The Security of Lazy Users in Out-of-Band Authentication

Published: 17 April 2020

Abstract

Faced with the threats posed by man-in-the-middle attacks, messaging platforms rely on “out-of-band” authentication, assuming that users have access to an external channel for authenticating one short value. For example, assuming that users who recognize each other’s voice can authenticate a short value, Telegram and WhatsApp ask their users to compare 288-bit and 200-bit values, respectively. The existing protocols, however, do not take into account the plausible behavior of users who may be “lazy” and only compare parts of these values (rather than their entirety).

Motivated by such a security-critical user behavior, we study the security of lazy users in out-of-band authentication. We start by showing that both the protocol implemented by WhatsApp and the statistically optimal protocol of Naor, Segev, and Smith (CRYPTO’06) are completely vulnerable to man-in-the-middle attacks when the users consider only half of the out-of-band authenticated value. In this light, we put forward a framework that captures the behavior and security of lazy users. Our notions of security consider both statistical security and computational security, and for each flavor we derive a lower bound on the tradeoff between the number of positions that are considered by the lazy users and the adversary’s forgery probability.

Within our framework, we then provide two authentication protocols. First, in the statistical setting, we present a transformation that converts any out-of-band authentication protocol into one that is secure even when executed by lazy users. Instantiating our transformation with a new refinement of the protocol of Naor et al. results in a protocol whose tradeoff essentially matches our lower bound in the statistical setting. Then, in the computational setting, we show that the computationally optimal protocol of Vaudenay (CRYPTO’05) is secure even when executed by lazy users—and its tradeoff matches our lower bound in the computational setting.

