Circumventing Cryptographic Deniability with Remote Attestation

Abstract

Deniable messaging protocols allow two parties to have ‘off-the-record’ conversations without leaving any record that can convince external verifiers about what either of them said during the conversation. Recent events like the Podesta email dump underscore the importance of deniable messaging to politicians, whistleblowers, dissidents and many others. Consequently, messaging protocols like Signal and OTR are designed with cryptographic mechanisms to ensure deniable communication, irrespective of whether the communications partner is trusted. Many commodity devices today support hardware-assisted remote attestation, which can be used to convince a remote verifier of some property locally observed on the device. We show how an adversary can use remote attestation to undetectably generate a non-repudiable transcript from any deniable protocol (including messaging protocols) that provides sender authentication, proving to skeptical verifiers what was said. We describe a concrete implementation of the technique using the Signal messaging protocol. We then show how to design protocols that are deniable even against an adversary capable of attestation, and in particular how attestation itself can be used to restore deniability by thwarting realistic classes of adversary.
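The following is an added illustrative model of the attack described in the abstract; it is not the paper's Signal implementation and is not code from the authors. Deniable sender authentication is reduced to its essence: a Diffie-Hellman key (over a constructed, insecure toy group) from which both ends derive a symmetric MAC key, so a raw transcript proves nothing because either party could have minted the tags. The receiver's endpoint is then moved into a modelled enclave whose private share and MAC key never leave it, and whose attestation key is a stand-in for a hardware-fused key verified by the vendor (here modelled as an HMAC the vendor can check). The measurement constant and all message bytes are constructed for the example. The verifier, trusting the enclave's code to log only messages whose tags verified and never to export the key, concludes that only the holder of the sender's private share could have produced the logged messages.

```python
import hashlib
import hmac
import json
import secrets

# Constructed toy Diffie-Hellman group for illustration only; NOT secure parameters.
P = 2**127 - 1
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    # Both ends can derive this MAC key, which is exactly what makes the tags deniable.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def tag(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_plain_transcript(key, transcript):
    """A raw transcript only shows that *someone* holding `key` produced the tags."""
    return all(hmac.compare_digest(tag(key, m), t) for m, t in transcript)


def forge_transcript(key, msgs):
    """The receiver (or anyone they hand the key to) can mint a valid-looking transcript."""
    return [(m, tag(key, m)) for m in msgs]


# Constructed stand-in for the measurement (code hash) of the known receiver enclave.
RECEIVER_MEASUREMENT = hashlib.sha256(b"receiver-enclave-v1 (constructed)").hexdigest()


class Enclave:
    """Model of a TEE-hosted receiver endpoint (assumption: vendor-trusted attestation).

    The private DH share and the derived MAC key never leave this object; the
    attestation key models a hardware-fused key that only the vendor can verify.
    """

    _ATTESTATION_KEY = secrets.token_bytes(32)

    def __init__(self):
        self._priv, self.pub = dh_keypair()
        self._peer_pub = None
        self._key = None
        self._received = []  # only messages whose tags verified are logged

    def handshake(self, peer_pub):
        self._peer_pub = peer_pub
        self._key = dh_shared(self._priv, peer_pub)

    def receive(self, msg, t):
        if self._key is None or not hmac.compare_digest(tag(self._key, msg), t):
            return False
        self._received.append(msg.hex())
        return True

    def quote(self):
        report = {
            "measurement": RECEIVER_MEASUREMENT,
            "receiver_pub": self.pub,
            "sender_pub": self._peer_pub,
            "received": list(self._received),
        }
        body = json.dumps(report, sort_keys=True).encode()
        return body, tag(Enclave._ATTESTATION_KEY, body)


def vendor_verify_quote(body, sig):
    # Models the vendor's attestation service checking the hardware key's signature.
    return hmac.compare_digest(tag(Enclave._ATTESTATION_KEY, body), sig)


def verify_attested_transcript(body, sig, sender_pub):
    """Returns the logged messages if the quote is genuine, from the expected enclave
    code, and bound to `sender_pub`; otherwise None. Since the enclave never exported
    the key, only the holder of the sender's private share could have tagged them."""
    if not vendor_verify_quote(body, sig):
        return None
    report = json.loads(body)
    if report["measurement"] != RECEIVER_MEASUREMENT or report["sender_pub"] != sender_pub:
        return None
    return [bytes.fromhex(m) for m in report["received"]]


def demo():
    alice_priv, alice_pub = dh_keypair()  # Alice's share doubles as her identity here
    enclave = Enclave()
    enclave.handshake(alice_pub)
    k = dh_shared(alice_priv, enclave.pub)
    msgs = [b"the meeting is at 9", b"bring the documents"]
    accepted = [enclave.receive(m, tag(k, m)) for m in msgs]
    rejected = enclave.receive(b"forged line", tag(b"wrong key", b"forged line"))
    body, sig = enclave.quote()
    return {
        "accepted": accepted,
        "rejected_forgery_logged": rejected,
        # A raw transcript forged with the shared key verifies just as well: deniable.
        "deniable_forgery_verifies": verify_plain_transcript(k, forge_transcript(k, [b"I never said that"])),
        # The attested transcript binds the logged messages to Alice.
        "attested_transcript": verify_attested_transcript(body, sig, alice_pub),
        "tampered_quote": verify_attested_transcript(body.replace(b"received", b"recieved"), sig, alice_pub),
        "wrong_sender": verify_attested_transcript(body, sig, alice_pub + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The model deliberately keeps the protocol untouched: nothing the sender observes changes, which is why the abstract calls the transcript generation undetectable. A symmetric MAC is used in place of a real deniable authenticated key exchange, and HMAC stands in for an asymmetric attestation signature; the structural point (a trusted-code endpoint that never exports the key turns sender authentication into non-repudiation) is what the example demonstrates.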
