SoK: Secure Messaging

@article{Unger2015SoKSM,
  title={SoK: Secure Messaging},
  author={Nik Unger and Sergej Dechand and Joseph Bonneau and Sascha Fahl and Henning Perl and Ian Goldberg and Matthew Smith},
  journal={2015 IEEE Symposium on Security and Privacy},
  year={2015},
  pages={232-249}
}
Motivated by recent revelations of widespread state surveillance of personal communication, many solutions now claim to offer secure and private messaging. This includes both a large number of new projects and many widely adopted tools that have added security features. The intense pressure in the past two years to deliver solutions quickly has resulted in varying threat models, incomplete objectives, dubious security claims, and a lack of broad perspective on the existing cryptographic… 

Tables from this paper

Poster: Can Johnny Authenticate?
TLDR
A between-subjects study is conducted to analyze in detail how well users can locate and complete the authentication ceremony when they are aware of the need for authentication, and finds differences in key verification success rates.
SoK: Securing Email -- A Stakeholder-Based Analysis (Extended Version)
TLDR
The tussle among stakeholders is used to explain the evolution of fragmented secure email solutions undertaken by industry, academia, and independent developers, and it is concluded that a one-size-fits-all solution is unlikely.
Privacy and data protection in smartphone messengers
TLDR
This paper analyzed the most prominent messenger apps with respect to privacy concepts, focusing not only on the transmission layer regarding the support of encrypted communication, but also attacks targeting the communication metadata, e.g. detecting the existence of communication between users.
A Comparison of Secure Messaging Protocols and Implementations
TLDR
This thesis investigates protocols for end-to-end encrypted instant messaging, focusing on the existing implementations of one of the recent and popular such protocols, called Signal, and analyzing the most used secure messaging applications.
Practical Traffic Analysis Attacks on Secure Messaging Applications
TLDR
This paper devise traffic analysis attacks that enable an adversary to identify administrators as well as members of target IM channels with high accuracies, and designed and deployed an open-source, publicly available countermeasure system, called IMProxy, that can be used by IM clients with no need for any support from IM providers.
SoK: Securing Email - A Stakeholder-Based Analysis
TLDR
A fresh look at the state of secure email is taken and open problems in the area are discussed.
Obstacles to the Adoption of Secure Communication Tools
TLDR
It is found that the adoption of secure communication tools is hindered by fragmented user bases and incompatible tools, and the vast majority of participants did not understand the essential concept of end-to-end encryption, limiting their motivation to adopt secure tools.
Secure Complaint-Enabled Source-Tracking for Encrypted Messaging
TLDR
This paper presents an alternative to message traceback that offers more privacy to users and requires less platform-side storage, and formalizes security goals for source-tracking schemes and design and implement two source- tracking schemes with different security and performance tradeoffs.
Systematization of Threats and Requirements for Private Messaging with Untrusted Servers: The Case of e-Mailing and Instant Messaging
TLDR
A list of threats against message delivering, archiving, and contact synchronization and a list of requirements intended for whom undertakes the task of implementing secure and private messaging are described.
Forward-Secure Puncturable Identity-Based Encryption for Securing Cloud Emails
TLDR
This paper formalizes a new cryptographic primitive named forward-secure puncturable identity-based encryption (fs-PIBE) for enhancing the security and privacy of cloud email systems, and proposes a concrete construction of fs-P IBE with constant size of ciphertext, to prove its security in the standard model.
...
...

References

SHOWING 1-10 OF 180 REFERENCES
How Secure is TextSecure?
TLDR
It is formally prove that - if key registration is assumed to be secure - TextSecure's push messaging can indeed achieve most of the claimed security goals.
SafeSlinger: easy-to-use and secure public-key exchange
TLDR
SafeSlinger is a system leveraging the proliferation of smartphones to enable people to securely and privately exchange their public keys, which establishes a secure channel offering secrecy and authenticity, which is used to support secure messaging and file exchange.
Off-the-record communication, or, why not to use PGP
TLDR
This paper presents a protocol for secure online communication, called "off-the-record messaging", which has properties better-suited for casual conversation than do systems like PGP or S/MIME.
Secure Group Instant Messaging Using Cryptographic Primitives
TLDR
A scheme, IBECRT, is proposed, which uses ID-based encryption and the Chinese Remainder Theorem, and achieves uniform work-load distribution and hiding the users' identity in a conference, authentication of senders, and integrity protection of the messages exchanged.
Johnny 2: a user test of key continuity management with S/MIME and Outlook Express
TLDR
The first user study of KCM-secured email is presented, conducted on naïve users who had no previous experience with secure email, and concludes that KCM is a workable model for improving email security today, but work is needed to alert users to "phishing" attacks.
CONIKS: A Privacy-Preserving Consistent Key Service for Secure End-to-End Communication
TLDR
This work presents CONIKS, a system that provides automated key management for end users capable of seamless integration into existing secure messaging applications and preserves user’s privacy by ensuring that adversaries cannot harvest large numbers of usernames from the directories.
A user study of off-the-record messaging
TLDR
A user study of the OTR plugin for the Pidgin instant messaging client using the think aloud method finds a variety of usability flaws remaining in the design of OTR and discusses how these errors can be repaired, as well as identifies an area that requires further research to improve its usability.
Security Analysis of Accountable Anonymity in Dissent
TLDR
The improved and hardened dissent protocol systematically addresses the delicate balance between provably hiding the identities of well-behaved users, while provably revealing the identity of disruptive users, a challenging task because many forms of misbehavior are inherently undetectable.
Multi-party off-the-record messaging
TLDR
This paper identifies the properties of multi-party private meetings, the differences not only between the physical and electronic medium but also between two- and multi- party scenarios, which have important implications for the design of private chatrooms.
Proactively Accountable Anonymous Messaging in Verdict
TLDR
Verdict is presented, the first practical anonymous group communication system built using proactively verifiable DC-nets: participants use public-key cryptography to construct DC-net ciphertexts, and use zero-knowledge proofs of knowledge to detect and exclude misbehavior before disruption.
...
...