Deniable Key Exchanges for Secure Messaging

In the wake of recent revelations of mass government surveillance, secure messaging protocols have come under renewed scrutiny. A widespread weakness of existing solutions is the lack of strong deniability properties that allow users to plausibly deny sending messages or participating in conversations if the security of their communications is later compromised. Deniable authenticated key exchanges (DAKEs), the cryptographic protocols responsible for providing deniability in secure messaging applications, cannot currently provide all desirable properties simultaneously. We introduce two new DAKEs with provable security and deniability properties in the Generalized Universal Composability framework. Our primary contribution is the introduction of Spawn, the first non-interactive DAKE that offers forward secrecy and achieves deniability against both offline and online judges; Spawn can be used to improve the deniability properties of the popular TextSecure secure messaging application. We also introduce an interactive dual-receiver cryptosystem that can improve the performance of the only existing interactive DAKE with competitive security properties. To encourage adoption, we implement and evaluate the performance of our schemes while relying solely on standard-model assumptions.
