Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden.
powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden.
powered by
Abstract
Extensive efforts are currently put into securing messaging platforms, where a key challenge is that of protecting against man-in-the-middle attacks when setting up secure end-to-end channels. The vast majority of these efforts, however, have so far focused on securing user-to-user messaging, and recent attacks indicate that the security of group messaging is still quite fragile.
We initiate the study of out-of-band authentication in the group setting, extending the user-to-user setting where messaging platforms (e.g., Telegram and WhatsApp) protect against man-in-the-middle attacks by assuming that users have access to an external channel for authenticating one short value (e.g., two users who recognize each other’s voice can compare a short value). Inspired by the frameworks of Vaudenay (CRYPTO ’05) and Naor et al. (CRYPTO ’06) in the user-to-user setting, we assume that users communicate over a completely-insecure channel, and that a group administrator can out-of-band authenticate one short message to all users. An adversary may read, remove, or delay this message (for all or for some of the users), but cannot undetectably modify it.
Within our framework we establish tight bounds on the tradeoff between the adversary’s success probability and the length of the out-of-band authenticated message (which is a crucial bottleneck given that the out-of-band channel is of low bandwidth). We consider both computationally-secure and statistically-secure protocols, and for each flavor of security we construct an authentication protocol and prove a lower bound showing that our protocol achieves essentially the best possible tradeoff.
In particular, considering groups that consist of an administrator and k additional users, for statistically-secure protocols we show that at least \((k+1)\cdot (\log (1/\epsilon ) - \varTheta (1))\) bits must be out-of-band authenticated, whereas for computationally-secure ones \(\log (1/\epsilon ) + \log k\) bits suffice, where \(\epsilon \) is the adversary’s success probability. Moreover, instantiating our computationally-secure protocol in the random-oracle model yields an efficient and practically-relevant protocol (which, alternatively, can also be based on any one-way function in the standard model).
Anzeige
Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.
Despite the significant threats posed by man-in-the-middle attacks, research on the security of group messaging has so far assumed an initial authenticated setup phase (e.g., [CGCG+17, RMS18]), and did not address this security-critical assumption.
For example, as specified in WhatsApp’s security whitepaper [Wha, p. 10]: “WhatsApp users additionally have the option to verify the keys of the other users with whom they are communicating so that they are able to confirm that an unauthorized third party (or WhatsApp) has not initiated a man-in-the-middle attack. This can be done by scanning a QR code, or by comparing a 60-digit number. [...] The 60-digit number is computed by concatenating the two 30-digit numeric fingerprints for each user’s Identity Key”.
Clearly, one may consider a less-minimal extension where several users are allowed to send out-of-band authenticated values (i.e., not only the group administrator that we denote as the sender), but as our results show this is in fact not required.
Concretely, when setting the adversary’s forgery probability \(\epsilon \) to \(2^{-30}\) in a group that consists of \(k = 2^{10}\) users, then in any statistically-secure protocol more than \(k \cdot \log (1/\epsilon ) = 2^{10}\cdot 30\) bits must be out-of-band authenticated, whereas in our computationally-secure protocol only \(\log (1/\epsilon ) + \log k = 40\) bits are out-of-band authenticated.
Note that if the adversary’s forgery probability in the group protocol should be at most \(\epsilon \), then the user-to-user protocol should be parameterized, for example, with \(\epsilon /k\) as the adversary’s forgery probability (enabling a union bound over the k executions).
We do not go into details regarding the possible models of insecure communication in this high-level overview, and we refer the reader to Sect. 3 for an in-depth discussion.
A successful forgery also requires that the input message for that particular receiver is different in the two executions, but this has little effect on the probability of forgery when the input messages are not too short.
As a commitment scheme may be interactive, when referring to a commitment, we mean the transcript of the interaction between the committer and the receiver during an execution of the commit phase of the commitment scheme. When the scheme is non-interactive, a commitment is simply a single string sent from the committer to the receiver.