A Formal Security Analysis of the Signal Messaging Protocol
TLDR
This work extracts from the implementation a formal description of the abstract protocol, and defines a security model which can capture the "ratcheting" key update structure, and proves the security of Signal's core in this model, demonstrating several standard security properties.
SoK: Secure Messaging
TLDR
This paper evaluates and systematizes current secure messaging solutions, proposes an evaluation framework for their security, usability, and ease-of-adoption properties, and identifies three key challenges and maps the design landscape for each: trust establishment, conversation security, and transport privacy.
How Secure is TextSecure?
TLDR
It is formally proven that, if key registration is assumed to be secure, TextSecure's push messaging can indeed achieve most of the claimed security goals.
On Post-compromise Security
TLDR
This work provides the first informal and formal definitions for post-compromise security, and shows that it can be achieved in several scenarios and develops two new strong security models for two different threat models.
Guess Who's Texting You? Evaluating the Security of Smartphone Messaging Applications
TLDR
This paper analyzes nine popular mobile messaging and VoIP applications and evaluates their security models with a focus on authentication mechanisms, finding that a majority of the examined applications use the user’s phone number as a unique token to identify accounts, which further encumbers the implementation of security barriers.
Group communication specifications: a comprehensive study
TLDR
The specification framework presented in this article will help builders of group communication systems understand and specify their service semantics; the extensive survey will allow them to compare their service to others, and serve as a unified framework for the classification, analysis, and comparison of group communication systems.
Random Oracles in Constantinople: Practical Asynchronous Byzantine Agreement Using Cryptography
TLDR
A new protocol for Byzantine agreement in a completely asynchronous network is presented that makes use of new cryptographic protocols, specifically protocols for threshold signatures and coin-tossing based on the Diffie-Hellman problem.
Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach
TLDR
This work uses ProVerif and CryptoVerif to find new and previously-known weaknesses in the protocol and suggest practical countermeasures, and demonstrates that, with disciplined programming and some verification expertise, the systematic analysis of complex cryptographic web applications is now becoming practical.