Cryptology ePrint Archive: Report 2020/541

There Can Be No Compromise: The Necessity of Ratcheted Authentication in Secure Messaging

Benjamin Dowling and Britta Hale

Abstract: Modern messaging applications often rely on out-of-band communication to achieve entity authentication, with human users actively verifying and attesting to long-term public keys. This "user-mediated" authentication is done primarily to reduce reliance on trusted third parties by replacing that role with the user. Despite a great deal of research focusing on analyzing the confidentiality aspect of secure messaging, the authenticity aspect of it has been largely assumed away. Consequently, while many existing protocols provide some confidentiality guarantees after a compromise, such as post-compromise security (PCS), authenticity guarantees are generally lost. This leads directly to potential man-in-the-middle (MitM) attacks within the intended threat model. In this work, we address this gap by proposing a model to formally capture user-mediated entity authentication in ratcheted secure messaging protocols that can be composed with any ratcheted key exchange. Our threat model captures post-compromise entity authentication security. We demonstrate that the Signal application's user-mediated authentication protocol cannot be proven secure in this model and suggest a straightforward fix for Signal that allows the detection of an active adversary. Our results have direct implications for other existing and future ratcheted secure messaging applications.

Category / Keywords: cryptographic protocols / Secure Messaging, Ratcheted Authentication, Signal, Double Ratchet, User-Mediated Authentication, Ceremonies

Date: received 8 May 2020

Contact author: britta hale at nps edu, benjamin dowling@inf ethz ch


Version: 20200510:210120

Short URL: ia.cr/2020/541
