Friday, October 14, 2016

How the Textsecure Protocol (Signal, WhatsApp, Facebook, Allo) Works




Goals


The goal of TextSecure is to offer "end-to-end security, deniability, forward secrecy, and future secrecy". What this means in practice is that TextSecure wants to construct a stream of messages between two people which keeps key material around for as short a time as possible. Key compromise in the future should not make it possible to decrypt traffic observed today. 

I've covered a critical analysis of the Signal Protocol below. It studies the implemented architecture, notes discovered flaws, and evaluates how well the stated goals are met. A deeper analysis of the goals follows the system description.


Terminology


TextSecure is one name given to the application now called Signal. The codebase and the documentation throughout it use the name TextSecure. In order to maintain consistency with the System, I will refer to the entire system as TextSecure. 

In reality, there are a number of different things here:

The TextSecure Server, referred to as TS in the linked whitepapers (bottom) is the centralized server which coordinates state for the rest of the system. 

The Signal Protocol refers to the more general protocol in use by messaging apps from Facebook Messenger to Google Allo. It implements the functionality described below, but leaves these implementations free to do message routing and metadata tracking however they like.

The Signal application is a mobile application which implements the Signal Protocol using the described TextSecure Server policies analyzed below. This is the original implementation of the protocol. 


Architecture



TextSecure is a modification of the Off-The-Record chat protocol with a focus on asynchronous coordination. Whereas OTR requires an interactive handshake, TextSecure considers the indeterminate latency unacceptable. Having to bring an app into the foreground and carry out a handshake before being able to send a message would offer a terrible user experience.

Instead, copies of the server's role in the key negotiation are stored by a centralized server for potential clients to fetch and use. This server acts as a channel not trusted with key information able to decrypt anything; all encryption is end to end. 


Cryptography




TextSecure uses a small set of cryptographic primitives. Public key cryptography is carried out through elliptic-curve Diffie-Hellman using Curve25519. AES is used for symmetric encryption, for both counter mode without padding and cipher block chaining mode. HMAC-SHA256 is used for message authentication. These are the trusted base.

Double Ratchet:


The core of TextSecure's encryption engine is the Axolotl double ratchet algorithm. The big-picture idea is that there are two ratchets that can move forward: a receive ratchet and a send ratchet. The structure allows for the first half of the key negotiation to be saved and replayed asynchronously later to yield a full handshake. 

The receive ratchet is used when a message is received, which must include new material for the next key negotiation. This material is used to generate new symmetric keys for encryption and message authentication later. 

The sending hash ratchet generates a new set of keys using the keystream generated from the previous set of coordinated shared secrets. This ratchet is reset when the receive ratchet is activated and the shared secrets change.

What is important here to observe is that a sender never has to wait in order to send a message. They can always take a step to send a message which terminates in a bounded amount of time. These messages will all be encrypted with different symmetric keys. This means that the current keys on either person's devices cannot be used to decrypt a message sent in the past. (We see later that this has one caveat.)


Protocol



- Phase 1: Textsecure Registration



Registration starts by having a client tell the server the phone number with which it can be contacted, as well as whether it would prefer to receive a token via phone call or via SMS. This token acts as the proof of ownership which enables the user to store registration information with textsecure. 

The client sends message authentication and encryption symmetric keys ('signaling' keys), and their long-term public key.

It also posts a collection of prekeys, which are one-time copies of the client's half of key negotiation when the client is a recipient. These stored prekeys allow a sender to carry out key negotiation without requiring the client be able to respond, reducing negotiation latency significantly. The client also uploads a "prekey of last resort" which is used last and is shared between all sessions until the recipient pushes new prekeys.

That signal doesn't warn the user about relying on a prekey that's been used by other clients is less than ideal, in my opinion. 

The client then registers with Google Cloud Messaging to get a registration ID to give textsecure. This registration with textsecure includes whether the client wants to receive SMS or only data.


- Phase 2: Key comparison


Textsecure allows for clients to compare the fingerprint of each other's long-term keys to verify each other's identity. It also includes support for displaying keys as QR codes to enable convenient comparison. 


