
Lund University Publications


SAID: Reshaping Signal into an Identity-Based Asynchronous Messaging Protocol with Authenticated Ratcheting

Blazy, Olivier; Bossuat, Angele; Bultel, Xavier; Fouque, Pierre-Alain; Onete, Cristina and Pagnin, Elena (2019) IEEE European Symposium on Security and Privacy (EuroS&P)
Abstract
As messaging applications are becoming increasingly popular, it is of utmost importance to analyze their security and mitigate existing weaknesses. This paper focuses on one of the most acclaimed messaging applications: Signal. Signal is a protocol that provides end-to-end channel security, forward secrecy, and post-compromise security. These features are achieved thanks to a key-ratcheting mechanism that updates the key material at every message. Due to its high security impact, Signal's key-ratcheting has recently been formalized, along with an analysis of its security. In this paper, we revisit Signal, describing some attacks against the original design and proposing SAID: Signal Authenticated and IDentity-based. As the name indicates, our protocol relies on an identity-based setup, which allows us to dispense with Signal's centralized server. We use the identity-based long-term secrets to obtain persistent and explicit authentication, such that SAID achieves higher security guarantees than Signal. We prove the security of SAID not only in the Authenticated Key Exchange (AKE) model (as done by previous work), but also in the Authenticated and Confidential Channel Establishment (ACCE) model, which we adapted and redefined for SAID and asynchronous messaging protocols in general into a model we call identity-based Multistage Asynchronous Messaging (iMAM). We believe our model to be more faithful in particular to the true security of Signal, whose use of the message keys prevents them from achieving the composable guarantee claimed by previous analysis.
type: Chapter in Book/Report/Conference proceeding
publication status: published
host publication: IEEE European Symposium on Security and Privacy (EuroS&P)
conference name: IEEE European Symposium on Security and Privacy (EuroS&P)
conference location: Stockholm, Sweden
conference dates: 2019-06-17 - 2019-06-19
external identifiers: scopus:85072019432
ISBN: 978-1-7281-1148-3, 978-1-7281-1149-0
DOI: 10.1109/EuroSP.2019.00030
language: English
LU publication?: no
id: 83e6a766-d219-4a0c-bc37-333781482ae6
date added to LUP: 2021-01-26 15:53:14
date last changed: 2024-05-16 03:58:33
@inproceedings{83e6a766-d219-4a0c-bc37-333781482ae6,
  abstract     = {{As messaging applications are becoming increasingly popular, it is of utmost importance to analyze their security and mitigate existing weaknesses. This paper focuses on one of the most acclaimed messaging applications: Signal. Signal is a protocol that provides end-to-end channel security, forward secrecy, and post-compromise security. These features are achieved thanks to a key-ratcheting mechanism that updates the key material at every message. Due to its high security impact, Signal's key-ratcheting has recently been formalized, along with an analysis of its security. In this paper, we revisit Signal, describing some attacks against the original design and proposing SAID: Signal Authenticated and IDentity-based. As the name indicates, our protocol relies on an identity-based setup, which allows us to dispense with Signal's centralized server. We use the identity-based long-term secrets to obtain persistent and explicit authentication, such that SAID achieves higher security guarantees than Signal. We prove the security of SAID not only in the Authenticated Key Exchange (AKE) model (as done by previous work), but also in the Authenticated and Confidential Channel Establishment (ACCE) model, which we adapted and redefined for SAID and asynchronous messaging protocols in general into a model we call identity-based Multistage Asynchronous Messaging (iMAM). We believe our model to be more faithful in particular to the true security of Signal, whose use of the message keys prevents them from achieving the composable guarantee claimed by previous analysis.}},
  author       = {{Blazy, Olivier and Bossuat, Angele and Bultel, Xavier and Fouque, Pierre-Alain and Onete, Cristina and Pagnin, Elena}},
  booktitle    = {{IEEE European Symposium on Security and Privacy (EuroS\&P)}},
  isbn         = {{978-1-7281-1148-3}},
  language     = {{eng}},
  title        = {{SAID: Reshaping Signal into an Identity-Based Asynchronous Messaging Protocol with Authenticated Ratcheting}},
  url          = {{http://dx.doi.org/10.1109/EuroSP.2019.00030}},
  doi          = {{10.1109/EuroSP.2019.00030}},
  year         = {{2019}},
}