Skip to main content

Security Analysis of SFrame

  • 1047 Accesses

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12973)

Abstract

As people become more and more privacy conscious, the need for end-to-end encryption (E2EE) has become widely recognized. We study the security of SFrame, an E2EE mechanism recently proposed to IETF for video/audio group communications over the Internet. Although a quite recent project, SFrame is going to be adopted by a number of real-world applications. We inspected the original specification of SFrame. We found a critical issue that will lead to an impersonation (forgery) attack by a malicious group member with a practical complexity. We also investigated the several publicly-available SFrame implementations, and confirmed that this issue is present in these implementations.

Keywords

  • End-to-End Encryption
  • SFrame
  • Authenticated encryption
  • Signature
  • Impersonation

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-88428-4_7
  • Chapter length: 20 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-88428-4
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.

Notes

  1. 1.

    https://zoom.us/.

  2. 2.

    https://www.webex.com.

  3. 3.

    https://duo.google.com/about/.

  4. 4.

    https://meet.jit.si/.

  5. 5.

    https://fosdem.org/2021/schedule/.

  6. 6.

    https://mailarchive.ietf.org/arch/browse/cfrg/?q=SFrame.

References

  1. Andreeva, E., et al.: New second-preimage attacks on hash functions. J. Cryptol. 29(4), 657–696 (2016). https://doi.org/10.1007/s00145-015-9206-4

    MathSciNet  CrossRef  MATH  Google Scholar 

  2. Barnes, R., Beurdouche, B., Millican, J., Omara, E., Cohn-Gordon, K., Robert, R.: The Messaging Layer Security (MLS) Protocol, October 2020. https://tools.ietf.org/html/draft-ietf-mls-protocol-10

  3. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41

    CrossRef  Google Scholar 

  4. Cisco Systems: SFrame (2020). https://github.com/cisco/sframe

  5. Cisco Systems: Zero-Trust Security for Webex White Paper (2021). https://www.cisco.com/c/en/us/solutions/collateral/collaboration/white-paper-c11-744553.pdf

  6. Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the signal messaging protocol. J. Cryptol. 33(4), 1914–1983 (2020)

    MathSciNet  CrossRef  Google Scholar 

  7. Dodis, Y., Grubbs, P., Ristenpart, T., Woodage, J.: Fast message franking: from invisible salamanders to encryptment. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 155–186. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_6

    CrossRef  Google Scholar 

  8. Dworkin, M.: NIST SP 800–38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC (2007). U.S. Department of Commerce/National Institute of Standards and Technology

    Google Scholar 

  9. Omara, E.: Extend Tag Calculation to Cover Nonce #59 (2021). https://github.com/eomara/sframe/pull/59

  10. Omara, E.: Remove Signature #58 (2021). https://github.com/eomara/sframe/pull/58

  11. Ferguson, N.: Authentication Weaknesses in GCM. Comments submitted to NIST Modes of Operation Process (2005). http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf

  12. Garman, C., Green, M., Kaptchuk, G., Miers, I., Rushanan, M.: Dancing on the lip of the volcano: chosen ciphertext attacks on apple iMessage. In: Holz, T., Savage, S. (eds.) USENIX Security 2016, pp. 655–672. USENIX Association, August 2016

    Google Scholar 

  13. Isobe, T., Ito, R.: Security analysis of end-to-end encryption for zoom meetings. IEEE Access 9, 90677–90689 (2021)

    CrossRef  Google Scholar 

  14. Isobe, T., Minematsu, K.: Breaking message integrity of an end-to-end encryption scheme of LINE. In: Lopez, J., Zhou, J., Soriano, M. (eds.) ESORICS 2018. LNCS, vol. 11099, pp. 249–268. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98989-1_13

    CrossRef  Google Scholar 

  15. Jitsi: Jitsi Meet API library (2020). https://github.com/jitsi/lib-jitsi-meet/

  16. Khovratovich, D., Rechberger, C., Savelieva, A.: Bicliques for preimages: attacks on Skein-512 and the SHA-2 family. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 244–263. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_15

