Computer scientists address gap in messaging privacy

September 27, 2017

Researchers have developed a solution to a longstanding problem in the field of end-to-end encryption, a technique that ensures that only sender and recipient can read a message.

With current end-to-end encryption, if an attacker compromises a recipient's device, they can then put themselves in a position to intercept, read and alter all future communications without sender or recipient ever knowing.

The new protocol, published in IEEE Transactions on Information Forensics and Security, forces attackers to leave evidence of any such activity and alerts users to take action.

Dr. Jiangshan Yu at the University of Luxembourg, Professor Mark Ryan at the University of Birmingham and Professor Cas Cremers at the University of Oxford were motivated by the discovery of mass software vulnerabilities, such as the Heartbleed bug, that make the majority of devices vulnerable to compromise.

Dr. Yu explained, "There are excellent end-to-end encryption services out there, but by definition they rely on your device itself remaining secure; once a device has been compromised there's little we can do. That's the problem we wanted to solve."

Following Edward Snowden's revelations about government mass surveillance, end-to-end encryption is now widely available through services such as Facebook's WhatsApp. The approach uses pairs of cryptographic 'keys' for the sender to encrypt and the recipient to decrypt messages; anyone wanting to read your messages has to first hack into your phone to steal your latest keys. The attacker then performs a 'man-in-the-middle' (MITM) attack, for example by taking control of your Wi-Fi router to intercept your messages, and uses the stolen keys to impersonate you.

Current encryption protocols such as Signal, used by WhatsApp, make the most of the fact that a MITM attacker can only intercept messages sent via the compromised network. For example, as soon as you send a message via 3G rather than the compromised Wi-Fi, the attacker will no longer be able to act as an intermediary. They will lose track of the keys and be locked out of the conversation.

The solution, called DECIM (Detecting Endpoint Compromise in Messaging), addresses the question of what to do when the attacker is in a position to intercept all of your messages on a long-term basis. Both your Internet Service Provider and messaging service operator are in such positions - all your messages pass through their servers - so that if they obtained your keys, they would never be locked out of a conversation, and you would never know.

With DECIM, the recipient's device automatically certifies new key pairs, storing the certificates in a tamper-resistant public ledger.
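The detection idea can be sketched in a few lines. This is an added illustration, not the DECIM protocol or the researchers' code: certificates are reduced to unsigned key fingerprints, the ledger is a simple hash chain, and the names `Ledger`, `Device` and `audit` are hypothetical. It assumes senders only accept keys that appear in the ledger, so a forged key has to be published where the real device can see it.

```python
import hashlib
import json

GENESIS = "0" * 64

def entry_hash(prev, owner, key_fp):
    return hashlib.sha256(json.dumps([prev, owner, key_fp]).encode()).hexdigest()

class Ledger:
    """Toy append-only log: each entry commits to the hash of the previous one."""
    def __init__(self):
        self.entries = []

    def append(self, owner, key_fp):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "owner": owner, "key_fp": key_fp,
                             "hash": entry_hash(prev, owner, key_fp)})

    def verify_chain(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != entry_hash(prev, e["owner"], e["key_fp"]):
                return False  # an entry was altered or removed after the fact
            prev = e["hash"]
        return True

class Device:
    """Remembers every key it certified and audits the ledger against that record."""
    def __init__(self, owner, ledger):
        self.owner, self.ledger, self.issued = owner, ledger, set()

    def rotate_key(self, key_material):
        fp = hashlib.sha256(key_material).hexdigest()
        self.issued.add(fp)
        self.ledger.append(self.owner, fp)
        return fp

    def audit(self):
        if not self.ledger.verify_chain():
            raise ValueError("ledger history has been rewritten")
        # Certificates under our name that this device never created are the alert.
        return [e["key_fp"] for e in self.ledger.entries
                if e["owner"] == self.owner and e["key_fp"] not in self.issued]

def demo():
    ledger = Ledger()
    alice = Device("alice", ledger)
    alice.rotate_key(b"constructed-key-1")  # constructed sample key material
    rogue_fp = hashlib.sha256(b"constructed-rogue-key").hexdigest()
    ledger.append("alice", rogue_fp)  # entry made with stolen credentials
    alice.rotate_key(b"constructed-key-2")
    return alice.audit(), rogue_fp

if __name__ == "__main__":
    print(demo())
```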

The team undertook a formal security analysis using a symbolic protocol verification tool, the 'Tamarin prover', which runs millions of possible attack situations, verifying DECIM's capabilities. This is a rare step for a messaging protocol, and the same analysis for other protocols revealed several security flaws.

"There's no silver bullet in the field of end-to-end encryption", said Dr. Yu, "but we hope that our contribution can add an extra layer of security and help to level the playing field between users and attackers."

Professor Mark Ryan, from the School of Computer Science at the University of Birmingham, said, "Our Security and Privacy group tries to solve problems that are important to society. Given the prevalence of cyber-attacks on phones and laptops, we are proud of this work on detecting when encryption keys have become compromised. Next, we intend to apply this work on detecting encryption key compromise to applications, for example in blockchain or in Internet-based voting."

University of Birmingham