- Phase 3.1: Sending an initial message


The sender starts by requesting a prekey for the recipient. They're given the prekey index, the prekey, the registration ID, and the long-term public key of the recipient. These are used to negotiate a shared secret through the HDKF key derivation algorithm. This is referred to as the root key.

An ephemeral keypair is generated for this message. The root key is used with HDKF to derive a new root key and a chaining key. This chaining key is what is used to generate encryption and MAC keys. 

Lastly, AES counters are initialized. There are two counters: ctr and pctr. The ctr counter is incremented with every sent message while the pctr counter holds the counter of the last message seen. This allows a recipient to enforce an ordering between messages received out of order.

These are used to encrypt the message for the recipient, which is send to the signal server. This message contains the information necessary for the recipient to complete the key negotiation handshake. 

The signal server will check that the Google Cloud Messenger registration ID is right for the phone number in question, and will encrypt the message with the 'signaling' keys before sending the message to the cloud server. This indirection ensures that Google Cloud Messenger does not see the message sender. 


- Phase 3.2: Receiving a message


The sender receives the prekey index and uses it to find the prekey used by the sender. It then uses the information sent to complete the handshake and to find the same root keys as the sender. These generate the keys used to decrypt the sent message.



- Phase 4: Sending a Follow-up Message



If the original sender wants to send a second message before the recipient replies, they generate a new chaining key and use this to find new encryption and message authentication keys.
- Phase 5: Sending a Reply


When the recipient wishes to reply they first choose a new ephemeral keypair. Using the sender's ephemeral public key, and their ephemeral private key, they generate a new shared secret. This is used to find a new chaining key to find new keys for encryption and authorization. This is used to encrypt the message, which is sent along with the new ephemeral public key.


Known Issues



Key Submission



TextSecure uses a shared secret between the TextSecure server and client, the machine-generated "pw", to authenticate upload of new prekeys. This is also used for authenticating sent messages. Leaking the password is then enough to allow someone to both send messages and upload keys on behalf of a user. The encrypted export function allowed a TextSecure client to move accounts between phones, but was removed because the export included the machine-generated password in it. This unencrypted backup was placed on the device's SD card, which meant that other apps on the phone could read it. 

This feature has since been removed. If you noticed it missing, it's not a usability bug. It's a conservative approach to a real problem. 


Unknown Key-Share Attack



This attack is one of forged delivery. If an attacker carries out a UKS attack, they trick someone into crafting a message for another person (the target) when they believe they are communicating with the attacker. 

This is easily done by a powerful attacker by replacing their own public key on the TextSecure server with the target's public key. They can do this by re-registering their number with TextSecure. They then can use QR codes to validate that their fingerprint matches what the sender has. This is the fingerprint of the target's key. 

Then, they must re-register the sender's account and intercept the validation SMS or phone call from reaching the sender. This is trivial to anybody with a permissive-enough warrant. They now can authenticate as the sender and pass along the signed message. 

This attack has not been fixed by TextSecure. They added signing of prekeys, but they are still not cryptographically associated with an identity. They may be passed-off and replayed due to this lack of association.  

A feasible fix would be to have the sender and recipient both mentioned in the encrypted body of the message. 

Goal Evaluation


TextSecure achieves forward security due to it's construction. Forward secrecy states that if long-lived public keys remain secure, that leakage of current symmetric keys forms a security breach which is active for a bounded amount of time. Since the public keys are required in each new ratchet, this is met.

Perfect forward secrecy is defined as the property that seizing the current keys had by a client won't allow an adversary from decrypting messages sent previously. This is enforced by the TextSecure wire protocol but it turns into a bit of a semantics game. Since keys are only stored on the devices, it is unlikely for a key to be disclosed without having access to other keys currently on the app. The long-term key isn't enough to decrypt a message without the short-term keys associated with the ratchet state, but these can be pulled from the phone and used to decrypt messages sent and not yet replied to (messages using the previous ratchet). This is disclosure of a "previous" message technically.

Deniability is much shaker. While it's possible to say that anybody could have created a given message, since the prekeys are published, the centralization of TextSecure poses a threat to that. The TextSecure server authenticates and forwards messages, and may log them. While the content is encrypted end-to-end, the metadata is not.

