A Formal Security Analysis of the Signal Messaging Protocol

The Signal protocol is a cryptographic messaging protocol that provides end-to-end encryption for instant messaging in WhatsApp, Wire, and Facebook Messenger among many others, serving well over 1 billion active users. Signal includes several uncommon security properties (such as “future secrecy” or “post-compromise security”), enabled by a technique called ratcheting in which session keys are updated with every message sent. We conduct a formal security analysis of Signal’s initial extended triple Diffie–Hellman (X3DH) key agreement and Double Ratchet protocols as a multi-stage authenticated key exchange protocol. We extract from the implementation a formal description of the abstract protocol and define a security model which can capture the “ratcheting” key update structure as a multi-stage model where there can be a “tree” of stages, rather than just a sequence. We then prove the security of Signal’s key exchange core in our model, demonstrating several standard security properties. We have found no major flaws in the design and hope that our presentation and results can serve as a foundation for other analyses of this widely adopted protocol.
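The ratcheting described above, shown as an added example that is not code from the paper or from the Signal project: a symmetric KDF chain that derives a fresh message key and replaces the chain key on every message, plus a root-chain step that mixes in a new Diffie–Hellman output. The KDF shapes follow the Double Ratchet specification (HMAC-SHA256 with the constants 0x01 and 0x02 for the chain step, HKDF with the root key as salt for the root step); the DH output itself is replaced by random bytes as a stand-in, and the sample root key is a constructed value rather than the output of an X3DH run. The demo walks both parties through the chain, then simulates a state compromise to show the two properties the abstract names: the compromised chain key lets an adversary follow that chain forward but not backward (forward secrecy), and a root-ratchet step with a fresh secret leaves the stolen state useless (post-compromise security).

```python
import hashlib
import hmac
import os


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class SymmetricRatchet:
    """KDF chain: each step outputs a message key and advances the chain key one-way."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key
        self.step = 0

    def next_message_key(self) -> bytes:
        # Both outputs are PRF evaluations under the current chain key, so a
        # party (or attacker) holding chain key n cannot recover message keys < n.
        message_key = hmac.new(self.chain_key, b"\x01", hashlib.sha256).digest()
        self.chain_key = hmac.new(self.chain_key, b"\x02", hashlib.sha256).digest()
        self.step += 1
        return message_key


def root_ratchet(root_key: bytes, dh_output: bytes) -> tuple[bytes, bytes]:
    """Root KDF chain step: mix a fresh DH output into the root key.

    Returns (new_root_key, new_chain_key). Uses the old root key as HKDF salt.
    """
    out = hkdf(dh_output, salt=root_key, info=b"RootRatchet", length=64)
    return out[:32], out[32:]


def demo(n_messages: int = 3) -> tuple[bool, bool, bool]:
    """Run a short session and simulate a chain-key compromise.

    Returns (keys_match, attacker_follows_chain, root_step_heals).
    """
    # Constructed sample: stands in for the shared secret an X3DH handshake would yield.
    root_key = hashlib.sha256(b"constructed shared secret standing in for X3DH output").digest()
    # Stand-in for a real DH ratchet output (assumption: random bytes instead of ECDH).
    rk, ck = root_ratchet(root_key, os.urandom(32))

    alice, bob = SymmetricRatchet(ck), SymmetricRatchet(ck)
    keys_match = all(alice.next_message_key() == bob.next_message_key()
                     for _ in range(n_messages))

    # State compromise: the attacker obtains Alice's current chain key.
    attacker = SymmetricRatchet(alice.chain_key)
    # Forward along the same symmetric chain the attacker keeps up...
    attacker_follows_chain = attacker.next_message_key() == alice.next_message_key()
    bob.next_message_key()  # keep Bob in step

    # ...until a root-ratchet step mixes in a DH output the attacker never saw.
    _, ck_new = root_ratchet(rk, os.urandom(32))
    alice_new = SymmetricRatchet(ck_new)
    root_step_heals = attacker.next_message_key() != alice_new.next_message_key()

    return keys_match, attacker_follows_chain, root_step_heals


if __name__ == "__main__":
    print(demo())
```

The first tuple element shows both sides stay in sync; the second is the honest limit of a symmetric chain (compromise of the chain key exposes every later key on that chain, which is why the Double Ratchet interleaves DH steps); the third is the healing effect of a fresh DH contribution entering the root chain.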
