Out-of-Band Authentication in Group Messaging: Computational, Statistical, Optimal
Extensive efforts are currently put into securing messaging platforms, where a key challenge is that of protecting against man-in-the-middle attacks when setting up secure end-to-end channels. The vast majority of these efforts, however, have so far focused on securing user-to-user messaging, and recent attacks indicate that the security of group messaging is still quite fragile.
We initiate the study of out-of-band authentication in the group setting, extending the user-to-user setting where messaging platforms (e.g., Telegram and WhatsApp) protect against man-in-the-middle attacks by assuming that users have access to an external channel for authenticating one short value (e.g., two users who recognize each other’s voice can compare a short value). Inspired by the frameworks of Vaudenay (CRYPTO ’05) and Naor et al. (CRYPTO ’06) in the user-to-user setting, we assume that users communicate over a completely-insecure channel, and that a group administrator can out-of-band authenticate one short message to all users. An adversary may read, remove, or delay this message (for all or for some of the users), but cannot undetectably modify it.
Within our framework we establish tight bounds on the tradeoff between the adversary’s success probability and the length of the out-of-band authenticated message (which is a crucial bottleneck given that the out-of-band channel is of low bandwidth). We consider both computationally-secure and statistically-secure protocols, and for each flavor of security we construct an authentication protocol and prove a lower bound showing that our protocol achieves essentially the best possible tradeoff.
In particular, considering groups that consist of an administrator and k additional users, for statistically-secure protocols we show that at least \((k+1)\cdot (\log (1/\epsilon ) - \varTheta (1))\) bits must be out-of-band authenticated, whereas for computationally-secure ones \(\log (1/\epsilon ) + \log k\) bits suffice, where \(\epsilon \) is the adversary’s success probability. Moreover, instantiating our computationally-secure protocol in the random-oracle model yields an efficient and practically-relevant protocol (which, alternatively, can also be based on any one-way function in the standard model).
- [BR93]Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73 (1993)Google Scholar
- [BSJ+17]Bellare, M., Singh, A.C., Jaeger, J., Nyayapati, M., Stepanovs, I.: Ratcheted encryption and key exchange: the security of messaging. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 619–650. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_21CrossRefGoogle Scholar
- [CCD+17]Cohn-Gordon, K., Cremers, C.J.F., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the Signal messaging protocol. In: Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P), pp. 451–466 (2017)Google Scholar
- [CGCG+17]Cohn-Gordon, K., Cremers, C., Garratt, L., Millican, J., Milner, K.: On ends-to-ends encryption: Asynchronous group messaging with strong security guarantees. Cryptology ePrint Archive, Report 2017/666 (2017)Google Scholar
- [CIO98]Crescenzo, G.D., Ishai, Y., Ostrovsky, R.: Non-interactive and non-malleable commitment. In: Proceedings of the 30th Annual ACM Symposium on Theory of Computing, pp. 141–150 (1998)Google Scholar
- [DG03]Damgard, I., Groth, J.: Non-interactive and reusable non-malleable commitment schemes. In: Proceedings of the 35th Annual ACM Symposium on Theory of Computing, pp. 426–437 (2003)Google Scholar
- [Ell96]Ellison, C.M.: Establishing identity without certification authorities. In: Proceedings of the 6th USENIX Security Symposium, p. 7 (1996)Google Scholar
- [FMB+16]Frosch, T., Mainka, C., Bader, C., Bergsma, F., Schwenk, J., Holz, T.: How secure is TextSecure? In: Proceedings of the 1st IEEE European Symposium on Security and Privacy (EuroS&P), pp. 457–472 (2016)Google Scholar
- [Goy11]Goyal, V.: Constant round non-malleable protocols using one way functions. In: Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pp. 695–704 (2011)Google Scholar
- [Gre18a]Green, M.: Attack of the week: Group messaging in WhatsApp and Signal. A Few Thoughts on Cryptographic Engineering (2018). https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging
- [Gre18b]Greenberg, A.: WhatsApp security flaws could allow snoops to slide into group chats. Wired Mag. (2018). https://www.wired.com/story/whatsapp-security-flaws-encryption-group-chats
- [KBB17]Kobeissi, N., Bhargavan, K., Blanchet, B.: Automated verification for secure messaging protocols and their implementations: a symbolic and computational approach. In: Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P), pp. 435–450 (2017)Google Scholar
- [LP11]Lin, H., Pass, R.: Constant-round non-malleable commitments from any one-way function. In: Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pp. 705–714 (2011)Google Scholar
- [PM16]Perrin, T., Marlinspike, M.: The double ratchet algorithm (2016). https://signal.org/docs/specifications/doubleratchet/doubleratchet.pdf. Accessed 16 May 2018
- [PR05]Pass, R., Rosen, A.: Concurrent non-malleable commitments. In: Proceedings of the 46th Annual IEEE Symposium on Foundations of Computer Science, pp. 563–572 (2005)Google Scholar
- [RMS18]Rösler, P., Mainka, C., Schwenk, J.: More is less: on the end-to-end security of group chats in Signal, WhatsApp, and Threema. In: Proceedings of the 3rd IEEE European Symposium on Security and Privacy (EuroS&P) (2018)Google Scholar
- [RS18]Rotem, L., Segev, G.: Out-of-band authentication in group messaging: computational, statistical, optimal. Cryptology ePrint Archive, Report 2018/493 (2018)Google Scholar
- [Tela]Telegram. End-to-end encrypted voice calls - key verification. https://core.telegram.org/api/end-to-end/voice-calls#key-verification. Accessed 16 May 2018
- [Telb]Telegram. End-to-end encryption. https://core.telegram.org/api/end-to-end. Accessed 16 May 2018
- [Vib]Viber encryption overview. https://www.viber.com/app/uploads/Viber-Encryption-Overview.pdf. Accessed 16 May 2018
- [Wha]WhatsApp encryption overview. https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf. Accessed 16 May 2018
- [Wik]Wikipedia. Instant messaging. https://en.wikipedia.org/wiki/Instant_messaging. Accessed 16 May 2018