More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema

Paul Rösler, Christian Mainka, Jörg Schwenk

IEEE European Symposium on Security and Privacy, EuroS&P 2018


Abstract

Secure instant messaging is utilized in two variants: one-to-one communication and group communication. While the first variant has received much attention lately (Frosch et al., EuroS&P16; Cohn-Gordon et al., EuroS&P17; Kobeissi et al., EuroS&P17), little is known about the cryptographic mechanisms and security guarantees of secure group communication in instant messaging.

To approach an investigation of group instant messaging protocols, we first provide a comprehensive and realistic security model. This model combines security and reliability goals from various related literature to capture relevant properties for communication in dynamic groups. Thereby the definitions consider their satisfiability with respect to the instant delivery of messages. To show its applicability, we analyze three widely used real-world protocols: Signal, WhatsApp, and Threema. Since these protocols and their implementations are mostly undocumented for the public and two out of three applications among them are closed source, we describe the group protocols employed in Signal, WhatsApp, and Threema. By applying our model, we reveal several shortcomings with respect to the security definition. Therefore we propose generic countermeasures to enhance the protocols regarding the required security and reliability goals. Our systematic analysis reveals that (1) the communications' integrity – represented by the integrity of all exchanged messages – and (2) the groups' closeness – represented by the members' ability of managing the group – are not end-to-end protected.

We additionally show that strong security properties, such as Future Secrecy which is a core part of the one-to-one communication in the Signal protocol, do not hold for its group communication.

[paper] [slides (RWC 2018)] [video (RWC 2018)]

Tags: broadcast, End-to-End Encryption, Future Secrecy, group communication, signal, Threema, Whatsapp