
Out-of-Band Authentication in Group Messaging: Computational, Statistical, Optimal


  1. Out-of-Band Authentication in Group Messaging: Computational, Statistical, Optimal
     Lior Rotem, Gil Segev, Hebrew University

  2. Major Effort: E2E-Encrypted Messaging
     • Government surveillance and/or coercion
     • Untrusted or corrupted messaging servers
     Key challenge: Detecting man-in-the-middle attacks when setting up E2E-encrypted channels

  3. Man-in-the-Middle Attacks (diagram: Alice’s phone, Bob’s phone)

  4. Man-in-the-Middle Attacks (diagram: Alice’s phone, Bob’s phone)
     • Impossible to detect without any setup
     Impractical to assume a trusted PKI in messaging platforms…

  5. Out-of-Band Authentication (diagram: Alice’s phone, Bob’s phone, Bob)
     Practical to assume: Users can “out-of-band” authenticate one short value
     • Users can compare a short string displayed on their devices
     • Assuming that they recognize each other’s voice, this is a low-bandwidth authenticated channel

  6. Out-of-Band Authentication
     Facebook, Telegram, Allo, Signal, WhatsApp, Wire

  7. Out-of-Band Authentication
     Bounded vs. unbounded adversaries
     Within the cryptography community:
     • Considered by Rivest and Shamir in ’84 (“Interlock” protocol)
     • Formalized by Vaudenay ’05 (computational security) and by Naor, Segev and Smith ’06 (statistical security)

  8. The User-to-User Setting (diagram: Alice’s phone, Bob’s phone)
     • An equivalent problem: Detecting MitM attacks in message authentication

  9. The User-to-User Setting (diagram: Alice’s phone, Bob’s phone, out-of-band channel)

  10. The User-to-User Setting (diagram: Alice’s phone, Bob’s phone, out-of-band channel)
      • Minimize user effort
      • Maximize security

  11. User-to-User Bounds
      Table columns: Protocols, Lower Bounds
      • Computational Security [Vau05, PV06]
      • Statistical Security [NSS06]

  12. This Talk: The Group Setting
      • User-to-User Setting: ✓ Tightly characterized; ✓ Practical protocols deployed
      • Group Setting: ? Not yet studied; x Impractical protocols deployed

  13. Our Contributions
      A framework modeling out-of-band authentication in the group setting (diagram: users, out-of-band channel)
      • Users communicate over an insecure channel
      • Group administrator can out-of-band authenticate one short value to all users
      • Consistent with and supported by existing messaging platforms

  14. Our Contributions
      • A framework modeling out-of-band authentication in the group setting
      • Tight bounds for out-of-band authentication in the group setting
      Table: Protocols and Lower Bounds, for Computational Security and Statistical Security
      Our computationally-secure protocol is practically relevant, and substantially improves the currently-deployed protocols:

  15. Talk Outline
      • Communication model & notions of security
      • The naïve protocol
      • Our protocols & lower bounds
      Table: Protocols and Lower Bounds, for Computational Security and Statistical Security

  16. Talk Outline
      • Communication model & notions of security
      • The naïve protocol
      • Our protocols & lower bounds
      Table: Protocols and Lower Bounds, for Computational Security and Statistical Security

  17. Communication Model (diagram: users, out-of-band channel)
      • Insecure channel: Adversary can read, remove and insert messages
      • Out-of-band channel: Adversary can read, remove and delay messages, for all or for some of the users
        Adversary cannot modify messages/insert new ones in an undetectable manner

  18. Correctness & Security (diagram: users, out-of-band channel)
      • Computational vs. statistical security

  19. Talk Outline
      • Communication model & notions of security
      • The naïve protocol
      • Our protocols & lower bounds
      Table: Protocols and Lower Bounds, for Computational Security and Statistical Security

  20. The Naïve Protocol
      Seems impractical…

  21. Talk Outline
      • Communication model & notions of security
      • The naïve protocol
      • Our protocols & lower bounds
      Table: Protocols and Lower Bounds, for Computational Security and Statistical Security

  22. Our Computationally-Secure Protocol (diagram: out-of-band channel)

  23. Our Computationally-Secure Protocol

  24. Example: One Possible Attack

  25. Concurrent Non-Malleable Commitments
      • Infeasible to “non-trivially correlate” concurrent executions

  26. Talk Outline
      • Communication model & notions of security
      • The naïve protocol
      • Our protocols & lower bounds
      Table: Protocols and Lower Bounds, for Computational Security and Statistical Security

  27. Our Statistical Lower Bound (diagram: users, out-of-band channel)

  28. Protocol Structure

  30. Lemma 1: There exists a man-in-the-middle attacker that succeeds with probability

  31. • The security of the protocol guarantees that
      • The security of the protocol guarantees that

  32. Summary
      • A framework modeling out-of-band authentication in the group setting
      • Tight bounds for out-of-band authentication in the group setting
      Table: Protocols and Lower Bounds, for Computational Security and Statistical Security
      Thank You!
      https://eprint.iacr.org/2018/493
