SAID: Reshaping Signal into an Identity-Based Asynchronous Messaging Protocol with Authenticated Ratcheting

Blazy, Olivier; Bossuat, Angèle; Bultel, Xavier; Fouque, Pierre-Alain; Onete, Cristina; Pagnin, Elena

doi:10.1109/eurosp.2019.00030

Cited by 6 publications

(12 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Further differences from the MSKE model are that we use a generic partnering notion (instead of protocol-dependent session identifiers), define authentication flexibly (e.g., unilateral authentication does not necessarily mean server authentication), provide a metric to meaningfully compare security statements of differing yet similar protocols, and, due to the ACCE nature of our model, provide valuable security statements on channels that are built using 'internal' symmetric keys (for which composition results of the MSKE models can naturally provide no generic guarantees). 4 Contributions Our contributions can be summarized as follows:…”

Section: Flexibility and Generalization For Acce Originally The Authementioning

confidence: 99%

“…Their QACCE and msACCE models are, however, strongly tailored to the respectively analyzed protocols (QUIC and TLS 1.3). Blazy et al [4] also proposed very recently a multistage ACCE model to analyze a ratcheting protocol. Similarly, their model strongly depends on the analyzed protocol, pursuing a contrary strategy to ours (i.e., a specialized instead of a generic model).…”

Section: Related Workmentioning

confidence: 99%

“…One could imagine that the round-trips in the protocol may serve as stages. However, one can only define round-trips in a protocol execution if both session participants can be observed (which is not the case when considering active adversaries) 4. The composition theorems by Fischlin and Günther[14,16,17] explicitly exclude internally used keys (such that internal keys in Quic or TLS 1.3 cannot be used for generic symmetric primitives).…”

mentioning

confidence: 99%

See 2 more Smart Citations

Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework

Dowling

Rösler

Schwenk

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The Noise protocol framework is a suite of channel establishment protocols, of which each individual protocol ensures various security properties of the transmitted messages, but keeps specification, implementation, and configuration relatively simple. Implementations of the Noise protocols are themselves, due to the employed primitives, very performant. Thus, despite its relative youth, Noise is already used by large-scale deployed applications such as WhatsApp and Slack. Though the Noise specification describes and claims the security properties of the protocol patterns very precisely, there has been no computational proof yet. We close this gap. Noise uses only a limited number of cryptographic primitives which makes it an ideal candidate for reduction-based security proofs. Due to its patterns' characteristics as channel establishment protocols, and the usage of established keys within the handshake, the authenticated and confidential channel establishment (ACCE) model (Jager et al. CRYPTO 2012) seems to perfectly fit for an analysis of Noise. However, the ACCE model strictly divides protocols into two non-overlapping phases: the preaccept phase (i.e., the channel establishment) and post-accept phase (i.e., the channel). In contrast, Noise allows the transmission of encrypted messages as soon as any key is established (for instance, before authentication between parties has taken place), and then incrementally increases the channel's security guarantees. By proposing a generalization of the original ACCE model, we capture security properties of such staged channel establishment protocols flexibly-comparably to the multi-stage key exchange model (Fischlin and Günther CCS 2014). We give security proofs for eight of the 15 basic Noise patterns in the full version (EPRINT 2019/436) and exemplify them by the proof of the XK pattern in this article.

show abstract

Section: Flexibility and Generalization For Acce Originally The Authementioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework

Dowling

Rösler

Schwenk

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Signal's PCS guarantee is limited by two main factors: the lack of persistent authentication (noticed by Blazy et al [5]) and the frequency of asymmetric ratchets, which is our key motivation.…”

Section: Introductionmentioning

confidence: 99%

“…Persistent authentication [5]. In Signal, the two parties initially use long-term identity-keys to authenticate.…”

Section: Introductionmentioning

confidence: 99%

Marshal

Blazy

Fouque

Jacques

et al. 2022

Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing

Self Cite

View full text Add to dashboard Cite

Secure messaging applications are deployed on devices that can be compromised, lost, stolen, or corrupted in many ways. Thus, recovering from attacks to get back to a clean state is essential and known as healing. Signal is a widely-known, privacy-friendly messaging application, that uses key-ratcheting mechanism updates keys at each stage to provide end-to-end channel security, forward secrecy, and post-compromise security. We strengthen this last property, by providing a faster healing. Signal needs up to two full chains of messages before recovering, our protocol enables recovery after the equivalent of a chain of only one message. We also provide an extra protection against session-hijacking attacks. We do so, while building on the pre-existing Signal backbone, without weakening its other security assumptions, and still being compatible with Signal's out-of-order message handling feature. Our implementation results show that, while slower than Signal (as expected), MARSHAL's spectacular gain in healing speed comes at a surprisingly low cost, with individual stages (including keyderivation, encryption, and decryption) taking less than 6 ms. CCS CONCEPTS• Security and privacy → Public key (asymmetric) techniques; Security protocols;

show abstract

Symmetric Asynchronous Ratcheted Communication with Associated Data

Yan

Vaudenay

2020

Advances in Information and Computer Security

View full text Add to dashboard Cite

Following up mass surveillance and privacy issues, modern secure communication protocols now seek strong security, such as forward secrecy and post-compromise security, in the face of state exposures. To address this problem, ratcheting was thereby introduced, widely used in real-world messaging protocols like Signal. However, ratcheting comes with a high cost. Recently, Caforio et al. proposed pragmatic constructions which compose a weakly secure "light" protocol and a strongly secure "heavy" protocol, in order to achieve the so-called ratcheting on demand. The light protocol they proposed has still a high complexity.In this paper, we prove the security of the lightest possible protocol we could imagine, which essentially encrypts then hashes the secret key. We prove it without any random oracle by introducing a new security notion in the standard model. Our protocol composes well with the generic transformation techniques by Caforio et al. to offer high security and performance at the same time.

show abstract

SAID: Reshaping Signal into an Identity-Based Asynchronous Messaging Protocol with Authenticated Ratcheting

Cited by 6 publications

References 21 publications

Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework

Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework

Marshal

Symmetric Asynchronous Ratcheted Communication with Associated Data

Contact Info

Product

Resources

About