People are leaving WhatsApp for Signal and Telegram. Privacy matters more than ever. Have we ever stepped back and thought carefully about how these applications handle end-users' privacy? Is it a myth, a promise, or something backed up by scientific evidence? How can we, as end-users, verify these claims?
This presentation will explain the history of the development of Signal and Telegram, and how they handle users' data privacy under the technical microscope.
Prerequisites: some fundamental knowledge about cryptography: symmetric encryption; asymmetric encryption; public key; private key.
33. MAC - Message Authentication Code
Encryption ensures confidentiality, but not integrity.
Question: If an attacker changes any byte of the ciphertext, the decrypted value becomes garbage. Why is the encryption
algorithm not enough?
Answer: Some encryption modes are malleable: an attacker can change specific bytes of the ciphertext so that specific bytes of the plaintext change in a predictable way (in a stream or CTR mode, flipping a ciphertext bit flips the same plaintext bit). That changes the meaning of the message without knowing the key, and the receiver cannot tell.
There are 2 possible ways to fix this:
• Use the class of "authenticated encryption" algorithms: encrypt and authenticate at the same time. Example: OCB
mode or GCM mode
• Use the class of MAC algorithms for integrity and authentication on top of the encryption (encrypt-then-MAC). Example: HMAC
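A worked example of both halves of the answer, added here (it is not code from the presentation): a CTR-style stream cipher whose ciphertext an attacker can edit byte by byte without the key, and the encrypt-then-MAC wrapper that makes the same edit detectable. The cipher is a toy HMAC-based keystream standing in for AES-CTR so the file runs on the Python standard library; the keys, nonce, message and function names are constructed for this example.

```python
import hashlib
import hmac

# Constructed keys and nonce so the example is deterministic (never reuse a nonce in practice).
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
NONCE = b"\x00" * 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-mode keystream: block i = HMAC-SHA256(key, nonce || i).

    Stands in for AES-CTR so the example needs no third-party library. Like AES-CTR
    it is malleable: flipping a ciphertext bit flips the same plaintext bit.
    """
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return xor(data, keystream(key, nonce, len(data)))


ctr_decrypt = ctr_encrypt  # XOR with the same keystream is its own inverse


def flip_byte(ciphertext: bytes, offset: int, old: int, new: int) -> bytes:
    """Attacker step: turn plaintext byte `old` at `offset` into `new`, with no key."""
    ct = bytearray(ciphertext)
    ct[offset] ^= old ^ new
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the whole ciphertext."""
    ct = ctr_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> "bytes | None":
    """Verify the tag first (constant-time compare); decrypt only if it matches."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject: the ciphertext was modified or forged
    return ctr_decrypt(enc_key, nonce, ct)


def malleability_demo() -> bytes:
    """Encryption alone: the attacker changes '$100' to '$900' without the key."""
    msg = b"pay $100 to Bob"
    ct = ctr_encrypt(ENC_KEY, NONCE, msg)
    tampered = flip_byte(ct, 5, ord("1"), ord("9"))  # attacker only guesses the layout
    return ctr_decrypt(ENC_KEY, NONCE, tampered)


def etm_demo() -> tuple:
    """Encrypt-then-MAC: the genuine blob opens, the same tampering is rejected."""
    msg = b"pay $100 to Bob"
    blob = seal(ENC_KEY, MAC_KEY, NONCE, msg)
    tampered = flip_byte(blob, 16 + 5, ord("1"), ord("9"))  # same flip, inside the sealed blob
    return open_sealed(ENC_KEY, MAC_KEY, blob), open_sealed(ENC_KEY, MAC_KEY, tampered)


if __name__ == "__main__":
    print(malleability_demo())
    print(etm_demo())
```

Production code would use an AEAD such as AES-GCM from a maintained library rather than assembling the pieces by hand; the manual version is here to show why the tag must be checked before decryption, why the comparison must be constant-time, and why the tag has to cover the nonce as well as the ciphertext.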
42. Design
Signal treats a group chat as 1-1 chats between multiple people (fan-out model: the sender encrypts the message separately for each member and delivers it over the existing pairwise session)
• Keeps all advantages of the already developed private chat protocol
• The Signal server is not aware of the group -> secrecy of group membership is maintained
Figure: unencrypted message sending flow versus Signal's fan-out model
43. Group metadata management
In the old design, Signal did not store any information about a group's metadata. Disadvantages:
- No role system: all users have the same role in the group, because any individual can claim to be the group
leader and nothing on the server can verify it
- Updating the same resource (group information / avatar / ...) is a race condition -> clients must implement an asynchronous
consensus protocol among themselves. Not a trivial task, because some devices can go offline at any time.
44. Group metadata management
New version: Signal stores encrypted group information on the server, encrypted under a MasterKey that only the clients hold.
Question: All data is encrypted (even Signal cannot read it), so how can Signal authenticate users as members of the group?
58. Signal group metadata management
Alice is a member of the group -> Alice holds the GroupMasterKey (the Signal server never holds this key).
Alice goes to the server and uses a zero-knowledge proof to show the Signal server that she can decrypt this
information, without revealing anything about the group to the server.
Alice adds Bob to the group:
She sends the server a new entry encrypting Bob's UID. Alice also sends Bob the GroupMasterKey via an encrypted
Signal message.
Now that Bob is a member of the group, he'd like to learn who's in the group. He can prove he is a member using his
AuthCredential, then download all the entries and decrypt them with the GroupMasterKey. If he has been granted the
appropriate role, Bob can also add Charlie to the group, just as Alice added him.
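A runnable model of the flow on slides 44 and 58, added here as an illustration (it is not Signal's code and not the zkgroup library): the server stores only entries encrypted under the GroupMasterKey, identifies the group by a public value derived from that key, and demands a Schnorr zero-knowledge proof of knowledge of the matching secret before any read or write. Everything runs on the Python standard library with toy parameters: a 127-bit Mersenne prime instead of Signal's Ristretto255 group, an HMAC-based deterministic entry cipher, and the role kept inside the encrypted entry and checked by the client. The names GroupServer, Member, prove, verify, encrypt_entry and the UIDs are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Toy parameters, NOT Signal's real ones: P = 2^127 - 1 is a Mersenne prime and G
# generates a subgroup of Z_P^* large enough for an illustrative Schnorr proof.
P = (1 << 127) - 1
G = 3
ORDER = P - 1  # exponents are reduced modulo the order of Z_P^*


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 as the PRF from which everything is derived from the GroupMasterKey."""
    return hmac.new(key, b"\x00".join(parts), hashlib.sha256).digest()


def group_secret(master_key: bytes) -> int:
    # Stand-in for GroupSecretParams: a scalar only key holders can compute.
    return int.from_bytes(prf(master_key, b"secret"), "big") % ORDER


def group_public(master_key: bytes) -> int:
    # Stand-in for GroupPublicParams: the server names the group by this value.
    return pow(G, group_secret(master_key), P)


def encrypt_entry(master_key: bytes, plaintext: bytes) -> bytes:
    # Deterministic SIV-style toy cipher: equal plaintexts give equal entries, so the
    # server can match entries it cannot read. Plaintexts are at most 32 bytes.
    iv = prf(master_key, b"iv", plaintext)[:16]
    ks = prf(master_key, b"ks", iv)
    return iv + bytes(a ^ b for a, b in zip(plaintext.ljust(32, b"\0"), ks))


def decrypt_entry(master_key: bytes, entry: bytes) -> bytes:
    iv, ct = entry[:16], entry[16:]
    ks = prf(master_key, b"ks", iv)
    return bytes(a ^ b for a, b in zip(ct, ks)).rstrip(b"\0")


def challenge(y: int, t: int, ctx: bytes) -> int:
    # Fiat-Shamir: the challenge hashes the commitment and the request the proof covers.
    data = y.to_bytes(16, "big") + t.to_bytes(16, "big") + ctx
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER


def prove(master_key: bytes, ctx: bytes) -> tuple:
    """Non-interactive Schnorr proof of knowledge of the scalar behind group_public()."""
    x, r = group_secret(master_key), secrets.randbelow(ORDER)
    t = pow(G, r, P)
    return t, (r + challenge(group_public(master_key), t, ctx) * x) % ORDER


def verify(y: int, proof: tuple, ctx: bytes) -> bool:
    t, s = proof  # g^s == t * y^c  <=>  prover knew x with y = g^x
    return pow(G, s, P) == (t * pow(y, challenge(y, t, ctx), P)) % P


@dataclass
class GroupServer:
    """Holds opaque entries per group; checks a proof before every read or write."""
    groups: dict = field(default_factory=dict)

    def create(self, y: int, entry: bytes) -> None:
        self.groups[y] = [entry]

    def fetch(self, y: int, proof: tuple) -> list:
        if not verify(y, proof, b"fetch"):
            raise PermissionError("not a member")
        return list(self.groups[y])

    def add(self, y: int, proof: tuple, entry: bytes) -> None:
        if not verify(y, proof, b"add" + entry):  # proof is bound to this exact entry
            raise PermissionError("not a member")
        self.groups[y].append(entry)


class Member:
    def __init__(self, uid: str, server: GroupServer):
        self.uid, self.server, self.master_key = uid, server, None

    def create_group(self) -> None:
        self.master_key = secrets.token_bytes(32)
        entry = encrypt_entry(self.master_key, f"{self.uid}:admin".encode())
        self.server.create(group_public(self.master_key), entry)

    def receive_invite(self, master_key: bytes) -> None:
        self.master_key = master_key  # arrives over the existing encrypted 1-1 Signal session

    def members(self) -> dict:
        entries = self.server.fetch(group_public(self.master_key), prove(self.master_key, b"fetch"))
        return dict(decrypt_entry(self.master_key, e).decode().split(":") for e in entries)

    def add(self, other: "Member", role: str = "member") -> None:
        if self.members()[self.uid] != "admin":  # role is inside the ciphertext: client enforces it
            raise PermissionError("only admins may add members")
        entry = encrypt_entry(self.master_key, f"{other.uid}:{role}".encode())
        self.server.add(group_public(self.master_key), prove(self.master_key, b"add" + entry), entry)
        other.receive_invite(self.master_key)


def scenario() -> dict:
    """Alice creates a group and adds Bob; Bob reads the roster; an outsider and a non-admin fail."""
    server = GroupServer()
    alice, bob, charlie, eve = (Member(n, server) for n in ("alice", "bob", "charlie", "eve"))
    alice.create_group()
    alice.add(bob)
    results = {"roster_seen_by_bob": bob.members()}
    eve.master_key = secrets.token_bytes(32)  # wrong key -> proof does not verify against Alice's group
    try:
        server.fetch(group_public(alice.master_key), prove(eve.master_key, b"fetch"))
        results["eve_rejected"] = False
    except PermissionError:
        results["eve_rejected"] = True
    try:
        bob.add(charlie)
        results["bob_blocked"] = False
    except PermissionError:
        results["bob_blocked"] = True
    stored = b"".join(server.groups[group_public(alice.master_key)])
    results["server_sees_uids"] = any(u in stored for u in (b"alice", b"bob"))
    return results
```

The proof here only shows "I know the key", which is why Eve is rejected but a removed member who still remembers the old key would not be. Signal's real scheme has the server issue an AuthCredential on the member's UID and the member presents it bound to their own encrypted entry, so the statement proved is "this UID is currently in this group", and the server can enforce removal without ever learning the UID.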