Discussion:
[whispersystems] two articles about Signal security
"Matej Kovacic" (via whispersystems Mailing List)
2018-01-11 19:22:16 UTC
Hi,

I don't remember this being discussed here - two interesting articles
regarding Signal security.


"Signal encrypts messages using AES256 in CBC mode and its integrity
patterns are calculated with HMAC-SHA256 whose result is truncated to 64
bits.
These choices can be debated. Thus, although Signal uses a good
encryption / integrity (Encrypt-then-Mac) composition, the incorrect
implementation of the CBC mode has revealed many vulnerabilities over
the years. This was particularly the case in TLS. As a result, the
existence of better alternatives, both in performance and security, has
led this mode to be discouraged by the RFC authors of HTTP / 2 [h2]. The
next version of TLS does not even support it [tls].
In addition, if the HMAC-SHA256 algorithm is, to date, faultless, the
truncation of the 64-bit integrity pattern significantly weakens its
efficiency. This choice may be justified by the use of SMS as the
original method of transporting messages. Currently, all Signal messages
are notified using Firebase Cloud Messaging (formerly Google Cloud
Messaging), and carried over the mobile data channel. Useful bandwidth
problems can no longer be a justification. In fact, the large bandwidth
now available even plays against this truncation, making it easier to
bombard fraudulent messages to successfully forge a correct pattern."
...
"Moreover, as this article has presented, the Signal and Whatsapp
servers are in charge of issuing the public keys of a user's contacts.
For this, a cryptographic derivative of the numbers of all the contacts
of a user is sent to the servers, which respond with associated public
keys. This cryptographic derivation is unfortunately easily reversible,
and it is possible to find the list of contacts of a user of these
applications. In addition, it is the responsibility of users to verify
the authenticity of keys delivered by servers, a step probably rarely
performed and whose verification mechanisms were recently degraded in
Signal, sometimes inexplicably. For Whatsapp, this key distribution
mechanism was even the cause of a tumult in January 2017, when the
Guardian newspaper reported that a public vulnerability for eight months
and uncorrected allows the interception of messages in clear"

https://www.ssi.gouv.fr/uploads/2017/10/chiffrement_messagerie_instantanee_fmaury_anssi.pdf


And the fresh one:


Researchers from Ruhr-Universität Bochum (RUB) in Germany found that
anyone who controls WhatsApp/Signal servers can covertly add new members
to any private group, allowing them to spy on group conversations, even
without the permission of the administrator:

https://thehackernews.com/2018/01/whatsapp-encryption-spying.html

Regards,
M.
--
PGP Fingerprint: EBA8 0F17 24C4 17EA C4D2 2222 01B8 BBC8 FBF6 FFAD
PGP Key:
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x01B8BBC8FBF6FFAD
Personal blog: https://telefoncek.si
Nick Merrill
2018-01-11 19:56:12 UTC
Hi Matej -

My French is limited (to say the least). Does Maury (2017) indicate the
CBC used in Signal is incorrectly implemented? Or that an incorrectly
implemented CBC mode could lead to such a vulnerability, if someone were to
implement the Signal ratcheting protocol with it?

nick
List help: <https://riseup.net/lists>
#359
2018-01-11 23:05:11 UTC
about the last one:

Moxie's reply
https://news.ycombinator.com/item?id=16117487

Matt Green's blog
https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging-in-whatsapp-and-signal/


- jure