    CrossRef  Google Scholar 

  17. Knodel, M., Baker, F., Kolkman, O., Celi, S., Grover, G.: Definition of End-to-end Encryption, February 2021. https://datatracker.ietf.org/doc/draft-knodel-e2ee-definition/

  18. Krawczyk, H.: The order of encryption and authentication for protecting communications (or: how secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_19

    CrossRef  Google Scholar 

  19. Krawczyk, H., Eronen, P.: HMAC-based Extract-and-Expand Key Derivation Function (HKDF). Internet Engineering Task Force - IETF, Request for Comments 5869, May 2010

    Google Scholar 

  20. Matrix.org Foundation: Olm: a Cryptographic Ratchet (2016). https://gitlab.matrix.org/matrix-org/olm/-/blob/master/docs/olm.md

  21. Mattsson, J., Westerlund, M.: Authentication key recovery on Galois/Counter Mode (GCM). In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 127–143. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31517-1_7

    CrossRef  Google Scholar 

  22. McGrew, D.A.: An Interface and Algorithms for Authenticated Encryption. Internet Engineering Task Force - IETF, Request for Comments 5116, January 2008

    Google Scholar 

  23. Menezes, A.J., Oorschot, P.C.V., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)

    MATH  Google Scholar 

  24. Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_15

    CrossRef  Google Scholar 

  25. Omara, E.: Google Duo End-to-End Encryption Overview - Technical Paper (2020). https://www.gstatic.com/duo/papers/duo_e2ee.pdf

  26. Omara, E., Uberti, J., Gouaillard, A., Murillo, S.G.: Secure Frame (SFrame), November 2020. https://tools.ietf.org/html/draft-omara-sframe-01

  27. Omara, E., Uberti, J., Gouaillard, A., Murillo, S.G.: Secure Frame (SFrame), March 2021. https://tools.ietf.org/html/draft-omara-sframe-02

  28. Open Whisper Systems.: Signal Github Repository (2017). https://github.com/WhisperSystems/

  29. Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM CCS 2002, pp. 98–107. ACM Press, November 2002. https://doi.org/10.1145/586110.586125

  30. Rogaway, P., Shrimpton, T.: Cryptographic hash-function basics: definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_24

    CrossRef  Google Scholar 

  31. Rösler, P., Mainka, C., Schwenk, J.: More is less: on the end-to-end security of group chats in signal, WhatsApp, and Threema. In: 2018 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 415–429. IEEE (2018)

    Google Scholar 

  32. Corretgé, S.I.: The road to End-to-End Encryption in Jitsi Meet (2021). https://fosdem.org/2021/schedule/event/e2ee/attachments/slides/4435/export/events/attachments/e2ee/slides/4435/E2EE.pdf

  33. Murillo, S.G.: SFrame.js (2020). https://github.com/medooze/sframe

  34. Turner, J.M.: The keyed-hash message authentication code (HMAC). Federal Inf. Process. Stand. Publ. 198(1) (2008)

    Google Scholar 

Download references

Acknowledgments

We are grateful to the SFrame designers (Emad Omara, Justin Uberti, Alex Gouaillard, and Sergio Garcia Murillo) for the fruitful discussion and feedback about our findings. We would like to thank the anonymous reviewers for their insightful comments, and Shiguredo Inc. for helpful discussion about real-world applications of the end-to-end encryption. Takanori Isobe is supported by JST, PRESTO Grant Number JPMJPR2031, Grant-in-Aid for Scientific Research (B)(KAKENHI 19H02141) and SECOM science and technology foundation.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Ryoma Ito .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Isobe, T., Ito, R., Minematsu, K. (2021). Security Analysis of SFrame. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12973. Springer, Cham. https://doi.org/10.1007/978-3-030-88428-4_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-88428-4_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88427-7

  • Online ISBN: 978-3-030-88428-4

  • eBook Packages: Computer ScienceComputer Science (R0)