Are Our Messages Private? WhatsApp End-to-End Encryption
2y ago
94 Views
1 Downloads
1.47 MB
40 Pages
Report/dmca
Download PDF

Transcription

WhatsApp End-to-End Encryption:Are Our Messages Private?Research project by:Pavlos LontorfosTom CarpaijSupervisors:Ruben De VriesSoufiane el Aissaoui1

Introduction2

Introduction 1.5 billion users“Black box” applicationSecurity vs. end-to-end encryptionCan we trust Facebook's claim of End-to-Endencryption?3

Research questionsIs user-to-user message exchange via WhatsApp End-to-Endencrypted? What are the algorithms used to create the Signal protocol?What are the differences between Signal and WhatsApp network traffic?To what extent are WhatsApp messages encrypted to the Signal protocolspecifications?4

Literature review Breach of End-to-End encryption in group messages [1]Non-blocking WhatsApp implementation [2]Voicemail account verification hijack [3]Signal protocol papers [4] [5]WhatsApp End-to-End encryption implementation whitepaper [6]Formal proof of Signal protocol security [7]5

Background: Extended Triple Diffie-Hellman (X3DH)X3DH illustration. From Open Whisper Systems, by Marlinspike and Perrin, 2016.Retrieved from https://signal.org/docs/specifications/x3dh/6

Background: Single ratchet algorithmSingle ratchet illustration. From Open Whisper Systems, by Perrin and Marlinspike , 2016.Retrieved from et/7

Background: Double ratchet algorithmDouble ratchet illustration. From Open Whisper Systems, by Perrin and Marlinspike , 2016.Retrieved from et/Set3 2.png8

Blocking-Non blocking mechanismSignal: Blocking Mechanism No message retransmissionSmaller User BaseSecureWhatsApp: Non-blocking Mechanism Messages are retransmittedFriendly user experience/ convenienceSecurity issues - Attack scenario9

MethodsAssumptions made: If Signal is implemented correctly, the protocol is secureSignal Application implements their protocol correctlyWhatsApp is proprietary softwareAndroid version was analyzed. Protocol implementation remains the samefor IOSLatest available version of WhatsApp(2.18.380) and Signal(4.32.8)10

Experiments11

Experiment: Traffic comparison12

Results: Traffic comparison13

Experiment: Packet decryption14

Results: Packet decryption15

Results: Packet decryption16

Results: Packet decryptionUnfortunately no packets captured from WhatsAppNoise Pipes : Custom protocol instead of TLSBurp Suite couldn’t recognise those packets17

Experiment: Basic blocking18

Experiment: Basic blocking19

Experiment: Basic blocking20

Experiment: Basic blocking21

Experiment: Basic blocking22

Experiment: Basic blocking23

Experiment: Basic blocking24

Results: Basic blocking25

Experiment:Sender offline blocking26

Experiment:Sender offline blocking27

Experiment:Sender offline blocking28

Experiment:Sender offline blocking29

Experiment:Sender offline blocking30

Results: Sender offline blocking31

Experiment:Sender offline blocking32

Experiment: Sender offline blocking33

Results: Sender offline blocking34

Experiment: Sender migration blocking35

Results: Sender migration blocking36

Discussion We expected the traffic of both applications to be more similarDecryption could verify the correct use of the Signal protocol37

Future work Key extraction and message decryption (reverse engineering)Phone call verification abuseMetadata collectionWhatsApp, Instagram and Messenger integration38

Conclusion What are the algorithms used to create the Signal protocol?What are the differences between Signal and WhatsApp networktraffic?To what extent are WhatsApp messages encrypted to the Signalprotocol specifications?Is user-to-user message exchange via WhatsApp end-to-endencrypted? Probably yes39

References [1] P. R ̈osler, C. Mainka, and J. Schwenk, “More is less: On the end-to-end security ofgroup chats in signal, whatsapp, and threema,” 2018. [2] M. Marlinspike, “ There is no WhatsApp ’backdoor’),” 2017, last accessed 22 January2019. [Online]. Available: oor/ [3] M. Vigo, “Compromising online accounts by cracking2018, last accessed 21 January 2019. [Online]. ker/ [4] K. Cohn-Gordon, C. Cremers, B. Dowling, L. Garratt, and D. Stebila, “A formal securityanalysis of the signal messaging protocol,” in Security and Privacy (EuroS&P), 2017 IEEEEuropean Symposium on. IEEE, 2017, pp. 451–466. [5] WhatsApp, “Whatsapp encryption overview,” April 5, 2016, p. 12.voicemail systems),”40

WhatsApp is proprietary software Android version was analyzed. Protocol implementation remains the same for IOS Latest available version of WhatsApp(2.18.380) and Signal(4.32.8) 10

Related Books

WhatsApp Network Forensics: Discovering the Communication .

WhatsApp Network Forensics: Discovering the Communication .

Private & Confidential PRIVATE PLACEMENT MEMORANDUM

Private & Confidential PRIVATE PLACEMENT MEMORANDUM

1.1 Worksheet - Our World, Our Music

1.1 Worksheet - Our World, Our Music

Our Journey, Our Progress - Accenture

Our Journey, Our Progress - Accenture

Our Voices, Our Community

Our Voices, Our Community

How our technology-related insight helps our . - Gartner

How our technology-related insight helps our . - Gartner

CONTINUING OUR COMMITMENT LIFTING UP OUR

CONTINUING OUR COMMITMENT LIFTING UP OUR

SUMMER 2017 Our Community Our Hospital

SUMMER 2017 Our Community Our Hospital

2020 SCRIPTING GUIDE - Marketing Messages

2020 SCRIPTING GUIDE - Marketing Messages

Angel Guidance - Messages of Love and Healing

Angel Guidance - Messages of Love and Healing

CERC: Messages and Audiences - CDC

CERC: Messages and Audiences - CDC

Messages and Codes - IBM

Messages and Codes - IBM

PopularTags

Recent Views