End-to-end encryption (E2EE) is considered a panacea against the persistent attempts of hackers and law enforcement agencies to get at online correspondence. Its promise is usually boiled down to one sentence: the keys live only on the interlocutors' devices and never reach the server. That is not quite true. Let's take a look at how E2EE actually works, using popular messengers as an example.
Simplified diagram of Double Ratchet algorithm (source: signal.org). Alice and Bob start a session by exchanging public keys
.END-TO-END ENCRYPTION
The E2EE scheme combines public-key and symmetric-key cryptography. It is simple in outline and quite involved in detail: it uses a whole tangle of interlinked keys, some of which do have to go to the server, and moreover are uploaded to it before the correspondence starts, so that a conversation can be opened at any moment, even with a recipient who is offline. Let's take a closer look.

The beginning is familiar from every asymmetric system: each party generates a key pair. This is needed because a symmetric cipher (such as AES) is awkward to use for correspondence on its own: you would have to arrange a secure channel to hand over the key (meet in person, say) and do it again every time the key is changed. So it works as in ordinary PGP: the two interlocutors, Alice and Bob, each generate a key pair, exchange public keys and keep their private keys to themselves. The public keys travel over an open channel (they are public, so let anyone intercept them) and serve two purposes: encrypting a message to the owner and verifying the owner's signature. The private keys, accordingly, decrypt and sign.
.INFO The term “message” is used here in a broad sense. A message can be text, a media file, or service metadata that a messenger exchanges with a server. Some of this data contains timestamps, client application state, and new keys.
.DIFFIE, HELLMAN! GIVE THREE!
According to Telegram's public documentation, the key for a secret chat is agreed with the classic Diffie-Hellman (DH) protocol. DH is the bridge between the asymmetric world (RSA-style public keys) and symmetric encryption (AES): it lets any number of parties set up encrypted correspondence while sending only public values over an open channel. Each pair of parties derives a session key, a shared secret computed from one party's private value and the other's public value; both sides arrive at the same number without ever transmitting it. DH by itself, however, authenticates nobody. The shared key has to be tied to the interlocutors' identities separately: in Telegram by the two users comparing the key visualization out of band, in protocols of the Signal family by mixing long-term identity keys into the computation (see below).
.INFO The DH channel need not be protected against eavesdropping (passive observation): the public values are useless on their own. It must, however, be protected against substitution. If an attacker can rewrite traffic in transit (an active man-in-the-middle), he simply runs one DH with Alice and another with Bob, and the whole scheme goes to hell.
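The failure described in the box, shown in code. This is an added example, not Telegram's code or parameters: the group (a 127-bit Mersenne prime and a small generator) is a toy chosen so the script runs on the Python standard library alone; real deployments use 2048-bit or larger groups or an elliptic curve. The `fingerprint` function is what an out-of-band key comparison would read out.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this example only: a 127-bit prime
# modulus and a small generator. Real deployments use 2048-bit or larger groups
# (or an elliptic curve); nothing here is Telegram's own parameters or code.
P = 2**127 - 1
G = 3


def keygen():
    """Generate a DH private exponent and the matching public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 256-bit session key from the raw DH secret (peer_pub)^priv mod p."""
    secret = pow(peer_pub, priv, P).to_bytes(16, "big")
    return hashlib.sha256(secret).digest()


def fingerprint(key):
    """Short hex fingerprint a user could read out to the other party out of band."""
    return hashlib.sha256(b"fingerprint" + key).hexdigest()[:16]


def honest_exchange():
    """Alice and Bob exchange public values over a channel that is only observed."""
    a, pub_a = keygen()
    b, pub_b = keygen()
    # An eavesdropper sees pub_a and pub_b but has neither private exponent.
    return shared_key(a, pub_b), shared_key(b, pub_a)


def mitm_exchange():
    """Mallory rewrites the public values in transit and runs two separate DHs."""
    a, pub_a = keygen()
    b, pub_b = keygen()
    m_to_bob, pub_m_to_bob = keygen()      # Mallory's value delivered to Bob as "Alice's"
    m_to_alice, pub_m_to_alice = keygen()  # Mallory's value delivered to Alice as "Bob's"

    k_alice = shared_key(a, pub_m_to_alice)          # Alice believes this is shared with Bob
    k_bob = shared_key(b, pub_m_to_bob)              # Bob believes this is shared with Alice
    k_mallory_alice = shared_key(m_to_alice, pub_a)  # Mallory decrypts Alice's traffic...
    k_mallory_bob = shared_key(m_to_bob, pub_b)      # ...re-encrypts it for Bob, and vice versa
    return {
        "alice": k_alice,
        "bob": k_bob,
        "mallory_alice_side": k_mallory_alice,
        "mallory_bob_side": k_mallory_bob,
    }


if __name__ == "__main__":
    ka, kb = honest_exchange()
    print("honest:", ka == kb, fingerprint(ka), fingerprint(kb))
    k = mitm_exchange()
    print("mitm:  ", k["alice"] == k["bob"], fingerprint(k["alice"]), fingerprint(k["bob"]))
```

In the honest run both fingerprints match; in the man-in-the-middle run Alice and Bob each share a key with Mallory, not with each other, and the fingerprints they would read to one another differ. That comparison is the only thing standing between plain DH and a silent interception.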
That is why Open Whisper Systems uses the Extended Triple Diffie-Hellman key agreement, X3DH, for its Signal messenger. X3DH is specified over Curve25519 (Bernstein's elliptic curve for fast DH, used as X25519) or X448, with SHA-256 or SHA-512 as the hash run through HKDF, and XEdDSA signatures for the signed prekey. The HMAC-SHA-256 and AES-256 that protect the actual messages belong to the Double Ratchet layer built on top of the X3DH result.
X3DH establishes a shared secret between two parties who authenticate each other by their public keys, and it does so in a single pass: the key is agreed and the sender can begin messaging right away, even while the other side is offline. A man in the middle is left with having to substitute the long-term identity key itself, which the interlocutors can catch by comparing key fingerprints (in Signal, "safety numbers") out of band. X3DH uses four kinds of keys, three of which change constantly:

- IK (identity key): a long-term key pair created once per installation; it authenticates all the others.
- EK (ephemeral key): a fresh key pair the initiator generates for one handshake and discards afterwards; it gives the session forward secrecy, so the identity keys alone never suffice to recompute the secret.
- SPK (signed prekey): a medium-term key pair whose public half is signed with the identity key and uploaded to the server. In messengers it is usually rotated somewhere between daily and weekly; sometimes the lifetime is counted in messages rather than in time.
- OPK (one-time prekey): a single-use key pair. The recipient generates a batch in advance and uploads the public halves to the server; the initiator consumes one per handshake, and the recipient deletes the private half as soon as the handshake succeeds.

The initiator computes DH between her identity key and the signed prekey, between her ephemeral key and the identity key, between her ephemeral key and the signed prekey, and (if one was available) between her ephemeral key and the one-time prekey, and feeds the concatenation into a KDF. The first two DH outputs provide mutual authentication, the rest forward secrecy.
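The handshake just described, end to end, as an added example written for this article. It is not Signal's or libsignal's code and makes two assumptions worth naming: it uses the `cryptography` library, which has X25519 and HKDF but no XEdDSA, so Bob's signed prekey is signed with a separate Ed25519 identity signing key rather than with the identity key itself as the spec does; and the `APP_INFO` string is an invented application identifier (the spec leaves it to the application). The KDF input format (32 bytes of 0xFF followed by the DH outputs, zero salt) is the spec's.

```python
"""X3DH handshake between Alice (initiator) and Bob (recipient who may be offline)."""
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

APP_INFO = b"ExampleMessenger_X3DH"  # assumption: an application-specific info string


def raw(pub):
    """Serialize an X25519/Ed25519 public key to its 32 raw bytes."""
    return pub.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)


def x3dh_kdf(key_material):
    """X3DH KDF: HKDF-SHA256 over F || DH1 || DH2 || DH3 [|| DH4], F = 32 bytes of 0xFF for X25519."""
    hkdf = HKDF(algorithm=hashes.SHA256(), length=32, salt=b"\x00" * 32, info=APP_INFO)
    return hkdf.derive(b"\xff" * 32 + key_material)


class Recipient:
    """Bob: generates his keys once, publishes a prekey bundle, then may go offline."""

    def __init__(self, one_time_count=5):
        self.ik = X25519PrivateKey.generate()          # long-term identity key (DH half)
        # The spec signs the SPK with the identity key via XEdDSA; `cryptography` has no
        # XEdDSA, so a separate Ed25519 identity signing key stands in for it (simplification).
        self.ik_sign = Ed25519PrivateKey.generate()
        self.spk = X25519PrivateKey.generate()         # signed prekey, rotated periodically
        self.spk_sig = self.ik_sign.sign(raw(self.spk.public_key()))
        self.opks = {i: X25519PrivateKey.generate() for i in range(one_time_count)}

    def bundle(self):
        """What the server hands to an initiator; one one-time prekey is included per request."""
        opk_id, opk = next(iter(self.opks.items())) if self.opks else (None, None)
        return {
            "ik": raw(self.ik.public_key()),
            "ik_sign": raw(self.ik_sign.public_key()),
            "spk": raw(self.spk.public_key()),
            "spk_sig": self.spk_sig,
            "opk_id": opk_id,
            "opk": raw(opk.public_key()) if opk else None,
        }

    def receive(self, msg):
        """Recompute the shared secret from Alice's first message and burn the used OPK."""
        ik_a = X25519PublicKey.from_public_bytes(msg["ik_a"])
        ek_a = X25519PublicKey.from_public_bytes(msg["ek_a"])
        dh1 = self.spk.exchange(ik_a)
        dh2 = self.ik.exchange(ek_a)
        dh3 = self.spk.exchange(ek_a)
        dh4 = b""
        if msg["opk_id"] is not None:
            opk = self.opks.pop(msg["opk_id"])          # one-time: the private half is deleted
            dh4 = opk.exchange(ek_a)
        return x3dh_kdf(dh1 + dh2 + dh3 + dh4)


def initiate(ik_a, bundle):
    """Alice: verify Bob's signed prekey, run the three (or four) DHs, emit the first message."""
    Ed25519PublicKey.from_public_bytes(bundle["ik_sign"]).verify(bundle["spk_sig"], bundle["spk"])
    ik_b = X25519PublicKey.from_public_bytes(bundle["ik"])
    spk_b = X25519PublicKey.from_public_bytes(bundle["spk"])
    ek_a = X25519PrivateKey.generate()                   # ephemeral, dropped when this returns
    dh1 = ik_a.exchange(spk_b)                           # authenticates Alice to Bob
    dh2 = ek_a.exchange(ik_b)                            # authenticates Bob to Alice
    dh3 = ek_a.exchange(spk_b)                           # forward secrecy
    dh4 = b""
    if bundle["opk"] is not None:
        dh4 = ek_a.exchange(X25519PublicKey.from_public_bytes(bundle["opk"]))  # replay protection
    sk = x3dh_kdf(dh1 + dh2 + dh3 + dh4)
    first_message = {"ik_a": raw(ik_a.public_key()), "ek_a": raw(ek_a.public_key()), "opk_id": bundle["opk_id"]}
    return sk, first_message


def run_handshake():
    """Full round trip; returns both secrets and how many OPKs Bob has left."""
    bob = Recipient(one_time_count=2)
    alice_ik = X25519PrivateKey.generate()
    sk_alice, first = initiate(alice_ik, bob.bundle())
    sk_bob = bob.receive(first)
    return sk_alice, sk_bob, len(bob.opks)


def tampered_bundle_rejected():
    """A server that swaps in its own SPK without Bob's signature is caught by Alice."""
    bob = Recipient()
    bundle = bob.bundle()
    bundle["spk"] = raw(X25519PrivateKey.generate().public_key())   # attacker's prekey
    try:
        initiate(X25519PrivateKey.generate(), bundle)
    except InvalidSignature:
        return True
    return False
```

Two things to notice when running it. Bob's secret comes out identical although he never saw Alice's ephemeral private key, and his one-time prekey is gone afterwards, so a replay of Alice's first message cannot be processed again. And the server cannot quietly replace the signed prekey: the signature check in `initiate` fails, which is exactly the property plain DH lacked in the previous example. What neither check covers is a server that replaces Bob's identity key wholesale; only comparing safety numbers catches that.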
.ENIGMA LEGACY
The X3DH secret is only the starting point; the keys for the messages themselves are produced by the Double Ratchet algorithm. It grew out of OTR's ratchet and introduced the concept of a key chain: a sequence of keys in which each is derived from the previous one. Offline recipients are handled by the pool of one-time prekeys: several OPKs are uploaded to the server in advance and consumed as conversations are started, so the server can accept an encrypted first message for a recipient who is not online, and that message is already authenticated by the initiator's identity key. If the pool is exhausted, the handshake is completed with the signed prekey alone, at the cost of the first message becoming replayable. The name "double ratchet" refers to the mechanical ratchet, the toothed wheel that turns one way only, the same idea that stepped the rotors of the Enigma machine. The digital analogue is that the key material only moves forward: a symmetric KDF chain yields a fresh message key for every message and then discards the chain key that produced it, and a second, Diffie-Hellman ratchet mixes a new ephemeral key pair into the chain whenever the direction of the conversation changes. As a result the message keys are guaranteed to differ, previous keys cannot be recovered from the current state, and future keys cannot be predicted in any reasonable attack time.
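Both ratchets in one place, as an added example written for this article rather than Signal's implementation. The symmetric chain follows the spec's convention (HMAC with 0x01 for the message key, 0x02 for the next chain key); the DH ratchet uses a toy finite-field Diffie-Hellman group constructed so the script needs only the standard library, where Signal uses X25519. Header encryption, message counters and the store of skipped message keys for out-of-order delivery are deliberately left out, and the X3DH output is replaced by random bytes.

```python
import hashlib
import hmac
import secrets

# Toy finite-field Diffie-Hellman for the DH ratchet. Signal uses X25519; the
# 127-bit prime group here is constructed so the example runs on the stdlib alone.
P = 2**127 - 1
G = 3


def dh_keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def kdf_rk(root_key, dh_out):
    """Root-chain step: fold fresh DH output into the root key, emit a new chain key."""
    out = hmac.new(root_key, b"root" + dh_out, hashlib.sha512).digest()
    return out[:32], out[32:]


def kdf_ck(chain_key):
    """Symmetric-chain step (as in the Signal spec): 0x01 -> message key, 0x02 -> next chain key."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


class DoubleRatchet:
    """One party's ratchet state; skipped/out-of-order message handling is left out."""

    def __init__(self, shared_secret, dh_pair, peer_pub=None):
        self.rk = shared_secret          # the X3DH output
        self.priv, self.pub = dh_pair    # our current ratchet key pair
        self.peer_pub = peer_pub         # their current ratchet public key (None for Bob at start)
        self.cks = self.ckr = None       # sending / receiving chain keys
        if peer_pub is not None:         # initiator: the sending chain can start at once
            self.rk, self.cks = kdf_rk(self.rk, dh(self.priv, peer_pub))

    def _dh_ratchet(self, new_peer_pub):
        """Peer showed a new ratchet key: advance the root key for receiving, then for sending."""
        self.peer_pub = new_peer_pub
        self.rk, self.ckr = kdf_rk(self.rk, dh(self.priv, new_peer_pub))
        self.priv, self.pub = dh_keygen()                    # the old private key is forgotten
        self.rk, self.cks = kdf_rk(self.rk, dh(self.priv, new_peer_pub))

    def send(self):
        """Return (header, message_key); the header carries our current ratchet public key."""
        self.cks, mk = kdf_ck(self.cks)   # the chain key that produced mk is overwritten here
        return self.pub, mk

    def receive(self, header_pub):
        if header_pub != self.peer_pub:
            self._dh_ratchet(header_pub)
        self.ckr, mk = kdf_ck(self.ckr)
        return mk


def run_session():
    """Alice sends two messages, Bob replies once; returns the message keys each side derived."""
    sk = secrets.token_bytes(32)          # stands in for the X3DH output (constructed)
    bob_pair = dh_keygen()                # Bob's signed prekey doubles as his first ratchet key
    alice = DoubleRatchet(sk, dh_keygen(), peer_pub=bob_pair[1])
    bob = DoubleRatchet(sk, bob_pair)

    h1, a_mk1 = alice.send()
    h2, a_mk2 = alice.send()              # same direction: symmetric ratchet only
    b_mk1 = bob.receive(h1)
    b_mk2 = bob.receive(h2)
    h3, b_mk3 = bob.send()                # new direction: Bob's header carries a fresh DH key
    a_mk3 = alice.receive(h3)
    return {
        "alice": [a_mk1, a_mk2, a_mk3],
        "bob": [b_mk1, b_mk2, b_mk3],
        "bob_ratcheted": h3 != bob_pair[1],
        "alice_state": (alice.rk, alice.cks, alice.ckr),
    }
```

The session shows the two properties the paragraph claims. Every message key differs, and after `send` returns, Alice's state holds neither the message key nor the chain key that produced it, so a device seized after the third message yields nothing for the first two (forward secrecy). Bob's reply carries a new ratchet public key, which forces a root-key step on both sides: an attacker who copied the old root key but not Alice's current private key drops out of the conversation from that point (break-in recovery).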
.INFO Read more about Double Ratchet in “Why encryption in Signal, WhatsApp, Telegram and Viber won’t protect your correspondence from being hacked”.
The TextSecure protocol, built on X3DH and the Double Ratchet, was later renamed the Signal Protocol. In pure or slightly modified form it is used in the messenger of the same name, as well as in WhatsApp, Viber and others. Developers may give their protocols new names, but in essence it is still the same X3DH and Double Ratchet with a varying set of hash functions, PRNGs and other cryptographic primitives.
.THE PROBLEM WITH GROUP CHATS
The organization of group chats in messengers is explored in detail in a recent article, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema" (PDF). Here are its main conclusions.
.Our systematic analysis revealed that communication integrity (represented by the integrity of all messages) and group membership (defined by the ability of group members to control them) have no end-to-end security. Furthermore, we showed that backward secrecy (a key security property) is not preserved when the Signal protocol is used for group chats.
Explanation: the cornerstone of end-to-end encryption is authenticated key agreement with classic or extended DH, and that works between exactly two parties who form a shared secret. A group has no such pairwise secret. Messengers therefore either send each group message separately over the pairwise sessions with every member (client-side fan-out, as in Signal) or distribute a per-sender "sender key" to the members over those sessions (as in WhatsApp), and the group itself, who is a member and who may add one, is managed by control messages that the server relays and, as the paper shows, can manipulate. The properties the two-party protocol guarantees do not automatically carry over to that structure.
Encryption in group chats. A is the sender, B is the receiver, G is the user group
The authors show what manipulations an attacker who controls the server can perform on group chats because group management is not end-to-end protected. They used Signal, WhatsApp and Threema as examples, but we should hardly expect other messengers to have any elegant solution to this problem.
.ONE THOUSAND AND ONE VULNERABILITIES
Signal is one of the few messengers whose protocol has been formally analyzed by outside researchers (PDF). The report is very voluminous, so I will quote the main conclusions in my translation.
.Our analysis shows that [the] Signal protocol satisfies standard cryptographic assumptions and security properties. We found no major flaws in its design, which is very encouraging. When Signal is actually used, uncertainties remain. Therefore, it is impossible to say whether [the application] Signal always achieves its stated goals.
We need to realize that analysis of the messaging protocol is an important part of an audit, but by no means the whole of security. Any messenger runs in a real and very vulnerable environment: usually a not-so-recent version of Android, alongside hundreds of dubious apps (some of which are likely to abuse permissions or even carry backdoors), and the account itself is tied to a mobile phone number.
A huge hole is that confirmation codes arrive by SMS. They can be intercepted through known weaknesses of the SS7 signalling protocol, and an attacker who receives the code registers the victim's number on his own device without knowing any encryption keys and without even trying to break Signal, Proteus, MTProto or whatever protocol guards the messages. From that moment new messages go to the attacker, and the victim's contacts see at most a warning that the key or safety number has changed. Messages already encrypted to the old device cannot be decrypted by the new one, but wherever history is kept on the server (Telegram's ordinary cloud chats, for instance) the attacker gets the whole archive, helpfully restored right down to the stickers. Convenience is what counts, right?
Another gaping hole in the security model is push notifications. Without them you won't learn about a new message until you open the messenger by hand; with them you make the push server a legalized man in the middle for metadata: it knows which device received something, from which service and when, even if the payload itself is encrypted. iMessage goes further: Apple's servers run the directory of per-device public keys that your phone encrypts each message to, so you are trusting Apple not to add a device of its own to that directory, and Apple authenticates the user on its side. Restore your Apple account to another device and, with iCloud backup on, you get everything back the way it was, right down to your mail and Wi-Fi passwords. It is much the same with Google and Microsoft servers. Or do you still believe in end-to-end encryption tied to your mobile number and to the primary account on your smartphone?
Insecure key management and a large attack surface are problems of messengers in general. WhatsApp, Viber and many others allow copies of the correspondence to be made (including cloud backups) and do not encrypt metadata (and sometimes the very fact of a conversation matters more than its content). Signal is somewhat better, but I do not consider it the ideal messenger, for several reasons.
First, Signal also relies on Google's push-notification service, so on a smartphone without Google services (for example, Chinese models for the domestic market, shipped without GApps) it simply does not work.
Second, Signal uses the closed RedPhone server for voice calls.
Third, Signal (like many other messengers) lets you open a parallel session on another device just by scanning a QR code; the scan has to be made from the unlocked primary phone, so this needs physical access, but the linked device then receives everything that arrives afterwards.
Fourth, at HITBSecConf2017 a number of conceptual problems with Signal were presented (PDF), together with a successful attack on it.
.XMPP
As you can see, third-party and especially proprietary messengers are hard to trust, even when Snowden, Assange and the EFF recommend them. So some people set up their own communication on open-source software with plugins. For plain one-to-one messaging the OTR plugin does the job, but it does not support group chats; the sister protocols mpOTR and GOTR add that. Still, for group communication the open protocol XMPP (Extensible Messaging and Presence Protocol), formerly known as Jabber, is better suited. Open means the specification is public and there are fully open-source implementations: you can run your own XMPP server, depend on nobody and pay nobody. There are plenty of ready servers and clients for every taste, such as Pidgin for the desktop and Xabber for Android. Extensibility means that not only text but other kinds of data can be carried, and functions and encryption schemes can be added. Voice, video and files travel over XMPP easily, and they can be protected with TLS (which only covers the hop to your server, and the server-to-server hop if the federated peer supports it, so the servers still see plaintext) or, end to end, with OpenPGP if you wish. Not long ago an XMPP extension called OMEMO (XEP-0384) appeared; it uses the same Double Ratchet from Open Whisper Systems as Signal and WhatsApp, but without the other drawbacks of the latter.
.CONCLUSIONS
Modern messengers claim to support end-to-end encryption, but it often turns out to be oddly implemented. Besides, their code has plenty of other holes, left by accident or on purpose; the latter is far more probable, considering how much money and professional effort went into the development. I try to keep a balance between comfort and the usual enjoyment of paranoia: I use different messengers (whichever is more convenient for my interlocutors) but never hold really private conversations in them. There are plenty of open-source alternatives for that. Besides Xabber, I would recommend Conversations to Android users: a free XMPP client with support for OTR, OMEMO, OpenPGP and SOCKS5 proxies.