Academics from three different continents recently audited the popular end-to-end encryption app Signal and their findings, for the most part, are encouraging.

The protocol, which boasts over a billion users, including those via apps such as Facebook, WhatsApp and Google’s Allo services, has no major flaws, according to the researchers.

The academics, who include four from the UK’s University of Oxford, Queensland University of Technology in Australia, and Canada’s McMaster University, claim the paper they co-authored is the first in-depth analysis of the platform’s cryptographic core.

Researchers also concluded that Signal satisfies several standard security protocols and can stand pat in the face of compromise, according to authors Katriel Cohn-Gordon, Cas Cremers, Benjamin Dowling, Luke Garratt, and Douglas Stebila.

“Derived session keys should remain secret under a variety of compromise scenarios, including if a long-term secret has been compromised but a medium or ephemeral secret has not (forward secrecy) or if state is compromised and then an uncompromised asymmetric stage later occurs,” according to the paper which was released last month.

Cryptographically speaking, forward secrecy is a property which protects past sessions against future compromises of secret keys or passwords.

Since its inception, Signal has prided itself as a “ratcheting forward secrecy protocol” that works in synchronous and asynchronous messaging environments. The “ratcheting forward secrecy” concept, which makes it so session keys are updated with every message sent, dates back to OTR messaging, which Signal is based on. The technology, developed by Open Whisper Systems, continuously ratchets key material forward during the course of a session.

The researchers evaluated Signal alongside their own multi-stage key exchange security model. At least according to their analysis of the protocol’s cryptographic capabilities, Signal is secure. The researchers crafted their model around the idea that Signal is a collection of algorithms, and then observed how an adversary would interact with the scenario. In this model environment, the network is fully adversarially-controlled, but the researchers determined they could still prove the secrecy and authentication of message keys.

“Our analysis shows that the cryptographic core of Signal provides useful security properties. These properties, while complex, are encoded in our security model, and which we prove that Signal satisfies under standard cryptographic assumptions. Practically speaking, they imply secrecy and authentication of the message keys which Signal derives, even under a variety of adversarial compromise scenarios such as forward security (and thus “future secrecy”). If used correctly, Signal could achieve a form of post-compromise security, which has substantial advantages over forward secrecy.”
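The two properties discussed above, forward secrecy and post-compromise security, can be seen in a minimal key ratchet. This is an added sketch, not code from the paper or from Signal: the function names, the `INFO` label and all input byte strings are constructed for illustration, and the "fresh secret" stands in for the output of a new Diffie-Hellman exchange.

```python
import hashlib
import hmac

INFO = b"ratchet-demo"  # hypothetical HKDF label, not a Signal constant


def _h(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def chain_step(chain_key):
    """Symmetric ratchet step: return (next_chain_key, message_key)."""
    return _h(chain_key, b"\x02"), _h(chain_key, b"\x01")


def mix_fresh_secret(root_key, shared_secret):
    """Asymmetric stage: HKDF-SHA256 (RFC 5869), salt = root key, 64 bytes out.

    Returns (new_root_key, new_chain_key).
    """
    prk = _h(root_key, shared_secret)
    t1 = _h(prk, INFO + b"\x01")
    t2 = _h(prk, t1 + INFO + b"\x02")
    return t1, t2


def derive_message_keys(chain_key, count):
    """Advance the chain `count` times: return (final_chain_key, [message keys])."""
    keys = []
    for _ in range(count):
        chain_key, mk = chain_step(chain_key)
        keys.append(mk)
    return chain_key, keys


def simulate_compromise():
    # Constructed inputs; a real session takes these from key agreement.
    root, chain = mix_fresh_secret(b"\x00" * 32, b"constructed initial secret")
    chain, before = derive_message_keys(chain, 3)   # messages 1-3
    stolen_chain = chain                            # state is copied at this point
    chain, after = derive_message_keys(chain, 2)    # messages 4-5
    stale_chain, attacker_after = derive_message_keys(stolen_chain, 2)
    # The parties mix in a fresh secret that the stolen state does not contain.
    root, chain = mix_fresh_secret(root, b"constructed fresh DH output")
    _, healed = derive_message_keys(chain, 2)       # messages 6-7
    _, attacker_stale = derive_message_keys(stale_chain, 2)
    return {
        "past_exposed": any(k in attacker_after for k in before),
        "next_exposed": attacker_after == after,
        "healed_exposed": any(k in attacker_stale for k in healed),
    }
```

The stolen chain key reproduces the keys for messages 4-5 but, because each step is a one-way HMAC, gives no path back to messages 1-3; once a fresh secret is mixed into the root key, the stale chain no longer matches the keys for messages 6-7.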

Developers could bolster the security around the protocol in the future if they wanted – perhaps by borrowing elements from the NAXOS protocol, researchers say. Developers could also include a “static-static DH shared secret in the key derivation,” to avoid Signal’s random number generator being guessed, according to the paper.

The quintet said using “constructions in the spirit” of NAXOS – an authenticated key exchange protocol first introduced by Microsoft researchers back in 2007 – could prevent Signal’s random number generator from becoming too predictable.

While the audit, “A Formal Security Analysis of the Signal Messaging Protocol” (.PDF), looked at the protocol’s code, it did not review any third-party implementations of the protocol.

The popular chat app WhatsApp began rolling out Signal protocol support earlier this year. According to Moxie Marlinspike, Open Whisper Systems’ founder, the version is similar to what’s deployed in the Signal app, which means WhatsApp cannot decrypt its users’ communications.

Google embedded the Signal protocol in its Allo messaging app in May, but the company caught flak after it was reported the functionality wouldn’t be turned on by default and would only be active in incognito mode sessions.


Comments (3)

  1. Kormat

    What I don’t like about Signal is that it forces you to use GCM. And you also have to disclose your phone number. I use Threema for those reasons. It isn’t free, though.
