How Secure is TextSecure?

Instant messaging has gained popularity among users for both private and business communication as a low-cost replacement for short messages on mobile devices. However, before the revelations about mass surveillance performed by intelligence services such as the NSA and GCHQ, and before Facebook's acquisition of WhatsApp, most mobile messaging apps protected neither the confidentiality nor the integrity of messages. One messaging app that claims to provide secure instant messaging and has attracted a lot of attention is TextSecure. Besides numerous direct installations, its protocol is part of Android's most popular aftermarket firmware, CyanogenMod. TextSecure's successor Signal continues to use the underlying protocol for text messaging. In this paper, we present the first complete description of TextSecure's complex cryptographic protocol, provide a security analysis of its three main components (key exchange, key derivation and authenticated encryption), and discuss the main security claims of TextSecure. Furthermore, we formally prove that, if key registration is assumed to be secure, TextSecure's push messaging can indeed achieve most of the claimed security goals.