Sources


Analysis Whitepaper:
http://ieeexplore.ieee.org/document/7467371/


Marlinspike, Moxie (30 March 2016). "Signal on the outside, Signal on the inside". Open Whisper Systems. Retrieved 31 March 2016.

70 comments:

  1. ALL the above are nowadays intereptable protocols and ALL major goverments have tools to intercept them.
    Even the manufacturers like facebook add the possibility of disabling encryption remote.

    ALL fake encryption.

    ReplyDelete
  2. This comment has been removed by a blog administrator.

    ReplyDelete
  3. Always so interesting to visit your site.What a great info, thank you for sharing. this will help me so much in my learning
    http://buyfblikescheap.com/buy-facebook-photo-likes/

    ReplyDelete
  4. The blog and data is excellent and informative as well
    buy facebook post likes

    ReplyDelete
  5. This is an awesome motivating article.I am practically satisfied with your great work.You put truly extremely supportive data. Keep it up. Continue blogging. Hoping to perusing your next post
    buy active facebook likes

    ReplyDelete
  6. I really loved reading your blog. It was very well authored and easy to undertand. Unlike additional blogs I have read which are really not tht good. I also found your posts very interesting. In fact after reading, I had to go show it to my friend and he ejoyed it as well!
    buy facebook photo likes reviews

    ReplyDelete
  7. I agree with, of course, all of these varients of solving that issue are great, but as for me, it is much easier just to use this app https://mxspy.com/whatsapp-hack/. It works very stable and good, try it.

    ReplyDelete
  8. This is interesting! But you know, I would better install this wonderful whatsapp spy http://copy9.com/facebook-spy-a-complete-beginners-guide-to-spy-app/ on your phone and spy anybody you.

    ReplyDelete
  9. This comment has been removed by the author.

    ReplyDelete
  10. if you are using whatsapp than below mention link will help to make your impression strong in front of your friendsfree Love Images and Hindi Whatsapp Status and WhatsApp Status

    ReplyDelete
  11. Take the initiative and create WhatsApp groups of distinct audiences. You can create groups on the basis of their geographical location, interest and demographics. You can also limit the room of your WhatsApp groups such as how many people will be in one group. After doing the complete process, start sending messages to the group. WhatsApp

    ReplyDelete
  12. Take the initiative and create WhatsApp groups of distinct audiences. You can create groups on the basis of their geographical location, interest and demographics. You can also limit the room of your WhatsApp groups such as how many people will be in one group. After doing the complete process, start sending messages to the group. WhatsApp

    ReplyDelete
  13. Alaways so fascinating to visit your site.What an extraordinary information, thank you for sharing. this will help me such a great amount in my
    Female Call Girls service in Delhi
    Russian escorts girls in Delhi
    Model Call Girls Delhi
    Hi Profile escorts girls in Delhi

    ReplyDelete
  14. It's a nice topic to think over. You can order an essay about how to protect your personal information on https://thepaperwriting.com/term-paper-writing.

    ReplyDelete
  15. Thanks for sharing this amazing article and i think you know about lucky patcher apk download no root and i think it works like a charm. PLease post more article like this and i will visit here again.

    ReplyDelete
  16. The post contains lots of knowledgeable facts with step by step guide.For more exiting post related to Tech you must visit this website

    ReplyDelete
  17. Always so interesting to visit your site.What a great info, thank you for sharing. this will help me so much in my learning
    /holi image
    / holi shayari status
    /love couple image

    ReplyDelete
  18. This comment has been removed by the author.

    ReplyDelete
  19. I was more than happy to uncover this great site. I need to to thank you for your time due to this fantastic read!! I definitely enjoyed every bit of it and I have you bookmarked to see new information on your blog.
    la luna sangre
    pinoy tambayan
    pinoy channel

    ReplyDelete
  20. Security is always a point of consideration for social networking websites and for webmaster, the main aim of this article is not to introduce some security and privacy tips, as title shows that we are going to talk about some advance security features that are available on your Facebook account.Click here

    ReplyDelete
  21. Information contains in the article looks unique and innovative.People must enjoy it.My guide also contains informative ideas for the people,so you must take a look at that: Kik for pc

    ReplyDelete
  22. This is very educational content and written well for a change. It's nice to see that some people still understand how to write a quality post! psd to responsive html

    ReplyDelete
  23. http://www.poojaroy.com/green-park-escorts.html

    ReplyDelete
  24. Thanks for sharing this amazing article and i think you know about lucky patcher all versions and i think it works like a charm.

