Slides 2.3: Cover WhatsApp sender keys
This commit is contained in:
parent
22820fca27
commit
ad1e16fd79
SSH key fingerprint:
SHA256:Wq6s8he3sp5RAhp1LaLtp6R1p/43SZswtuK9csAuVcM
4 changed files with 71 additions and 3 deletions
|
|
@ -1802,7 +1802,7 @@
|
||||||
\begin{frame}{The Group Messaging Problem}
|
\begin{frame}{The Group Messaging Problem}
|
||||||
\begin{columns}[c]
|
\begin{columns}[c]
|
||||||
\begin{column}{0.5\textwidth}
|
\begin{column}{0.5\textwidth}
|
||||||
\textbf{Two-party protocols work great for... two parties}
|
\textbf{Two-party protocols work great for\ldots two parties}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Signal Protocol: Alice $\leftrightarrow$ Bob
|
\item Signal Protocol: Alice $\leftrightarrow$ Bob
|
||||||
\item OTR: Real-time 1-on-1 chat
|
\item OTR: Real-time 1-on-1 chat
|
||||||
|
|
@ -1845,6 +1845,68 @@
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}{WhatsApp's approach: sender keys}
|
||||||
|
\begin{columns}[c]
|
||||||
|
\begin{column}{0.5\textwidth}
|
||||||
|
\textbf{How Sender Keys Work:}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Each group member has a ``sender key''
|
||||||
|
\item Shared with all other members
|
||||||
|
\item One encryption per message (not per recipient!)
|
||||||
|
\end{itemize}
|
||||||
|
\textbf{Sender Key Components:}
|
||||||
|
\begin{itemize}
|
||||||
|
\item $SK = (spk, ck)$
|
||||||
|
\item $spk$: Public signature key
|
||||||
|
\item $ck$: Symmetric chain key
|
||||||
|
\item Chain key ratchets forward
|
||||||
|
\end{itemize}
|
||||||
|
\end{column}
|
||||||
|
\begin{column}{0.5\textwidth}
|
||||||
|
\textbf{Sending a Message:}
|
||||||
|
\begin{enumerate}
|
||||||
|
\item Derive message key: $mk = H_1(ck)$
|
||||||
|
\item Encrypt: $c = \func{enc}{mk, m}$
|
||||||
|
\item Sign: $\sigma = \func{sign}{ssk, c}$
|
||||||
|
\item Erase $mk$ immediately
|
||||||
|
\item Ratchet: $ck_{new} = H_2(ck)$
|
||||||
|
\end{enumerate}
|
||||||
|
\textbf{Benefits:}
|
||||||
|
\begin{itemize}
|
||||||
|
\item $O(1)$ encryptions per message
|
||||||
|
\item Handles out-of-order delivery
|
||||||
|
\item Scales to large groups
|
||||||
|
\end{itemize}
|
||||||
|
\end{column}
|
||||||
|
\end{columns}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}{WhatsApp's approach: sender keys}
|
||||||
|
\bigimagewithcaption{sender_keys.png}{Source: David Balbás, Daniel Collins and Phillip Gajland, \textit{WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs}, IACR Asiacrypt, 2023.}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}{Sender keys: trade-offs}
|
||||||
|
\begin{columns}[c]
|
||||||
|
\begin{column}{0.5\textwidth}
|
||||||
|
\textbf{What we gain:}
|
||||||
|
\begin{itemize}
|
||||||
|
\item \textbf{Efficiency}: Single encryption
|
||||||
|
\item \textbf{Scalability}: Works for 256+ members\footnote{Recently increased to 1,024.}
|
||||||
|
\item \textbf{Battery life}: Less crypto work
|
||||||
|
\item \textbf{Bandwidth}: Constant message size
|
||||||
|
\end{itemize}
|
||||||
|
\end{column}
|
||||||
|
\begin{column}{0.5\textwidth}
|
||||||
|
\textbf{What we lose:}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Weaker forward secrecy
|
||||||
|
\item Weaker post-compromise security
|
||||||
|
\item Malicious server can add/remove parties
|
||||||
|
\end{itemize}
|
||||||
|
\end{column}
|
||||||
|
\end{columns}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}{Enter MLS: Messaging Layer Security}
|
\begin{frame}{Enter MLS: Messaging Layer Security}
|
||||||
\begin{columns}[c]
|
\begin{columns}[c]
|
||||||
\begin{column}{0.5\textwidth}
|
\begin{column}{0.5\textwidth}
|
||||||
|
|
@ -1867,8 +1929,6 @@
|
||||||
\end{columns}
|
\end{columns}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
% Sender keys, etc.
