Research Program: Secure Messaging Protocols

Overview of the Field: A secure messaging protocol (SMP) is the collection of procedures that use cryptographic schemes to send and receive messages (and other data such as files, VOIP streams, and more). A bit more precisely, such a protocol describes how:

  • cryptographic keys are created, distributed, authenticated, used and deleted,
  • messages are prepared (encrypted, authenticated, etc.) for transport, and
  • received packets are processed (decrypted, verified, etc.).

Any messaging platform can only ever be as secure as the underlying protocol it is built on. This makes messaging protocols a fundamental and critical tool, not just for Wickr but for any secure messaging platform.

The market for messaging encompasses well over a billion end-users as well as countless organizations across the world and most sectors of private, military and government life. However, these protocols can be quite complicated beasts, making them far from trivial to get “right”, and even more so when more advanced functionalities are needed such as Group Messaging, Managed Secure Messaging, Federation, Verifiable Abuse Reporting, Transcript Consistency, P2P Transport, Real-time Conference Calling, etc. The difficulty only grows when more advanced security properties are needed such as Post Compromise Security, Deniability and Resilience to Insider Attacks. In fact, even just precisely defining such notions is proving to be far from a done deal.

This motivates steering clear of ad-hoc solutions whenever possible and instead applying a more rigorous cryptographic methodology to the design and analysis of new messaging protocols (and accompanying security notions). To this end, Wickr is increasingly engaged, both with industry and academia, in pushing forward this field of applied cryptography.

This page is devoted to Wickr’s research in the area. As such it is focused on the state of, and the specific context within which, Wickr’s research is taking place. However, for a (less detailed but) more holistic view of cryptography and secure messaging protocols we encourage the interested reader to look at this series of blog posts. The first covers some important historical milestones, while the second takes a more high-level look at the secure messaging crypto field, covering several other active research threads beyond the pure messaging protocols covered below.

2-Party Messaging Protocols Context: A natural place to start when applying cryptographic techniques to building better secure messaging platforms is to focus on the core messaging protocols. In that spirit, several recent research projects in the field can be traced back to the introduction and deployment of the Double Ratchet (key agreement) protocol and the various secure messaging protocols that are built on top of it. Thanks to its novel design and strong security claims, it triggered a new line of cryptographic research into provable security for 2-party messaging protocols. Initially, in [GCDGS17], the focus was on proving some type of formal security for that protocol.

With this result public, cryptographers quickly expanded their focus beyond the original Double Ratchet protocol. At CRYPTO 2017, [BCJNS17] focused on a unidirectional variant of the protocol. Meanwhile, at CRYPTO 2018, in [PR18, JS18], a new focus was introduced when two teams of cryptographers posed themselves the question “How strong of a security notion can a 2-party secure messaging protocol provide?” While the details differed, a common theme in the results was that, at least in theory, we can construct significantly more powerful protocols than any used in practice today. While the specifics of these notions are quite complicated (and well outside the scope of this page), we observe that the flavor of the improvement over current protocols was in the precise type of Post Compromise Security (PCS) the new protocols provided. In other words, these new protocols were even faster to “heal” from a state/key compromise by the adversary, making them yet more resilient.

Unfortunately, this added security comes at a rather steep price (at least from a practical perspective). Namely, all of the new protocols in those works make use of some quite heavy cryptographic machinery, which makes their widespread use in practice implausible, at least for the foreseeable future. This observation set the stage for the next pair of results in [DV18] and [JMM18], which modified the previous motivating question by asking “How strong of a security notion can a 2-party secure messaging protocol provide if it is built exclusively from practical and efficient ‘standard’ cryptographic primitives?” In both works new protocols (and accompanying security notions and security proofs) are introduced which ultimately demonstrate that the answer remains: “stronger security than anything used in practice today”! Roughly speaking, the security improvements over the original Signal protocol can be described as follows:

  1. As before, a main strengthening is in the type of PCS provided by the protocol.
  2. Moreover, the protocols also prevent certain forgery attacks. For example, if Alice and Bob are in a 2-party session with each other and Alice’s state is leaked to the adversary, then this should not allow the adversary to forge messages to Alice as if they came from Bob. For lack of a better term we call this “Asymmetric Authenticity” and remark that, to the best of our knowledge, no Double Ratchet based protocol currently in use in practice has asymmetric authenticity (though Wickr’s messaging protocol does).
  3. Finally, the new protocols ensure, as an explicit security goal (called “RECOVER-security” by [DV18]), that once a forgery is accepted by Alice in a session with Bob, no further communication between the two in that session will succeed.
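To make the “Asymmetric Authenticity” notion in item 2 concrete, here is a small added Python model (constructed for this page; it is not Wickr’s code and not the code of any of the cited protocols). It compares two ways of authenticating Bob’s messages to Alice: a shared HMAC key, where Alice’s state contains everything needed to tag a message, and a design where Alice’s state holds only Bob’s public verification key. The signature scheme is a hash-based Lamport one-time signature so the example needs nothing beyond the standard library; the state layout, the message strings and the use of Lamport signatures are assumptions made for the demonstration only.

```python
"""Toy model of 'asymmetric authenticity': does leaking the receiver's
(Alice's) state let an adversary forge messages that Alice accepts as Bob's?

Constructed example, not Wickr's or any deployed protocol's code.  Two
designs for authenticating Bob -> Alice traffic are compared:
  * symmetric: one shared HMAC key is stored in both parties' states
  * asymmetric: Bob holds a signing key; Alice's state stores only the
    matching public key (a hash-based Lamport one-time signature here,
    chosen so that the example needs only the standard library)
"""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import List, Tuple

# ---- symmetric authentication: shared MAC key --------------------------------

def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)

# ---- asymmetric authentication: Lamport one-time signature -------------------

def lamport_keygen() -> Tuple[List[Tuple[bytes, bytes]], List[Tuple[bytes, bytes]]]:
    """Secret key: 256 pairs of random 32-byte preimages (one pair per hash bit).
    Public key: the SHA-256 image of every preimage."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _msg_bits(msg: bytes) -> List[int]:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(h >> i) & 1 for i in range(256)]

def lamport_sign(sk: List[Tuple[bytes, bytes]], msg: bytes) -> List[bytes]:
    """Reveal, for each bit of SHA-256(msg), the preimage matching that bit.
    One-time scheme: a key pair must never sign two different messages."""
    return [sk[i][b] for i, b in enumerate(_msg_bits(msg))]

def lamport_verify(pk: List[Tuple[bytes, bytes]], msg: bytes, sig: List[bytes]) -> bool:
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pk[i][b]
               for i, (b, s) in enumerate(zip(_msg_bits(msg), sig)))

# ---- the experiment: what does Alice's leaked state let an adversary do? -----

FORGED = b"please transfer the funds (constructed message, presented as Bob's)"

def symmetric_state_leak_allows_forgery() -> bool:
    """Alice's state *is* the shared key, so whoever obtains it can tag any
    message and Alice's own verification accepts it as Bob's."""
    shared_key = os.urandom(32)
    alice_state = {"bob_mac_key": shared_key}
    leaked = dict(alice_state)                   # adversary obtains Alice's state
    forged_tag = mac_tag(leaked["bob_mac_key"], FORGED)
    return mac_verify(alice_state["bob_mac_key"], FORGED, forged_tag)

def asymmetric_state_leak_allows_forgery() -> bool:
    """Alice's state holds Bob's public key and the traffic she has received;
    no signing material is in it.  The most the leaked state offers is Bob's
    one observed signature, which does not verify on a different message."""
    bob_sk, bob_pk = lamport_keygen()
    genuine = b"hello Alice"
    alice_state = {"bob_pk": bob_pk,
                   "received": [(genuine, lamport_sign(bob_sk, genuine))]}
    leaked = dict(alice_state)                   # adversary obtains Alice's state
    _, observed_sig = leaked["received"][0]
    return lamport_verify(alice_state["bob_pk"], FORGED, observed_sig)
```

The first function returns True and the second False: with a shared MAC key, compromising the receiver is as good as compromising the sender, which is exactly the gap that “asymmetric authenticity” closes. Real protocols achieving it use a signature or an asymmetric ratchet rather than one-time Lamport keys; the point of the model is only where the verification material lives.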

While RECOVER-security is undoubtedly a novel and interesting security property, at least in a theoretical sense, we at Wickr believe that it remains somewhat in the eye of the beholder as to whether it is truly desirable in practice. In particular, the adversary may continue to impersonate Bob to Alice while Bob has no (in-band) means to notify Alice that this is happening. Thus, the value of the property may well depend on the particular use case of the SMP.

In any case, a (seemingly unavoidable) consequence of RECOVER-security (and the [JMM18] analogue) is that any protocol satisfying it is unable to handle messages received out of order. In particular, when a message is dropped, any and all future communication remains undecryptable until the dropped message is resent and delivered. In other words, RECOVER-security contradicts “Message Loss Resilience”.
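The tension between RECOVER-style behaviour and message loss resilience comes down to one mechanism: whether each message’s authentication is bound to the whole transcript so far. The following added Python model (constructed for this page; not Wickr’s code and not the code of [DV18] or [JMM18]) shows it directly. Both receivers derive one message key per message from a symmetric KDF chain in the Double Ratchet style; the chained receiver additionally binds every tag to a running transcript hash and only ever advances in order, while the skipping receiver stores keys for skipped indices. The root key, packet format and the SHA-256 keystream used as a stand-in cipher are demo assumptions.

```python
"""Toy symmetric ratchets showing why transcript chaining (the mechanism
behind RECOVER-style behaviour) rules out message-loss resilience.

Constructed example, not Wickr's or any deployed protocol's code.  The root
key, packet format and SHA-256 keystream 'cipher' are demo assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
from typing import Dict, List, Optional, Sequence, Tuple

EMPTY_TRANSCRIPT = hashlib.sha256(b"").digest()


def _kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_keystream(key: bytes, data: bytes) -> bytes:
    """Demo-only stream cipher: XOR with HMAC-derived 32-byte blocks."""
    stream = b"".join(_kdf(key, b"ks" + i.to_bytes(4, "big"))
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def _advance(chain: bytes) -> Tuple[bytes, bytes]:
    """One symmetric chain step: (message key for this index, next chain key)."""
    return _kdf(chain, b"msg"), _kdf(chain, b"chain")


class Sender:
    def __init__(self, root: bytes, chained: bool):
        self.chain, self.n, self.chained = root, 0, chained
        self.transcript = EMPTY_TRANSCRIPT

    def send(self, plaintext: bytes) -> Tuple[int, bytes, bytes]:
        n, hdr = self.n, self.n.to_bytes(4, "big")
        mk, self.chain = _advance(self.chain)
        ct = _xor_keystream(mk, plaintext)
        # chained: the tag covers everything sent so far; otherwise only this packet
        assoc = (self.transcript if self.chained else b"") + hdr + ct
        tag = _kdf(mk, b"tag" + assoc)
        self.transcript = hashlib.sha256(self.transcript + hdr + ct).digest()
        self.n += 1
        return n, ct, tag


class ChainedReceiver:
    """Accepts only the next index, and only if the tag matches its own view of
    the transcript.  Any divergence (a packet it never saw, or a forgery it
    accepted) makes every later genuine packet fail: RECOVER-style behaviour."""
    def __init__(self, root: bytes):
        self.chain, self.n, self.transcript = root, 0, EMPTY_TRANSCRIPT

    def receive(self, n: int, ct: bytes, tag: bytes) -> Optional[bytes]:
        mk, next_chain = _advance(self.chain)
        hdr = self.n.to_bytes(4, "big")
        expected = _kdf(mk, b"tag" + self.transcript + hdr + ct)
        if n != self.n or not hmac.compare_digest(tag, expected):
            return None                          # state untouched; receiver stays stuck
        self.chain, self.n = next_chain, self.n + 1
        self.transcript = hashlib.sha256(self.transcript + hdr + ct).digest()
        return _xor_keystream(mk, ct)


class SkippingReceiver:
    """Double-Ratchet-style: derives and stores keys for skipped indices so a
    late or lost packet does not block the rest of the conversation."""
    MAX_SKIP = 64                                # bound the stored-key cache

    def __init__(self, root: bytes):
        self.chain, self.n = root, 0
        self.skipped: Dict[int, bytes] = {}

    def _open(self, mk: bytes, n: int, ct: bytes, tag: bytes) -> Optional[bytes]:
        if not hmac.compare_digest(tag, _kdf(mk, b"tag" + n.to_bytes(4, "big") + ct)):
            return None
        return _xor_keystream(mk, ct)

    def receive(self, n: int, ct: bytes, tag: bytes) -> Optional[bytes]:
        if n in self.skipped:                    # late arrival of a skipped index
            pt = self._open(self.skipped[n], n, ct, tag)
            if pt is not None:
                del self.skipped[n]
            return pt
        if n < self.n or n - self.n > self.MAX_SKIP:
            return None
        chain, new_skipped = self.chain, {}
        for i in range(self.n, n):               # derive keys for the gap
            new_skipped[i], chain = _advance(chain)
        mk, chain = _advance(chain)
        pt = self._open(mk, n, ct, tag)
        if pt is None:
            return None                          # commit nothing on failure
        self.skipped.update(new_skipped)
        self.chain, self.n = chain, n + 1
        return pt


def run(order: Sequence[int] = (0, 2, 3, 1)) -> Tuple[List[Optional[bytes]], List[Optional[bytes]]]:
    """Send four messages, deliver them in `order`, and return what the chained
    and the skipping receiver decrypted.  By default message 1 arrives late."""
    root = bytes(range(32))                      # constructed root key
    msgs = [b"m0", b"m1", b"m2", b"m3"]
    results = []
    for chained, receiver in ((True, ChainedReceiver(root)), (False, SkippingReceiver(root))):
        sender = Sender(root, chained=chained)
        packets = [sender.send(m) for m in msgs]
        results.append([receiver.receive(*packets[i]) for i in order])
    return results[0], results[1]
```

With the default delivery order the chained receiver decrypts only messages 0 and (once it finally arrives) 1; messages 2 and 3 were rejected when they arrived early and would have to be resent, which is the behaviour described above. The skipping receiver decrypts all four. The price of the second design is the cache of skipped keys, which is why real implementations bound it (MAX_SKIP here) and why a transcript-bound design cannot offer the same resilience.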

Bibliography

[BCJNS17] Mihir Bellare, Asha Camper Singh, Joseph Jaeger, Maya Nyayapati, Igors Stepanovs: Ratcheted Encryption and Key Exchange: The Security of Messaging. CRYPTO 2017: 619-650

[DV18] F. Betül Durak, Serge Vaudenay: Bidirectional Asynchronous Ratcheted Key Agreement without Key-Update Primitives. IACR Cryptology ePrint Archive, Report 2018/889 (2018)

[GCDGS17] Katriel Cohn-Gordon, Cas J. F. Cremers, Benjamin Dowling, Luke Garratt, Douglas Stebila: A Formal Security Analysis of the Signal Messaging Protocol. EuroS&P 2017: 451-466

[GCG16] Katriel Cohn-Gordon, Cas J. F. Cremers, Luke Garratt: On Post-compromise Security. CSF 2016: 164-178

[GLR17] Paul Grubbs, Jiahui Lu, Thomas Ristenpart: Message Franking via Committing Authenticated Encryption. CRYPTO 2017: 66-97

[JMM18] Daniel Jost, Ueli Maurer, Marta Mularczyk: Efficient Ratcheting: Almost-Optimal Guarantees for Secure Messaging. EUROCRYPT 2019: 159-188

[JS18] Joseph Jaeger, Igors Stepanovs: Optimal Channel Security Against Fine-Grained State Compromise: The Safety of Messaging. CRYPTO 2018: 33-62

[PR18] Bertram Poettering, Paul Rösler: Towards Bidirectional Ratcheted Key Exchange. CRYPTO 2018: 3-32

[UG18] Nik Unger, Ian Goldberg: Improved Strongly Deniable Authenticated Key Exchanges for Secure Messaging. PoPETs 2018: 21-66