Is bob sending mixed signals?

Michael Schliep; Ian Kariniemi; Nick Hopper

doi:10.1145/3139550.3139568

Is bob sending mixed signals?

Michael Schliep, Ian Kariniemi, Nick Hopper

Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Scopus citations

Abstract

Demand for end-to-end secure messaging has been growing rapidly and companies have responded by releasing applications that implement end-to-end secure messaging protocols. Signal and protocols based on Signal dominate the secure messaging applications. In this work we analyze conversational security properties provided by the Signal Android application against a variety of real world adversaries. We identify vulnerabilities that allow the Signal server to learn the contents of attachments, undetectably re-order and drop messages, and add and drop participants from group conversations. We then perform proof-of-concept attacks against the application to demonstrate the practicality of these vulnerabilities, and suggest mitigations that can detect our attacks. The main conclusion of our work is that we need to consider more than confidentiality and integrity of messages when designing future protocols. We also stress that protocols must protect against compromised servers and at a minimum implement a trust but verify model.

Original language	English (US)
Title of host publication	WPES 2017 - Proceedings of the 2017 Workshop on Privacy in the Electronic Society, co-located with CCS 2017
Publisher	Association for Computing Machinery, Inc
Pages	31-40
Number of pages	10
ISBN (Electronic)	9781450351751
DOIs	https://doi.org/10.1145/3139550.3139568
State	Published - Oct 30 2017
Event	16th ACM Workshop on Privacy in the Electronic Society, WPES 2017 - Dallas, United States Duration: Oct 30 2017 → …

Publication series

Name	WPES 2017 - Proceedings of the 2017 Workshop on Privacy in the Electronic Society, co-located with CCS 2017
Volume	2017-January

Other

Other	16th ACM Workshop on Privacy in the Electronic Society, WPES 2017
Country/Territory	United States
City	Dallas
Period	10/30/17 → …

Bibliographical note

Funding Information:
This work was sponsored by the National Science Foundation under grant 1314637.

Publisher Copyright:
© 2017 Copyright held by the owner/author(s). Publication rights licensed to Association for Computing Machinery.

Access

10.1145/3139550.3139568

OpenUrl availability

Full text

Cite this

Schliep, M., Kariniemi, I., & Hopper, N. (2017). Is bob sending mixed signals? In WPES 2017 - Proceedings of the 2017 Workshop on Privacy in the Electronic Society, co-located with CCS 2017 (pp. 31-40). (WPES 2017 - Proceedings of the 2017 Workshop on Privacy in the Electronic Society, co-located with CCS 2017; Vol. 2017-January). Association for Computing Machinery, Inc. https://doi.org/10.1145/3139550.3139568

Is bob sending mixed signals? / Schliep, Michael; Kariniemi, Ian; Hopper, Nick.
WPES 2017 - Proceedings of the 2017 Workshop on Privacy in the Electronic Society, co-located with CCS 2017. Association for Computing Machinery, Inc, 2017. p. 31-40 (WPES 2017 - Proceedings of the 2017 Workshop on Privacy in the Electronic Society, co-located with CCS 2017; Vol. 2017-January).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Schliep, M, Kariniemi, I & Hopper, N 2017, Is bob sending mixed signals? in WPES 2017 - Proceedings of the 2017 Workshop on Privacy in the Electronic Society, co-located with CCS 2017. WPES 2017 - Proceedings of the 2017 Workshop on Privacy in the Electronic Society, co-located with CCS 2017, vol. 2017-January, Association for Computing Machinery, Inc, pp. 31-40, 16th ACM Workshop on Privacy in the Electronic Society, WPES 2017, Dallas, United States, 10/30/17. https://doi.org/10.1145/3139550.3139568

Schliep M, Kariniemi I, Hopper N. Is bob sending mixed signals? In WPES 2017 - Proceedings of the 2017 Workshop on Privacy in the Electronic Society, co-located with CCS 2017. Association for Computing Machinery, Inc. 2017. p. 31-40. (WPES 2017 - Proceedings of the 2017 Workshop on Privacy in the Electronic Society, co-located with CCS 2017). doi: 10.1145/3139550.3139568

@inproceedings{4db5e5f9ce0244c5b2dc086d31e74791,

title = "Is bob sending mixed signals?",

abstract = "Demand for end-to-end secure messaging has been growing rapidly and companies have responded by releasing applications that implement end-to-end secure messaging protocols. Signal and protocols based on Signal dominate the secure messaging applications. In this work we analyze conversational security properties provided by the Signal Android application against a variety of real world adversaries. We identify vulnerabilities that allow the Signal server to learn the contents of attachments, undetectably re-order and drop messages, and add and drop participants from group conversations. We then perform proof-of-concept attacks against the application to demonstrate the practicality of these vulnerabilities, and suggest mitigations that can detect our attacks. The main conclusion of our work is that we need to consider more than confidentiality and integrity of messages when designing future protocols. We also stress that protocols must protect against compromised servers and at a minimum implement a trust but verify model.",

author = "Michael Schliep and Ian Kariniemi and Nick Hopper",

note = "Funding Information: This work was sponsored by the National Science Foundation under grant 1314637. Publisher Copyright: {\textcopyright} 2017 Copyright held by the owner/author(s). Publication rights licensed to Association for Computing Machinery.; 16th ACM Workshop on Privacy in the Electronic Society, WPES 2017 ; Conference date: 30-10-2017",

year = "2017",

month = oct,

day = "30",

doi = "10.1145/3139550.3139568",

language = "English (US)",

series = "WPES 2017 - Proceedings of the 2017 Workshop on Privacy in the Electronic Society, co-located with CCS 2017",

publisher = "Association for Computing Machinery, Inc",

pages = "31--40",

booktitle = "WPES 2017 - Proceedings of the 2017 Workshop on Privacy in the Electronic Society, co-located with CCS 2017",