|
|
||||||
|
|
||||||
\begin{frame}{TreeKEM}
|
\begin{frame}{TreeKEM}
|
||||||
\bigimagewithcaption{treekem.pdf}{Source: Joy of Cryptography}
|
\bigimagewithcaption{treekem.pdf}{Source: Joy of Cryptography}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
|
||||||
BIN
slides/images/sender_keys.png
(Stored with Git LFS)
Normal file
BIN
slides/images/sender_keys.png
(Stored with Git LFS)
Normal file
Binary file not shown.
|
|
@ -241,6 +241,7 @@
|
||||||
<li><i class="icon ph-duotone ph-scroll"></i>Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Alfredo Pironti and Pierre-Yves Strub, <a href="papers/#triple-handshakes"><em>Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS</em></a>, IEEE Symposium on Security and Privacy, 2014.</li>
|
<li><i class="icon ph-duotone ph-scroll"></i>Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Alfredo Pironti and Pierre-Yves Strub, <a href="papers/#triple-handshakes"><em>Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS</em></a>, IEEE Symposium on Security and Privacy, 2014.</li>
|
||||||
<li><i class="icon ph-duotone ph-scroll"></i>Yevgeniy Dodis, Daniel Jost, Shuichi Katsumata, Thomas Prest and Rolfe Schmidt, <a href="papers/#triple-ratchet"><em>Triple Ratchet: A Bandwidth Efficient Hybrid-Secure Signal Protocol</em></a>, IACR Eurocrypt, 2025.</li>
|
<li><i class="icon ph-duotone ph-scroll"></i>Yevgeniy Dodis, Daniel Jost, Shuichi Katsumata, Thomas Prest and Rolfe Schmidt, <a href="papers/#triple-ratchet"><em>Triple Ratchet: A Bandwidth Efficient Hybrid-Secure Signal Protocol</em></a>, IACR Eurocrypt, 2025.</li>
|
||||||
<li><i class="icon ph-duotone ph-scroll"></i>Karthikeyan Bhargavan, Bruno Blanchet and Nadim Kobeissi, <a href="papers/#tls13-verif"><em>Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate</em></a>, IEEE Symposium on Security and Privacy, 2017.</li>
|
<li><i class="icon ph-duotone ph-scroll"></i>Karthikeyan Bhargavan, Bruno Blanchet and Nadim Kobeissi, <a href="papers/#tls13-verif"><em>Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate</em></a>, IEEE Symposium on Security and Privacy, 2017.</li>
|
||||||
|
<li><i class="icon ph-duotone ph-scroll"></i>David Balbás, Daniel Collins and Phillip Gajland, <a href="papers/#sender-keys"><em>WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs</em></a>, IACR Asiacrypt, 2023.</li>
|
||||||
<li><i class="icon ph-duotone ph-scroll"></i>Scott Fluhrer, Istik Mantin and Adi Shamir, <a href="papers/#rc4-ksa"><em>Weaknesses in the Key Scheduling Algorithm for RC4</em></a>, Selected Areas in Cryptography, 2001.</li>
|
<li><i class="icon ph-duotone ph-scroll"></i>Scott Fluhrer, Istik Mantin and Adi Shamir, <a href="papers/#rc4-ksa"><em>Weaknesses in the Key Scheduling Algorithm for RC4</em></a>, Selected Areas in Cryptography, 2001.</li>
|
||||||
<li><i class="icon ph-duotone ph-scroll"></i>Alma Whitten and J. D. Tygar, <a href="papers/#johnny-cant"><em>Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0</em></a>, Security and Usability: Designing Secure Systems that People Can Use, O'Reilly, 2005.</li>
|
<li><i class="icon ph-duotone ph-scroll"></i>Alma Whitten and J. D. Tygar, <a href="papers/#johnny-cant"><em>Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0</em></a>, Security and Usability: Designing Secure Systems that People Can Use, O'Reilly, 2005.</li>
|
||||||
<li><i class="icon ph-duotone ph-scroll"></i>Scott Ruoti, Jeff Andersen, Daniel Zappala and Kent Seamons, <a href="papers/#johnny-still"><em>Why Johnny Still, Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client</em></a>, arXiv, 2015.</li>
|