References

  1. Deena Alghamdi, Ivan Flechais, and Marina Jirotka. 2015. Security practices for households bank customers in the Kingdom of Saudi Arabia. In Symposium on Usable Privacy and Security (SOUPS). 297--308.
  2. Joël Alwen, Sandro Coretti, and Yevgeniy Dodis. 2019. The double ratchet: Security notions, proofs, and modularization for the Signal protocol. In Advances in Cryptology – EUROCRYPT’19. 129--158.
  3. Boaz Barak. 2002. Constant-round coin-tossing with a man in the middle or realizing the shared random string model. In Proceedings of the 43rd Annual IEEE Symposium on Foundations of Computer Science. 345--355.
  4. Mihir Bellare and Phillip Rogaway. 1993. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. 62--73.
  5. Mihir Bellare, Asha Camper Singh, Joseph Jaeger, Maya Nyayapati, and Igors Stepanovs. 2017. Ratcheted encryption and key exchange: The security of messaging. In Advances in Cryptology – CRYPTO’17. 619--650.
  6. Steven M. Bellovin and Michael Merritt. 1994. An attack on the Interlock Protocol when used for authentication. IEEE Transactions on Information Theory 40, 1 (1994), 273--275.
  7. Denis Besnard and Budi Arief. 2004. Computer security impaired by legitimate users. Computers & Security 23, 3 (2004), 253--264.
  8. Katriel Cohn-Gordon and Cas Cremers. 2017. Mind the Gap: Where Provable Security and Real-World Messaging Don’t Quite Meet. Cryptology ePrint Archive, Report 2017/982.
  9. Katriel Cohn-Gordon, Cas Cremers, Benjamin Dowling, Luke Garratt, and Douglas Stebila. 2017. A formal security analysis of the Signal messaging protocol. In Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P). 451--466.
  10. Katriel Cohn-Gordon, Cas Cremers, Luke Garratt, Jon Millican, and Kevin Milner. 2018. On ends-to-ends encryption: Asynchronous group messaging with strong security guarantees. In Proceedings of the 25th ACM Conference on Computer and Communications Security. 1802--1819.
  11. Danny Dolev, Cynthia Dwork, and Moni Naor. 2000. Non-malleable cryptography. SIAM Journal on Computing 30, 2 (2000), 391--437.
  12. Janna Lynn Dupree, Richard Devries, Daniel M. Berry, and Edward Lank. 2016. Privacy personas: Clustering users via attitudes and behaviors toward security practices. In Proceedings of the CHI Conference on Human Factors in Computing Systems. ACM, 5228--5239.
  13. F. Betül Durak and Serge Vaudenay. 2018. Bidirectional Asynchronous Ratcheted Key Agreement without Key-Update Primitives. Cryptology ePrint Archive, Report 2018/889.
  14. Carl M. Ellison. 1996. Establishing identity without certification authorities. In Proceedings of the 6th USENIX Security Symposium. 7--7.
  15. Tilman Frosch, Christian Mainka, Christoph Bader, Florian Bergsma, Jörg Schwenk, and Thorsten Holz. 2016. How secure is TextSecure? In Proceedings of the 1st IEEE European Symposium on Security and Privacy (EuroS&P). 457--472.
  16. Oded Goldreich. 1998. Modern Cryptography, Probabilistic Proofs and Pseudorandomness. Springer.
  17. Oded Goldreich. 2001. Foundations of Cryptography – Volume 1: Basic Techniques. Cambridge University Press.
  18. Vipul Goyal. 2011. Constant round non-malleable protocols using one way functions. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing. 695--704.
  19. Vipul Goyal, Chen-Kuei Lee, Rafail Ostrovsky, and Ivan Visconti. 2012. Constructing non-malleable commitments: A black-box approach. In Proceedings of the 53rd Annual IEEE Symposium on Foundations of Computer Science. 51--60.
  20. Vipul Goyal, Omkant Pandey, and Silas Richelson. 2016. Textbook non-malleable commitments. In Proceedings of the 48th Annual ACM Symposium on Theory of Computing. 1128--1141.
  21. Vipul Goyal, Silas Richelson, Alon Rosen, and Margarita Vald. 2014. An algebraic approach to non-malleability. In Proceedings of the 55th Annual IEEE Symposium on Foundations of Computer Science. 41--50.
  22. Matthew Green. 2018. Attack of the Week: Group Messaging in WhatsApp and Signal. A Few Thoughts on Cryptographic Engineering. Retrieved on March 17, 2020 from https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging.
  23. Andy Greenberg. 2018. WhatsApp security flaws could allow snoops to slide into group chats. Wired Magazine. Retrieved on March 17, 2020 from https://www.wired.com/story/whatsapp-security-flaws-encryption-group-chats.
  24. Marian Harbach, Emanuel Von Zezschwitz, Andreas Fichtner, Alexander De Luca, and Matthew Smith. 2014. It’s a hard lock life: A field study of smartphone (un)locking behavior and risk perception. In Symposium on Usable Privacy and Security (SOUPS). 213--230.
  25. Cormac Herley. 2009. So long, and no thanks for the externalities: The rational rejection of security advice by users. In Proceedings of the Workshop on New Security Paradigms. 133--144.
  26. Amir Herzberg and Hemi Leibowitz. 2016. Can Johnny finally encrypt?: Evaluating E2E-encryption in popular IM applications. In Proceedings of the 6th Workshop on Socio-Technical Aspects in Security and Trust. 17--28.
  27. Joseph Jaeger and Igors Stepanovs. 2018. Optimal channel security against fine-grained state compromise: The safety of messaging. In Advances in Cryptology – CRYPTO’18. 33--62.
