Researchers have developed a solution to a problem in the field of end-to-end encryption, a technique that ensures only the sender and receiver can read a message.
With current end-to-end encryption, an attacker who compromises a device can put themselves in a position to intercept, read and alter all future communications without the sender or recipient ever knowing.
The new protocol forces attackers to leave evidence of their activity and alerts users so they can take action.
Dr. Jiangshan Yu at the University of Luxembourg, Professor Mark Ryan at the University of Birmingham and Professor Cas Cremers at the University of Oxford were motivated by the discovery of mass software vulnerabilities like the Heartbleed bug, which makes the majority of devices vulnerable to compromise.
Dr. Yu said, "There are excellent end-to-end encryption services out there, but by definition, they rely on your device itself remaining secure; once a device has been compromised there's little we can do. That's the problem we wanted to solve."
After Edward Snowden's revelations about government mass surveillance, end-to-end encryption is now widely available through services like Facebook's WhatsApp. This approach uses pairs of cryptographic "keys": the sender encrypts a message and the recipient decrypts it. To read messages, an attacker first has to hack the phone and steal the latest keys. The attacker then has to perform a "man-in-the-middle" (MITM) attack, for example by taking control of a WiFi router to intercept messages, and use the stolen keys to impersonate the victim.
Current encryption protocols, like the Signal protocol used by WhatsApp, make the most of the fact that an MITM attacker can only intercept messages that are sent through a compromised network. A message sent via 3G rather than the compromised WiFi will bypass the attacker, who will no longer be able to act as an intermediary. The attacker loses track of the keys and is locked out of the conversation.
The solution, called Detecting Endpoint Compromise in Messaging (DECIM), addresses the question of what to do when an attacker is in a position to intercept all messages on a long-term basis. Both the Internet Service Provider and the messaging service operator are in this position: all messages pass through their servers. If they obtained a user's keys, they would never be locked out of a conversation and the victim would never know.
With DECIM, the recipient’s device automatically certifies new key pairs and stores the certificates in a tamper-resistant public ledger.
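The following is an added illustration of that idea, written for this article; it is not code from the DECIM authors or the paper. It models a public ledger as an append-only hash chain of key certificates and a device that records which keys it certified itself, then audits the ledger. The `Ledger` and `Device` classes, field names and key labels are assumptions made for the example, and the signatures a real protocol would place on certificates are left out. The point it makes is the one the article makes: an attacker who wants to keep reading a victim's traffic must publish a key the victim never issued, or alter the ledger, and either action is visible to the victim's next audit.

```python
import hashlib
import json

# Constructed, simplified illustration of a tamper-evident key ledger with a
# device-side audit. NOT the DECIM protocol itself (which uses a Merkle-tree
# log and real signatures); class names, fields and key labels are assumptions.

GENESIS = "0" * 64  # stands in for "no previous entry"


def entry_hash(prev_hash, cert):
    """Hash of one ledger entry, bound to the hash of the entry before it."""
    payload = json.dumps({"prev": prev_hash, "cert": cert}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    """Append-only hash chain of key certificates (public, tamper-evident)."""

    def __init__(self):
        self.entries = []  # list of (prev_hash, cert, entry_hash)

    def head(self):
        return self.entries[-1][2] if self.entries else GENESIS

    def append(self, cert):
        prev = self.head()
        h = entry_hash(prev, cert)
        self.entries.append((prev, dict(cert), h))
        return h

    def verify_chain(self):
        """True if every entry hashes correctly and links to its predecessor."""
        prev = GENESIS
        for p, cert, h in self.entries:
            if p != prev or entry_hash(p, cert) != h:
                return False
            prev = h
        return True

    def contains_head(self, h):
        """True if h is GENESIS or the hash of some entry (append-only check)."""
        return h == GENESIS or any(e[2] == h for e in self.entries)

    def certs_for(self, user):
        return [cert for _, cert, _ in self.entries if cert["user"] == user]


class Device:
    """A user's device: certifies its own keys and audits the public ledger."""

    def __init__(self, user, ledger):
        self.user = user
        self.ledger = ledger
        self.issued = set()       # key labels this device itself certified
        self.last_head = GENESIS  # ledger head observed at the previous audit

    def rotate_key(self, key_label):
        self.issued.add(key_label)
        self.ledger.append({"user": self.user, "key": key_label})

    def audit(self):
        """Return a list of findings; an empty list means nothing suspicious."""
        findings = []
        if not self.ledger.verify_chain():
            findings.append(("tampered_ledger", None))
        if not self.ledger.contains_head(self.last_head):
            findings.append(("ledger_rolled_back", self.last_head))
        for cert in self.ledger.certs_for(self.user):
            if cert["key"] not in self.issued:
                findings.append(("unknown_key", cert["key"]))
        self.last_head = self.ledger.head()
        return findings


def scenario_clean():
    ledger = Ledger()
    alice = Device("alice", ledger)
    alice.rotate_key("alice-key-1")
    alice.rotate_key("alice-key-2")
    return alice.audit()  # -> []


def scenario_rogue_key():
    ledger = Ledger()
    alice = Device("alice", ledger)
    alice.rotate_key("alice-key-1")
    alice.audit()
    # A certificate for Alice appears that her device never issued.
    ledger.append({"user": "alice", "key": "key-not-issued-by-alice"})
    return alice.audit()  # -> [("unknown_key", "key-not-issued-by-alice")]


def scenario_rollback():
    ledger = Ledger()
    alice = Device("alice", ledger)
    alice.rotate_key("alice-key-1")
    alice.audit()
    ledger.entries.pop()  # ledger operator drops the newest entry
    return alice.audit()  # -> [("ledger_rolled_back", <previous head>)]


def scenario_inplace_edit():
    ledger = Ledger()
    alice = Device("alice", ledger)
    alice.rotate_key("alice-key-1")
    alice.rotate_key("alice-key-2")
    alice.audit()
    ledger.entries[0][1]["key"] = "swapped-key"  # history rewritten in place
    return alice.audit()  # -> tampered_ledger and unknown_key findings


if __name__ == "__main__":
    for name, fn in [("clean", scenario_clean), ("rogue key", scenario_rogue_key),
                     ("rollback", scenario_rollback), ("edit", scenario_inplace_edit)]:
        print(f"{name}: {fn()}")
```

The audit relies on two things the device keeps locally: the set of keys it certified and the last ledger head it saw. Without the second, a ledger operator could silently drop entries; without the first, the device could not tell its own certificates from ones registered on its behalf.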
The team undertook a formal security analysis using a symbolic protocol verification tool, the "Tamarin prover," which runs through millions of possible attack situations, verifying DECIM's capabilities. This is a rare step for a messaging protocol, and the same kind of analysis has revealed security flaws in other protocols.
"There's no silver bullet in the field of end-to-end encryption," said Dr. Yu, "but we hope that our contribution can add an extra layer of security and help to level the playing field between users and attackers."
Prof. Ryan said, "Our Security and Privacy group tries to solve problems that are important to society. Given the prevalence of cyber-attacks on phones and laptops, we are proud of this work on detecting when encryption keys have become compromised. Next, we intend to apply this work on detecting encryption key compromise to applications, for example in blockchain or in internet-based voting."
A paper on this research was published in IEEE Transactions on Information Forensics and Security.