<li><i class="icon ph-duotone ph-scroll"></i>Scott Ruoti, Jeff Andersen, Daniel Zappala and Kent Seamons, <a href="papers/#johnny-still"><em>Why Johnny Still, Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client</em></a>, arXiv, 2015.</li>
|
||||||
|
|
@ -523,6 +524,7 @@
|
||||||
<li><i class="icon ph-duotone ph-scroll"></i>Martin R. Albrecht, Lenka Mareková, Kenneth G. Paterson, Eyal Ronen and Igors Stepanovs, <a href="papers/#telegram-exchange"><em>Analysis of the Telegram Key Exchange</em></a>, IACR Eurocrypt, 2025.</li>
|
<li><i class="icon ph-duotone ph-scroll"></i>Martin R. Albrecht, Lenka Mareková, Kenneth G. Paterson, Eyal Ronen and Igors Stepanovs, <a href="papers/#telegram-exchange"><em>Analysis of the Telegram Key Exchange</em></a>, IACR Eurocrypt, 2025.</li>
|
||||||
<li><i class="icon ph-duotone ph-scroll"></i>Martin R. Albrecht, Benjamin Dowling and Daniel Jones, <a href="papers/#whatsapp-groups"><em>Formal Analysis of Multi-Device Group Messaging in WhatsApp</em></a>, IACR Eurocrypt, 2025.</li>
|
<li><i class="icon ph-duotone ph-scroll"></i>Martin R. Albrecht, Benjamin Dowling and Daniel Jones, <a href="papers/#whatsapp-groups"><em>Formal Analysis of Multi-Device Group Messaging in WhatsApp</em></a>, IACR Eurocrypt, 2025.</li>
|
||||||
<li><i class="icon ph-duotone ph-scroll"></i>Paul Rösler, Christian Mainka and Jörg Schwenk, <a href="papers/#group-chats"><em>More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema</em></a>, IEEE European Symposium on Security and Privacy, 2018.</li>
|
<li><i class="icon ph-duotone ph-scroll"></i>Paul Rösler, Christian Mainka and Jörg Schwenk, <a href="papers/#group-chats"><em>More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema</em></a>, IEEE European Symposium on Security and Privacy, 2018.</li>
|
||||||
|
<li><i class="icon ph-duotone ph-scroll"></i>David Balbás, Daniel Collins and Phillip Gajland, <a href="papers/#sender-keys"><em>WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs</em></a>, IACR Asiacrypt, 2023.</li>
|
||||||
<li><i class="icon ph-duotone ph-scroll"></i>Felix Linker, Ralf Sasse and David Basin, <a href="papers/#pq3-analysis"><em>A Formal Analysis of Apple’s iMessage PQ3 Protocol</em></a>, USENIX Security Symposium, 2025.</li>
|
<li><i class="icon ph-duotone ph-scroll"></i>Felix Linker, Ralf Sasse and David Basin, <a href="papers/#pq3-analysis"><em>A Formal Analysis of Apple’s iMessage PQ3 Protocol</em></a>, USENIX Security Symposium, 2025.</li>
|
||||||
<li><i class="icon ph-duotone ph-scroll"></i>Théophile Wallez, <a href="papers/#wallez-thesis"><em>A Verification Framework for Secure Group Messaging</em></a>, PSL Université Paris, 2025.</li>
|
<li><i class="icon ph-duotone ph-scroll"></i>Théophile Wallez, <a href="papers/#wallez-thesis"><em>A Verification Framework for Secure Group Messaging</em></a>, PSL Université Paris, 2025.</li>
|
||||||
<li><i class="icon ph-duotone ph-scroll"></i>Karthikeyan Bhargavan, Charlie Jacomme, Franziskus Kiefer and Rolfe Schmidt, <a href="papers/#pqxdh-analysis"><em>Formal Verification of the PQXDH Post-Quantum Key Agreement Protocol for End-to-End Secure Messaging</em></a>, USENIX Security Symposium, 2024.</li>
|
<li><i class="icon ph-duotone ph-scroll"></i>Karthikeyan Bhargavan, Charlie Jacomme, Franziskus Kiefer and Rolfe Schmidt, <a href="papers/#pqxdh-analysis"><em>Formal Verification of the PQXDH Post-Quantum Key Agreement Protocol for End-to-End Secure Messaging</em></a>, USENIX Security Symposium, 2024.</li>
|
||||||
|
|
|
||||||
BIN
website/papers/sender-keys.pdf
(Stored with Git LFS)
Normal file
BIN
website/papers/sender-keys.pdf
(Stored with Git LFS)
Normal file
Binary file not shown.
Loading…
Add table
Add a link
Reference in a new issue