    ReplyDelete
  25. will make sure that you are entertained throughout and you are not getting bored. So, just hire them and be ready to spend the most amazing
    http://www.poojaroy.com/connaught-place-escorts.html

    ReplyDelete
  26. http://www.vipescorts.us/meet-high-profile-sizzling-escorts-for-ultimate-satisfaction/
    their business trip after brainstorming working hours. Keeping this problem in mind, the Delhi based call girls have planned special services for them.

    ReplyDelete
  27. the Bangalore escorts sexy escorts. Privacy is undoubtedly one of the main reason of using the blur or fake pictures in the profile by the sexy and hot escorts of Privacy is the utmost priority of all the sophisticated and independent call-girls .
    Independent Bangalore Escorts agency

    ReplyDelete
  28. You can watch Pinoy Tv dramas videos on Pinoy tv channel. All videos are available here better quality than the other sites. Our Pinoy channel is designed to provide you best video service purposefully to watch videos for daily entertainment.

    ReplyDelete
  29. India is also one such country where this profession is considered as unethical and also not accepted by the society. It is illegal also. So, all those females who work as escorts in the city indore escorts
    http://www.mumbaiescortsclub.in/indore-escorts

    ReplyDelete
  30. their looks are lascivious and their figure is toned remarkably well. You can enjoy thoroughly, with them, because they are extremely fun loving and equally entertaining.
    http://www.mumbaiescortsclub.in/vadodara-escorts/

    ReplyDelete

  31. One of the most amazing things to know about the Delhi escort girls is that they are good enough to offer you complimentary services. If you want to enjoy assistance of two lovable girls together, you should opt for the escort duos services. This idea is good for those men who are willing to have assistance of perky and busty girls together or the pair of blonde and brunette.
    Delhi Escorts
    Independent Delhi Escorts
    Escorts in Delhi
    Female Escorts In Delhi
    http://www.janviarora.com/

    ReplyDelete
  32. I think this is a really good article. You make this information interesting and engaging. You give readers a lot to think about and I appreciate that kind of writing. Download Whatsapp video Status

    ReplyDelete
  33. I recently found many useful information in your website especially this blog page. Among the lots of comments on your articles. Thanks for sharing. proyectos whatsapp

    ReplyDelete
  34. Wow amazing article dear, I found what I was looking for, thanks for sharing this information

    ReplyDelete
  35. The website is looking bit flashy and it catches the visitors eyes. Design is pretty simple and a good user friendly interface. Funny Whatsapp group link to Join

    ReplyDelete
  36. Hot,sexy and busty housewife escort services in Delhi, provided by Delhi escorts, If you want to do erotic activities with lovely housewives then contact us.
    Escorts Delhi

    ReplyDelete
  37. HP Printer Support Number1-855-499-1999 can also help you with opening times and other details of your local store. Many people prefer to go into a store before buying an expensive item so that they can have a demonstration of the product. If you are buying something for portability you will want to pick it up and hold it to make sure it is right for what you need.
    HP Printer Support Phone Number

    ReplyDelete
  38. Office gives you the best experience in your works. You can easily do you work easy with the help of office app. It can gives you excel, word and PowerPoint so you can use it and makes your work easy. You can download from the given link Office/setup.

    ReplyDelete
  39. In our MacBook, technical support delegates at MacBook backing are very talented and experienced, who give users support at the earliest opportunity. You need to get a instant solution through MacBook technical support which is guaranteed you also. You don’t need to stress over it since we give you the fast technical support through macbook support number :18003823046.