  28. Daniel Jost, Ueli Maurer, and Marta Mularczyk. 2019. Efficient ratcheting: Almost-optimal guarantees for secure messaging. In Advances in Cryptology – EUROCRYPT’19. 159--188.
  29. Nadim Kobeissi, Karthikeyan Bhargavan, and Bruno Blanchet. 2017. Automated verification for secure messaging protocols and their implementations: A symbolic and computational approach. In Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P). 435--450.
  30. S. J. Li and Heung-Yeung Shum. 2003. Secure human-computer identification against peeping attacks (SecHCI): A survey.
  31. Huijia Lin and Rafael Pass. 2009. Non-malleability amplification. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing. 189--198.
  32. Huijia Lin and Rafael Pass. 2011. Constant-round non-malleable commitments from any one-way function. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing. 705--714.
  33. Tina Membe. 2017. A look at how private messengers handle key changes. Medium. Retrieved on March 17, 2020 from https://medium.com/@pepelephew/a-look-at-how-private-messengers-handle-key-changes-5fd4334b809a.
  34. Moni Naor. 1991. Bit commitment using pseudorandomness. Journal of Cryptology 4, 2 (1991), 151--158.
  35. Moni Naor, Gil Segev, and Adam Smith. 2006. Tight bounds for unconditional authentication protocols in the manual channel and shared key models. In Advances in Cryptology – CRYPTO’06. 214--231.
  36. Moni Naor, Gil Segev, and Adam D. Smith. 2008. Tight bounds for unconditional authentication protocols in the manual channel and shared key models. IEEE Transactions on Information Theory 54, 6 (2008), 2408--2425.
  37. Omkant Pandey, Rafael Pass, and Vinod Vaikuntanathan. 2008. Adaptive one-way functions and applications. In Advances in Cryptology – CRYPTO’08. 57--74.
  38. Sylvain Pasini and Serge Vaudenay. 2006. An optimal non-interactive message authentication protocol. In Topics in Cryptology – CT-RSA’06. 280--294.
  39. Rafael Pass and Alon Rosen. 2008. New and improved constructions of nonmalleable cryptographic protocols. SIAM Journal on Computing 38, 2 (2008), 702--752.
  40. Rafael Pass and Hoeteck Wee. 2010. Constant-round non-malleable commitments from sub-exponential one-way functions. In Advances in Cryptology – EUROCRYPT’10. 638--655.
  41. Andrew S. Patrick, Allan Christian Long, and Scott Flinn. 2003. HCI and security systems. In Proceedings of the CHI Conference on Human Factors in Computing Systems. 1056--1057.
  42. Trevor Perrin and Moxie Marlinspike. 2016. The Double Ratchet Algorithm. Retrieved on March 17, 2020 from https://signal.org/docs/specifications/doubleratchet/doubleratchet.pdf.
  43. Bertram Poettering and Paul Rösler. 2018. Towards bidirectional ratcheted key exchange. In Advances in Cryptology – CRYPTO’18. 3--32.
  44. Ronald L. Rivest and Adi Shamir. 1984. How to expose an eavesdropper. Communications of the ACM 27, 4 (1984), 393--395.
  45. Paul Rösler, Christian Mainka, and Jörg Schwenk. 2018. More is less: On the end-to-end security of group chats in Signal, WhatsApp, and Threema. In Proceedings of the 3rd IEEE European Symposium on Security and Privacy (EuroS&P).
  46. Lior Rotem and Gil Segev. 2018. Out-of-band authentication in group messaging: Computational, statistical, optimal. In Advances in Cryptology – CRYPTO’18. 63--89.
  47. Michael Schliep, Ian Kariniemi, and Nicholas Hopper. 2017. Is Bob sending mixed signals? In Proceedings of the 2017 Workshop on Privacy in the Electronic Society. 31--40.
  48. Telegram. 2020. End-to-End Encrypted Voice Calls—Key Verification. Retrieved on March 17, 2020 from https://core.telegram.org/api/end-to-end/voice-calls#key-verification.
  49. Telegram. 2020. End-to-End Encryption. Retrieved on March 17, 2020 from https://core.telegram.org/api/end-to-end.
  50. Telegram. 2020. FAQ for the Technically Inclined—Hash collisions for Diffie-Hellman Keys. Retrieved on March 17, 2020 from https://core.telegram.org/techfaq#hash-collisions-for-diffie-hellman-keys.
  51. Serge Vaudenay. 2005. Secure communications over insecure channels based on short authenticated strings. In Advances in Cryptology – CRYPTO’05. 309--326.
  52. Viber Encryption. 2020. Viber Encryption Overview. Retrieved on March 17, 2020 from https://www.viber.com/app/uploads/Viber-Encryption-Overview.pdf.
  53. Hoeteck Wee. 2010. Black-box, round-efficient secure computation via non-malleability amplification. In Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science. 531--540.
  54. WhatsApp Encryption. 2017. WhatsApp Encryption Overview. Retrieved on March 17, 2020 from https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf.
  55. Wikipedia. 2020. Instant messaging. Retrieved on March 17, 2020 from https://en.wikipedia.org/wiki/Instant_messaging.

Published in

ACM Transactions on Privacy and Security, Volume 23, Issue 2, May 2020, 149 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3394723
Copyright © 2020 ACM
Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

  • Published: 17 April 2020
  • Accepted: 1 December 2019
  • Revised: 1 August 2019
  • Received: 1 February 2019