Analysis of Group Instant Messaging Protocols presented at IEEE EuroS&P 2018

17.04.2018 - Paul Rösler

The paper "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema" by Paul Rösler, Christian Mainka, and Jörg Schwenk will be presented at IEEE EuroS&P 2018 next week in London.

This paper proposes a first security model that covers all primary goals of secure (group) instant messaging and thereby combines research from different cryptographic fields such as authenticated key exchange, secure channel protocols, and reliable broadcast. Using this model, they analyzed three major instant messaging apps and revealed that they do not reach this notion of security.

Apart from the paper itself [1], there are two blog posts [2], [3] that describe the contributions plus a list of various newspaper articles [4], [5], [6], [7], [8], [9].

[1]https://eprint.iacr.org/2017/713.pdf
[2]https://web-in-security.blogspot.de/2017/07/insecurities-of-whatsapps-signals-and.html
[3]https://web-in-security.blogspot.de/2018/01/group-instant-messaging-why-baming.html
[4]https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging-in-whatsapp-and-signal/
[5]https://www.wired.com/story/whatsapp-security-flaws-encryption-group-chats/
[6]https://www.schneier.com/blog/archives/2018/01/whatsapp_vulner.html
[7]https://www.heise.de/security/meldung/WhatsApp-und-Signal-Forscher-beschreiben-Schwaechen-verschluesselter-Gruppenchats-3942046.html
[8]http://www.spiegel.de/netzwelt/apps/whatsapp-gruppenchats-schwachstelle-im-verschluesselungs-protokoll-a-1187338.html
[9]http://www.sueddeutsche.de/digital/it-sicherheit-wie-fremde-sich-in-whatsapp-gruppenchats-einladen-koennen-1.3821656

tags: conference, end-to-end, EuroS&P, group, ieee, instant messaging