Paper 2022/1215

Continuous Authentication in Secure Messaging

Benjamin Dowling, University of Sheffield
Felix Günther, ETH Zurich
Alexandre Poirrier, Computer Science Laboratory of the École Polytechnique, Direction Générale de l'Armement

Secure messaging schemes such as the Signal protocol rely on out-of-band channels to verify the authenticity of long-running communication. Such out-of-band checks however are only rarely actually performed by users in practice. In this paper, we propose a new method for performing continuous authentication during a secure messaging session, without the need for an out-of-band channel. Leveraging the users' long-term secrets, our Authentication Steps extension guarantees authenticity as long as long-term secrets are not compromised, strengthening Signal's post-compromise security. Our mechanism further allows to detect a potential compromise of long-term secrets after the fact via an out-of-band channel. Our protocol comes with a novel, formal security definition capturing continuous authentication, a general construction for Signal-like protocols, and a security proof for the proposed instantiation. We further provide a prototype implementation which seamlessly integrates on top of the official Signal Java library, together with bandwidth and storage overhead benchmarks.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. ESORICS 2022
Secure messaging Authentication Compromise detection Post-compromise security
Contact author(s)
b dowling @ sheffield ac uk
mail @ felixguenther info
alexandre poirrier @ polytechnique org
2022-09-14: approved
2022-09-13: received
See all versions
Short URL
Creative Commons Attribution


      author = {Benjamin Dowling and Felix Günther and Alexandre Poirrier},
      title = {Continuous Authentication in Secure Messaging},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1215},
      year = {2022},
      doi = {10.1007/978-3-031-17146-8_18},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.