Automatic Detection of Fake Key Attacks in Secure Messaging

by   Tarun Kumar Yadav, et al.

Popular instant messaging applications such as WhatsApp and Signal provide end-to-end encryption for billions of users. They rely on a centralized, application-specific server to distribute public keys and relay encrypted messages between the users. Therefore, they prevent passive attacks but are vulnerable to some active attacks. A malicious or hacked server can distribute fake keys to users to perform man-in-the-middle or impersonation attacks. While typical secure messaging applications provide a manual method for users to detect these attacks, this burdens users, and studies show it is ineffective in practice. This paper presents KTACA, a completely automated approach for key verification that is oblivious to users and easy to deploy. We motivate KTACA by designing two approaches to automatic key verification. One approach uses client auditing (KTCA) and the second uses anonymous key monitoring (AKM). Both have relatively inferior security properties, leading to KTACA, which combines these approaches to provide the best of both worlds. We provide a security analysis of each defense, identifying which attacks they can automatically detect. We implement the active attacks to demonstrate they are possible, and we also create a prototype implementation of all the defenses to measure their performance and confirm their feasibility. Finally, we discuss the strengths and weaknesses of each defense, the overhead on clients and service providers, and deployment considerations.


page 1

page 2

page 3

page 4


Mobile Encryption Gateway (MEG) for Email Encryption

Email cryptography applications often suffer from major problems that pr...

BliMe: Verifiably Secure Outsourced Computation with Hardware-Enforced Taint Tracking

We present Blinded Memory (BliMe), a way to realize efficient and secure...

You have been warned: Abusing 5G's Warning and Emergency Systems

The Public Warning System (PWS) is an essential part of cellular network...

Efficient and Secure Flash-based Gaming CAPTCH

With the growth of connectivity to smart grids, new applications, and th...

Detecting Forged Kerberos Tickets in an Active Directory Environment

Active Directory is the most popular service to manage users and devices...

The Effect of Length on Key Fingerprint Verification Security and Usability

In applications such as end-to-end encrypted instant messaging, secure e...

EthClipper: A Clipboard Meddling Attack on Hardware Wallets with Address Verification Evasion

Hardware wallets are designed to withstand malware attacks by isolating ...

Please sign up or login with your details

Forgot password? Click here to reset