    ReplyDelete
  40. ATT Customer Service – Get an inconvenience free email understanding. Under such irksome conditions, all the better you can do is to call at the ATT Email Support Number . The professionals will help you by giving the best arrangements according to the issue you have. Aside from this, you can likewise call us to request a specialist's direction to utilize ATT in the best way.

    ATT Customer Service Number
    ATT Email Support Number
    ATT email login

    Comcast Email Support Number
    Comcast Customer Service Number

    AOL Customer Service Number
    AOL Support Number
    AOL Mail Help Number
    AOL Mail login
    Change Aol password

    ReplyDelete
  41. There are different systems in soothsaying, for example, diminish engage Love marriage specialist the typical thing, in India similarly as utilizing energize
    any place all through the world, for example, America, Germany, Australia Canada UK New Zealand Use this valuable stone looking in Italy and more nations are. Each individual
    on the planet needs every achievement in Love Problem Solution each field, in any case does not have any future in the hands of any human. He can't control his needs with no other person's data; it
    is made by the limitations of the planet and stars as much as in the life of an individual. There are sure and negative viewpoints that come similarly because of your planets
    and star groupings who has gotten exceptional Breakup problem solution getting ready from his incredible pro, who had gotten the direction of soothsaying, was a remarkable valuable stone gazer; he has
    been instructed by them. His experience is generally splendid, India has not many awesome prophets, To recognize love well, different stargazers are accessible on the web these
    days yet it isn't right that all are sharp Vashikaran specialist and instructed Many diviners have no data yet they do prompt
    Love marriage specialist
    Love Problem Solution
    Breakup problem solution
    Vashikaran specialist

    ReplyDelete
  42. McAfee Support will resolve all your issues related to subscription, renewal and installation of McAfee antivirus in your system it make your system fast and secure.

    Contact McAfee
    McAfee Help

    ReplyDelete
  43. This comment has been removed by the author.

    ReplyDelete
  44. This comment has been removed by the author.

    ReplyDelete
  45. I liked your article as i am finding Facebook ads spy tools from past ten days but i am not able to find but your article helped me a lot so thank you so much.

    ReplyDelete
  46. Nice Post, Thanks for sharing.
    Get in touch with to take the antivirus technical support, We are available round the clock for the instant help, Dial our Kaspersky Support usa+1-866-272-9202 to avail instant help.

    ReplyDelete
  47. Thank you for helping people get the information they need. Great stuff as usual. Keep up the great work!!!

    Vashikaran specialist

    ReplyDelete
  48. Sign in to enter office setup product key. Know how to benefit, download, install, set in movement, uninstall and reinstall MS office setup and Get Started by now Office setup.if you have any query related to officecom then contact us.For your PC ultimate protection, you can use the Webroot antivirus trial version free from Webroot website www.webroot.com/safe. You can protect your system against viruses, threats, malware and more online threats.

    www.office.com/setup | WWW.WEBROOT.COM/SAFE

    ReplyDelete
  49. Tatsächlich könnten Sie für eine große Überraschung bereit sein, wenn Sie feststellen, dass es bereits möglich ist, Mobiltelefone auszuspionieren. www.iphoneorten.de/ Es könnte Sie potenziell vor dem Verlust von Kreditkarteninformationen oder sogar Ihrer Identität schützen.

    ReplyDelete
  50. I amazed with the research you made to create this actual put up amazing. Great activity!

    www.caramembuatwebsiteku.com/tips-tentang-struktur-website

    ReplyDelete


  51. We solve All types of Email related issues and give our best services like, • Password Recovery • Protecting email accounts from malware. If you facing
    issue while using email then You can contact us att.net email support number USA+1-866-272-9202 Toll Free is right way to obtain technical support & avail 24/7 with online AT&T Customer Service.

    ReplyDelete
  52. What a superb post! I have no words to describe this post because everthing is clear with your wonderfull words. I really feel out of world reading your post, it is full of fresh and usefull. I really appreciate, keep the work continue.

    norton.com/setup ! www.norton.com/setup ! office.com/setup


    ReplyDelete
  53. This article was really helpful. The tip to clarify the topic was good for me to read, I liked your ideas, keep continue.

    norton.com/setup

    ReplyDelete