Signal Tests Upgraded Cryptography for Groups Function

The secure messaging service is looking to address usability issues.

Signal, the encrypted messaging platform, is planning to launch an upgraded secure group messaging and communities function.

Signal’s groups are private, meaning that the service itself doesn’t keep a record of a user’s group memberships, group titles, group avatars or group attributes. But the way the privacy controls have been implemented has raised a few usability issues: members can hold disparate “group states” (i.e., different versions of a group’s information), and the design precludes role-based access control, since no party is in a position to enforce roles.

“Every group member in Signal has the same permissions because what you learn about the group is only what other people tell you,” the company explained in a posting on its upgrade efforts this week. “Their group state may not be accurate, or they could claim to be a role they really aren’t.”

Signal’s soon-to-be-released upgrade aims to solve these issues.

In order for a messaging server to enforce access control (verifying that users do in fact belong to a group they are trying to access), and to ensure that all users see the latest version of the group’s information, the typical approach is to keep a plaintext database on the server that can be queried through a basic API, according to the company. But that means the server, and anyone who compromises it, can see all of the group information stored there. In Signal’s case, this clearly violates its privacy mandate.

“The server knows everything about all groups, and it can also surreptitiously modify group membership and other group attributes. This isn’t what we wanted for Signal,” the company noted.

So Signal took a different approach, reusing the pairwise encrypted channels that already carry one-on-one Signal conversations.

“Clients send group messages to each other tagged with a Group ID (a random 128-bit secret that cannot be guessed), and they also exchange group state updates – such as the group’s name, attributes and membership – via the same method,” according to the posting. “Clients never tell the service which messages are group messages or individual messages, or who is in the group. Instead, clients tell each other what they need to know.”

However, this distributed approach provides no centralized, authoritative copy of group data that clients can reference, which is what gives rise to the usability problems described above.

Going forward, Signal said that it has worked with Melissa Chase and Greg Zaverucha from Microsoft Research to extend their keyed-verification anonymous credentials concept.

“The inherent contradiction is that the service needs to authenticate whether a membership record corresponds to the user making a request, but the user doesn’t want the service to know who they are,” explained Signal.

To solve this, group members will be issued authentication credentials (AuthCredentials) by the service for their user identity (UID), and can then authenticate by proving to the server they have an authentication credential issued over the same UID that was included in a previous encrypted group membership entry. This is done without revealing the UID itself.

“With an anonymous credential scheme, the service could issue authentication credentials to clients. Those clients could later prove possession of a credential, as well as facts about attributes bound into the credential, without revealing anything else,” according to Signal.

From a technical standpoint, a client must prove that its credential matches some ciphertext in the group’s encrypted membership list before it is allowed to download the group’s data. For this to work, the same UID must always encrypt to the same ciphertext within a given group: the encryption is deterministic, so a client can recreate its own ciphertext locally without fetching it, and the server can detect and reject duplicate entries without learning which UID they encrypt.

“Suppose Alice has an AuthCredential for her UID, and a GroupMasterKey (only known by group members, not the server) for some particular group,” according to the posting. “The server stores an encrypted membership list for the group. Each entry in the membership list is an encryption of some UID with the GroupMasterKey. To add Bob to the group, Alice must first prove to the server that she is allowed to make this change. Alice provides a zero-knowledge proof to the server that she possesses an AuthCredential matching some particular entry.”

After Alice proves to the server that she matches an entry, she sends the server a new entry encrypting Bob’s UID. Alice also sends Bob the GroupMasterKey via an encrypted Signal message (Signal has published the full technical details of the cryptography).
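The membership-list layer described above, as an added example that is not Signal’s code: each entry is a deterministic encryption of a member UID under the group’s GroupMasterKey, so the server can reject duplicates and a member can recompute their own entry without fetching it, while the server, which never holds the key, sees only ciphertext. The deterministic encryption here is an SIV-style construction built from HMAC-SHA256 as the PRF, a simplification chosen to stay within the Python standard library; Signal’s actual construction differs. The zero-knowledge proof that an AuthCredential matches an entry is not modelled, and the UID length, key derivation labels and class names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

UID_LEN = 16   # assumption: 128-bit user identifiers
TAG_LEN = 16   # synthetic IV length


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 used as a PRF, with a label for domain separation."""
    return hmac.new(key, label + b"\x00" + data, hashlib.sha256).digest()


class GroupMasterKey:
    """Known only to group members, never to the server."""

    def __init__(self, raw=None):
        self.raw = raw if raw is not None else secrets.token_bytes(32)
        # Two independent subkeys: one for the synthetic IV, one for the keystream.
        self.k_tag = _prf(self.raw, b"group-member-tag", b"")
        self.k_enc = _prf(self.raw, b"group-member-enc", b"")


def encrypt_uid(gmk: GroupMasterKey, uid: bytes) -> bytes:
    """Deterministic (SIV-style) encryption: same UID and same key give the same entry."""
    if len(uid) != UID_LEN:
        raise ValueError("uid must be 16 bytes")
    tag = _prf(gmk.k_tag, b"siv", uid)[:TAG_LEN]        # synthetic IV = PRF(uid)
    pad = _prf(gmk.k_enc, b"stream", tag)[:UID_LEN]     # keystream derived from the IV
    return tag + bytes(a ^ b for a, b in zip(uid, pad))


def decrypt_uid(gmk: GroupMasterKey, entry: bytes) -> bytes:
    """Recover the UID and verify the synthetic IV; raises if the key is wrong."""
    tag, ct = entry[:TAG_LEN], entry[TAG_LEN:]
    pad = _prf(gmk.k_enc, b"stream", tag)[:UID_LEN]
    uid = bytes(a ^ b for a, b in zip(ct, pad))
    if not hmac.compare_digest(_prf(gmk.k_tag, b"siv", uid)[:TAG_LEN], tag):
        raise ValueError("entry does not decrypt under this GroupMasterKey")
    return uid


def decrypts_under(gmk: GroupMasterKey, entry: bytes) -> bool:
    """True if the entry authenticates under gmk (i.e. the holder has the right key)."""
    try:
        decrypt_uid(gmk, entry)
        return True
    except ValueError:
        return False


class GroupServer:
    """Stores only ciphertext entries per group; holds no GroupMasterKey."""

    def __init__(self):
        self._groups = {}   # group_id -> list of encrypted membership entries

    def add_member(self, group_id: bytes, entry: bytes) -> bool:
        members = self._groups.setdefault(group_id, [])
        if entry in members:       # duplicate UID detected without learning the UID
            return False
        members.append(entry)
        return True

    def membership(self, group_id: bytes) -> list:
        return list(self._groups.get(group_id, []))


def run_demo() -> dict:
    """Alice creates a group and adds herself and Bob; returns the properties checked."""
    alice, bob = secrets.token_bytes(UID_LEN), secrets.token_bytes(UID_LEN)
    gmk = GroupMasterKey()                     # shared with Bob over a pairwise channel
    server = GroupServer()
    group_id = secrets.token_bytes(16)

    server.add_member(group_id, encrypt_uid(gmk, alice))
    added_bob = server.add_member(group_id, encrypt_uid(gmk, bob))
    duplicate_bob = server.add_member(group_id, encrypt_uid(gmk, bob))

    stored = server.membership(group_id)
    # Alice recomputes her own entry locally instead of fetching it.
    alice_present = encrypt_uid(gmk, alice) in stored
    # Bob, holding the GroupMasterKey, reads the full membership list.
    bob_sees = {decrypt_uid(gmk, e) for e in stored}
    # A different group (different key) yields an unlinkable entry for the same UID.
    other_entry = encrypt_uid(GroupMasterKey(), alice)
    return {
        "added_bob": added_bob,
        "duplicate_rejected": not duplicate_bob,
        "alice_recomputed_entry_matches": alice_present,
        "bob_reads_full_membership": bob_sees == {alice, bob},
        "same_uid_unlinkable_across_groups": other_entry != encrypt_uid(gmk, alice),
        "wrong_key_rejected": not decrypts_under(GroupMasterKey(), stored[0]),
    }
```

Determinism is what makes the server-side duplicate check and the client-side recomputation possible, and it is also the reason the key must be per group: the same UID encrypted under two GroupMasterKeys produces unrelated entries, so the server cannot correlate one user’s membership across groups.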

“Groups are inherently social, and Signal is a social app,” the firm noted. “Whether you’re planning a surprise party, discussing last night’s book club meeting, exchanging photos with your family, or organizing something important, group messaging has always been a key feature of Signal. We’re moving into the future while keeping what we loved about the past.”
