Following Edward Snowden’s revelations about government mass surveillance, end-to-end encryption is now widely available through services such as Facebook’s WhatsApp. The technique ensures that only sender and recipient can read a message. Dr. Jiangshan Yu at the University of Luxembourg has developed a solution to a longstanding problem in the field of end-to-end encryption: With current end-to-end encryption methods, if an attacker compromises a recipient’s device he can then intercept, read and alter all future communications without sender or recipient ever knowing. Dr. Yu’s solution, developed in collaboration with Prof. Mark Ryan (University of Birmingham) and Prof. Cas Cremers (University of Oxford), adds an extra layer of security, forcing attackers to leave evidence of any such activity and prompting users to take action.
The paper presenting the protocol, ‘DECIM: Detecting Endpoint Compromise in Messaging’, was published in the IEEE Transactions on Information Forensics and Security, a leading peer-reviewed journal in the field of computer security and cryptography. Dr. Yu, Research Associate at the University’s Interdisciplinary Centre for Security, Reliability and Trust (SnT), was motivated to undertake this research by the discovery of mass software vulnerabilities, such as the Heartbleed bug, that make the majority of devices vulnerable to compromise. “There are excellent end-to-end encryption services out there, but once a device has been compromised there’s little we can do. That’s the problem we wanted to solve,” he explained.
CURRENT ENCRYPTION METHODS
Current End-to-end encryption uses pairs of cryptographic ‘keys’, stored in the device, for the sender to encrypt and the recipient to decrypt messages; anyone wanting to read a user’s messages has to first hack into their phone to steal the latest keys. The attacker then performs a ‘Man-in-the-middle’ (MITM) attack, for example by taking control of the user’s WIFI router to intercept their messages, and uses the stolen keys to impersonate them.
Current encryption protocols such as Signal used by WhatsApp make the most of the fact that a MITM attacker can only intercept messages sent via the compromised network (in this case the WiFi). For example, as soon as you send a message via 3G rather than the compromised WiFi the attacker will no longer be able to act as an intermediary. They will lose track of the keys and be locked out of the conversation.
DETECTING INVISIBLE ATTACK
Dr. Yu’s DECIM solution addresses the question of what to do when the attacker is in a position to intercept all of a user’s messages on a long-term basis. Both Internet Service Providers and messaging service operators are in such a position – all messages pass through their servers. Unlike an attack via WiFi, if the attacker obtains a customer’s keys, he might never be locked out of a conversation, and the customer would never know.
With DECIM, the recipient’s device automatically certifies new key pairs, storing the certificates in a tamper-resistant public ledger. For example, to prepare for receiving a message, a recipient’s device (let’s call the recipient Robert) certifies an encryption key, and publishes the certificate in the ledger. To send a message, the sender’s device (let’s call the sender Sally) uses a cryptographic process to fetch and verify the certified encryption key from the ledger. She then uses it to send a message to Robert, whose device opens it with the corresponding decryption key.
If an attacker wants to impersonate Robert, he will need to put a forged key certificate in the ledger, persuading Sally’s device to use a fake encryption key. However, the DECIM ledger supports automatic cryptographic proof generation and verification to ensure that the log cannot be tampered with. So, if Robert’s device detects forged certificates, it is sure evidence of an attacker impersonating him. The log also records device activity, so if Robert sees a record for a device that he hasn’t used recently it is again evidence of an attack.
Dr. Yu and his collaborators undertook a formal security analysis (the so-called ‘Tamarin prover’), which tests against all possible attacks, verifying DECIM’s capabilities. This is a rare step for a messaging protocol, and the same analysis for other protocols revealed several security flaws. “There’s no silver bullet in the field of end-to-end encryption”, says Dr. Yu, a member of SnT’s Critical and Extreme Security and Dependability Research Group (CritiX), “but we hope that our contribution can add an extra layer of security and help to level the playing field between users and attackers.”
Photo: © University of Luxembourg