Abstract
Faced with the threats posed by man-in-the-middle attacks, messaging platforms rely on “out-of-band” authentication, assuming that users have access to an external channel for authenticating one short value. For example, assuming that users recognizing each other’s voice can authenticate a short value, Telegram and WhatsApp ask their users to compare 288-bit and 200-bit values, respectively. The existing protocols, however, do not take into account the plausible behavior of users who may be “lazy” and only compare parts of these values (rather than their entirety).
Motivated by such a security-critical user behavior, we study the security of lazy users in out-of-band authentication. We start by showing that both the protocol implemented by WhatsApp and the statistically optimal protocol of Naor, Segev, and Smith (CRYPTO’06) are completely vulnerable to man-in-the-middle attacks when the users consider only half of the out-of-band authenticated value. In this light, we put forward a framework that captures the behavior and security of lazy users. Our notions of security consider both statistical security and computational security, and for each flavor we derive a lower bound on the tradeoff between the number of positions that are considered by the lazy users and the adversary’s forgery probability.
Within our framework, we then provide two authentication protocols. First, in the statistical setting, we present a transformation that converts any out-of-band authentication protocol into one that is secure even when executed by lazy users. Instantiating our transformation with a new refinement of the protocol of Naor et al. results in a protocol whose tradeoff essentially matches our lower bound in the statistical setting. Then, in the computational setting, we show that the computationally optimal protocol of Vaudenay (CRYPTO’05) is secure even when executed by lazy users—and its tradeoff matches our lower bound in the computational setting.
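The abstract's central observation is that the number of compared positions alone does not determine what a lazy comparison verifies; the structure of the out-of-band value does. The following simulation is an added illustration, not code from the paper and not a description of any real app's value format (the page does not describe those formats). It constructs two toy designs with 16-bit keys so that every possible substitute key can be enumerated: in the first, the value is one party's fingerprint followed by the other's, so each digit depends on a single key; in the second, every digit depends on both keys. A lazy verifier checks only a chosen set of positions, and the code measures how often a substitution of one key goes unnoticed. The fingerprint construction (truncated SHA-256), the sample keys, and the attacker model (B's key replaced as seen by A, with A's key left intact) are all assumptions made for this example.

```python
"""Toy simulation: how much does a 'lazy' out-of-band comparison actually check?

Constructed example, not the paper's protocols or any real app's format.
Keys are 16-bit so every possible substitute key can be enumerated exhaustively.
"""
import hashlib

KEY_BITS = 16   # toy key size (assumption); real keys are far larger
FP_HEX = 4      # each per-party fingerprint is 4 hex digits = 16 bits (assumption)


def fingerprint(key: bytes) -> str:
    """Per-party fingerprint: truncated SHA-256 of the key (constructed)."""
    return hashlib.sha256(key).hexdigest()[:FP_HEX]


def concat_value(key_a: bytes, key_b: bytes) -> str:
    """Design 1: out-of-band value = A's fingerprint || B's fingerprint.
    Each digit of the value depends on only one of the two keys."""
    return fingerprint(key_a) + fingerprint(key_b)


def mixed_value(key_a: bytes, key_b: bytes) -> str:
    """Design 2: every digit of the value depends on both keys."""
    digest = hashlib.sha256(b"A:" + key_a + b"|B:" + key_b).hexdigest()
    return digest[: 2 * FP_HEX]


def lazy_match(v1: str, v2: str, positions) -> bool:
    """A lazy user compares only the given positions of the two values."""
    return all(v1[i] == v2[i] for i in positions)


def undetected_rate(value_fn, positions, key_a: bytes, key_b: bytes) -> float:
    """Fraction of substitute keys key_m != key_b that a lazy user checking only
    `positions` fails to notice when B's key is replaced by key_m as seen by A.
    B still holds (key_a, key_b) and reads the genuine value out loud;
    A holds (key_a, key_m) and compares the chosen positions against it."""
    genuine = value_fn(key_a, key_b)
    undetected = 0
    total = 0
    for k in range(1 << KEY_BITS):
        key_m = k.to_bytes(2, "big")
        if key_m == key_b:
            continue  # identical key is not a substitution
        total += 1
        if lazy_match(value_fn(key_a, key_m), genuine, positions):
            undetected += 1
    return undetected / total


# Constructed sample keys and comparison patterns
KEY_A = (0x1234).to_bytes(2, "big")
KEY_B = (0xBEEF).to_bytes(2, "big")
FIRST_HALF = range(0, FP_HEX)             # 16 bits compared, all from A's fingerprint
SECOND_HALF = range(FP_HEX, 2 * FP_HEX)   # 16 bits compared, all from B's fingerprint
FIRST_TWO = range(0, 2)                   # only 8 bits compared


def summary() -> dict:
    """Undetected-substitution rate for each (design, lazy pattern) pair."""
    return {
        "concat/first_half": undetected_rate(concat_value, FIRST_HALF, KEY_A, KEY_B),
        "concat/second_half": undetected_rate(concat_value, SECOND_HALF, KEY_A, KEY_B),
        "mixed/first_half": undetected_rate(mixed_value, FIRST_HALF, KEY_A, KEY_B),
        "mixed/first_two": undetected_rate(mixed_value, FIRST_TWO, KEY_A, KEY_B),
    }


if __name__ == "__main__":
    for name, rate in summary().items():
        print(f"{name:20s} undetected substitution rate = {rate:.5f}")
```

Running it shows the point of the abstract in numbers: with the concatenated design, checking the first half of the value leaves a substitution of B's key undetected every single time (rate 1.0), because none of the compared digits depend on B's key, while the same 16 compared bits taken from the mixed design catch all but roughly one in 2^16 random substitutions, and comparing only 8 bits catches all but roughly one in 2^8. That 2^-k shape, with k the number of compared bits, is the statistical baseline behind the tradeoff the abstract describes. Note the caveat: the enumeration counts random substitutions only; an adversary who controls both channels and can search for a key whose value agrees on the compared positions is exactly the computational case that protocols such as Vaudenay's address with commitments, so the mixed toy is a measurement aid, not a secure protocol.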
References
- Deena Alghamdi, Ivan Flechais, and Marina Jirotka. 2015. Security practices for households bank customers in the Kingdom of Saudi Arabia. In Symposium on Usable Privacy and Security (SOUPS). 297--308.
- Joël Alwen, Sandro Coretti, and Yevgeniy Dodis. 2019. The double ratchet: Security notions, proofs, and modularization for the Signal protocol. In Advances in Cryptology – EUROCRYPT’19. 129--158.
- Boaz Barak. 2002. Constant-round coin-tossing with a man in the middle or realizing the shared random string model. In Proceedings of the 43rd Annual IEEE Symposium on Foundations of Computer Science. 345--355.
- Mihir Bellare and Phillip Rogaway. 1993. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. 62--73.
- Mihir Bellare, Asha Camper Singh, Joseph Jaeger, Maya Nyayapati, and Igors Stepanovs. 2017. Ratcheted encryption and key exchange: The security of messaging. In Advances in Cryptology – CRYPTO’17. 619--650.
- Steven M. Bellovin and Michael Merritt. 1994. An attack on the Interlock Protocol when used for authentication. IEEE Transactions on Information Theory 40, 1 (1994), 273--275.
- Denis Besnard and Budi Arief. 2004. Computer security impaired by legitimate users. Computers & Security 23, 3 (2004), 253--264.
- Katriel Cohn-Gordon and Cas Cremers. 2017. Mind the Gap: Where Provable Security and Real-World Messaging Don’t Quite Meet. Cryptology ePrint Archive, Report 2017/982.
- Katriel Cohn-Gordon, Cas Cremers, Benjamin Dowling, Luke Garratt, and Douglas Stebila. 2017. A formal security analysis of the Signal messaging protocol. In Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P). 451--466.
- Katriel Cohn-Gordon, Cas Cremers, Luke Garratt, Jon Millican, and Kevin Milner. 2018. On ends-to-ends encryption: Asynchronous group messaging with strong security guarantees. In Proceedings of the 25th ACM Conference on Computer and Communications Security. 1802--1819.
- Danny Dolev, Cynthia Dwork, and Moni Naor. 2000. Non-malleable cryptography. SIAM Journal on Computing 30, 2 (2000), 391--437.
- Janna Lynn Dupree, Richard Devries, Daniel M. Berry, and Edward Lank. 2016. Privacy personas: Clustering users via attitudes and behaviors toward security practices. In Proceedings of the CHI Conference on Human Factors in Computing Systems. ACM, 5228--5239.
- F. Betül Durak and Serge Vaudenay. 2018. Bidirectional Asynchronous Ratcheted Key Agreement without Key-Update Primitives. Cryptology ePrint Archive, Report 2018/889.
- Carl M. Ellison. 1996. Establishing identity without certification authorities. In Proceedings of the 6th USENIX Security Symposium. 7--7.
- Tilman Frosch, Christian Mainka, Christoph Bader, Florian Bergsma, Jörg Schwenk, and Thorsten Holz. 2016. How secure is TextSecure? In Proceedings of the 1st IEEE European Symposium on Security and Privacy (EuroS&P). 457--472.
- Oded Goldreich. 1998. Modern Cryptography, Probabilistic Proofs and Pseudorandomness. Springer.
- Oded Goldreich. 2001. Foundations of Cryptography – Volume 1: Basic Techniques. Cambridge University Press.
- Vipul Goyal. 2011. Constant round non-malleable protocols using one way functions. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing. 695--704.
- Vipul Goyal, Chen-Kuei Lee, Rafail Ostrovsky, and Ivan Visconti. 2012. Constructing non-malleable commitments: A black-box approach. In Proceedings of the 53rd Annual IEEE Symposium on Foundations of Computer Science. 51--60.
- Vipul Goyal, Omkant Pandey, and Silas Richelson. 2016. Textbook non-malleable commitments. In Proceedings of the 48th Annual ACM Symposium on Theory of Computing. 1128--1141.
- Vipul Goyal, Silas Richelson, Alon Rosen, and Margarita Vald. 2014. An algebraic approach to non-malleability. In Proceedings of the 55th Annual IEEE Symposium on Foundations of Computer Science. 41--50.
- Matthew Green. 2018. Attack of the Week: Group Messaging in WhatsApp and Signal. A Few Thoughts on Cryptographic Engineering. Retrieved on March 17, 2020 from https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging.
- Andy Greenberg. 2018. WhatsApp security flaws could allow snoops to slide into group chats. Wired Magazine. Retrieved on March 17, 2020 from https://www.wired.com/story/whatsapp-security-flaws-encryption-group-chats.
- Marian Harbach, Emanuel Von Zezschwitz, Andreas Fichtner, Alexander De Luca, and Matthew Smith. 2014. It’s a hard lock life: A field study of smartphone (un)locking behavior and risk perception. In Symposium on Usable Privacy and Security (SOUPS). 213--230.
- Cormac Herley. 2009. So long, and no thanks for the externalities: The rational rejection of security advice by users. In Proceedings of the Workshop on New Security Paradigms. 133--144.
- Amir Herzberg and Hemi Leibowitz. 2016. Can Johnny finally encrypt?: Evaluating E2E-encryption in popular IM applications. In Proceedings of the 6th Workshop on Socio-Technical Aspects in Security and Trust. 17--28.
- Joseph Jaeger and Igors Stepanovs. 2018. Optimal channel security against fine-grained state compromise: The safety of messaging. In Advances in Cryptology – CRYPTO’18. 33--62.
- Daniel Jost, Ueli Maurer, and Marta Mularczyk. 2019. Efficient ratcheting: Almost-optimal guarantees for secure messaging. In Advances in Cryptology – EUROCRYPT’19. 159--188.
- Nadim Kobeissi, Karthikeyan Bhargavan, and Bruno Blanchet. 2017. Automated verification for secure messaging protocols and their implementations: A symbolic and computational approach. In Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P). 435--450.
- S. J. Li and Heung-Yeung Shum. 2003. Secure human-computer identification against peeping attacks (SecHCI): A survey.
- Huijia Lin and Rafael Pass. 2009. Non-malleability amplification. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing. 189--198.
- Huijia Lin and Rafael Pass. 2011. Constant-round non-malleable commitments from any one-way function. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing. 705--714.
- Tina Membe. 2017. A look at how private messengers handle key changes. Medium. Retrieved on March 17, 2020 from https://medium.com/@pepelephew/a-look-at-how-private-messengers-handle-key-changes-5fd4334b809a.
- Moni Naor. 1991. Bit commitment using pseudorandomness. Journal of Cryptology 4, 2 (1991), 151--158.
- Moni Naor, Gil Segev, and Adam Smith. 2006. Tight bounds for unconditional authentication protocols in the manual channel and shared key models. In Advances in Cryptology – CRYPTO’06. 214--231.
- Moni Naor, Gil Segev, and Adam D. Smith. 2008. Tight bounds for unconditional authentication protocols in the manual channel and shared key models. IEEE Transactions on Information Theory 54, 6 (2008), 2408--2425.
- Omkant Pandey, Rafael Pass, and Vinod Vaikuntanathan. 2008. Adaptive one-way functions and applications. In Advances in Cryptology – CRYPTO’08. 57--74.
- Sylvain Pasini and Serge Vaudenay. 2006. An optimal non-interactive message authentication protocol. In Topics in Cryptology – CT-RSA’06. 280--294.
- Rafael Pass and Alon Rosen. 2008. New and improved constructions of nonmalleable cryptographic protocols. SIAM Journal on Computing 38, 2 (2008), 702--752.
- Rafael Pass and Hoeteck Wee. 2010. Constant-round non-malleable commitments from sub-exponential one-way functions. In Advances in Cryptology – EUROCRYPT’10. 638--655.
- Andrew S. Patrick, Allan Christian Long, and Scott Flinn. 2003. HCI and security systems. In Proceedings of the CHI Conference on Human Factors in Computing Systems. 1056--1057.
- Trevor Perrin and Moxie Marlinspike. 2016. The Double Ratchet Algorithm. Retrieved on March 17, 2020 from https://signal.org/docs/specifications/doubleratchet/doubleratchet.pdf.
- Bertram Poettering and Paul Rösler. 2018. Towards bidirectional ratcheted key exchange. In Advances in Cryptology – CRYPTO’18. 3--32.
- Ronald L. Rivest and Adi Shamir. 1984. How to expose an eavesdropper. Communications of the ACM 27, 4 (1984), 393--395.
- Paul Rösler, Christian Mainka, and Jörg Schwenk. 2018. More is less: On the end-to-end security of group chats in Signal, WhatsApp, and Threema. In Proceedings of the 3rd IEEE European Symposium on Security and Privacy (EuroS&P).
- Lior Rotem and Gil Segev. 2018. Out-of-band authentication in group messaging: Computational, statistical, optimal. In Advances in Cryptology – CRYPTO’18. 63--89.
- Michael Schliep, Ian Kariniemi, and Nicholas Hopper. 2017. Is Bob sending mixed signals? In Proceedings of the 2017 Workshop on Privacy in the Electronic Society. 31--40.
- Telegram. 2020. End-to-End Encrypted Voice Calls: Key Verification. Retrieved on March 17, 2020 from https://core.telegram.org/api/end-to-end/voice-calls#key-verification.
- Telegram. 2020. End-to-End Encryption. Retrieved on March 17, 2020 from https://core.telegram.org/api/end-to-end.
- Telegram. 2020. FAQ for the Technically Inclined: Hash collisions for Diffie-Hellman Keys. Retrieved on March 17, 2020 from https://core.telegram.org/techfaq#hash-collisions-for-diffie-hellman-keys.
- Serge Vaudenay. 2005. Secure communications over insecure channels based on short authenticated strings. In Advances in Cryptology – CRYPTO’05. 309--326.
- Viber Encryption. 2020. Viber Encryption Overview. Retrieved on March 17, 2020 from https://www.viber.com/app/uploads/Viber-Encryption-Overview.pdf.
- Hoeteck Wee. 2010. Black-box, round-efficient secure computation via non-malleability amplification. In Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science. 531--540.
- WhatsApp Encryption. 2017. WhatsApp Encryption Overview. Retrieved on March 17, 2020 from https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf.
- Wikipedia. 2020. Instant messaging. Retrieved on March 17, 2020 from https://en.wikipedia.org/wiki/Instant_messaging.
The Security of Lazy Users in Out-of-Band Authentication