Security Analysis Of Signal Messenger
Dipyaman Roy / February 2022 (1951 Words, 11 Minutes)
In this article we’ll be looking at the security of the instant messenger Signal. For this I’ll be referring to Signal’s third-party audits, research papers and articles concerning the protocol and applications.
Contents
- Messaging protocol
- Extended triple Diffie-Hellman (X3DH) key agreement
- Double ratchet algorithm
- Conclusion
- Other areas
- Contact discovery
- Database protection
- Closing thoughts
Messaging protocol
The Signal protocol is a secure instant messaging protocol used by many applications, including WhatsApp, Skype and Messages by Google. It is built on two underlying protocols, the Extended Triple Diffie-Hellman (X3DH) key agreement and the Double Ratchet algorithm. Its primary aim is to keep eavesdroppers with malicious intent, like Mallory, from decrypting messages while in transit.
The first formal security audit was done by Cohn-Gordon et al. in 2016 [1] and states the following:
[…] Our analysis proves that several standard security properties are satisfied by the protocol, and we have found no major flaws in its design, which is very encouraging.
However, a lot more research has been done since then on the underlying cryptographic protocols mentioned earlier. A few of those papers will be discussed in the following sections.
Extended triple Diffie-Hellman (X3DH) key agreement
The Extended Triple Diffie-Hellman (X3DH) key agreement, as the name states, is an extended form of an established key agreement protocol, Diffie-Hellman (DH). It establishes a shared secret key between two parties, who mutually authenticate each other based on their public keys. Writing this in one line doesn’t do justice to its elegance, so here are two videos by Dr Mike Pound from Numberphile which explain DH, and here’s a Medium article by Prof Bill Buchanan OBE which explains X3DH and highlights the nuances between it and simple DH.
A Bachelor’s thesis by van der Have (2021) [2] claims to establish some security goals of the X3DH protocol:
In this thesis, we have considered X3DH in the Signal protocol, and derived a proof of security. From the proof it follows that X3DH provides secrecy and authentication.
However, one limitation of the above thesis is that the author only proves DH’s integrity against classical threats (the realistic ones in the current timeframe), which are well researched. Another is that they were unable to test out-of-order decryption, meaning forward secrecy might not be preserved during the interval when a message has been received but not yet decrypted, due to, say, lack of network availability. Forward secrecy, very briefly, means that even if the long-term private keys are later compromised, the session keys derived earlier (and the messages they protected) stay secret.
Currently, in order to break DH, Mallory needs to solve a discrete logarithm problem. This requires extreme computation, with costs on the order of millions of dollars, something that is only feasible for government agencies [3]. Even then, the benefit is limited, as forward secrecy ensures that fresh keys are derived for every new message sent. Thus there won’t be a sustained compromise of the communication, and Mallory would only obtain a single message.
However, in a post-quantum scenario, X3DH in its current form would be broken. This is the subject of a research paper by Hashimoto et al. (2021) [4], where the authors aim to improve forward secrecy and deniability [5] and to establish post-quantum integrity. They summarise as follows:
[…] This results in the first post-quantum secure replacement of the X3DH protocol.
Although this research was not able to improve much upon forward secrecy, the other areas received significant leaps in security.
Such studies could improve Signal’s existing security massively, and we’ll see some more examples of post-quantum research being done on the protocol in the following section.
Double ratchet algorithm
The Double Ratchet algorithm is used by two parties to exchange encrypted messages based on a shared secret key. The parties use some key agreement protocol (such as X3DH) to agree on the shared secret key; the Double Ratchet is then used to send and receive encrypted messages. As with X3DH, this explainer does not suffice, so I’ll again leave you with Dr Mike Pound’s video.
A paper by Bobrysheva and Zapechnikov [6], presented at IEEE EIConRusNW (2020), concludes the following:
[…] The Double Ratchet algorithm is an elegant and straightforward protocol for providing classical security in messaging systems, although we can’t use it in post-quantum systems.
In another paper, presented at EUROCRYPT 2019, the researchers Alwen et al. [7] state that Signal’s elegance comes from the fact that forward secrecy and post-compromise security (PCS) are not only achieved together, but also without sacrificing immediate decryption and message-loss resilience (MLR). Forward secrecy was covered above, but a few other terms require an explainer at this stage. They are as follows:
- Post-compromise security (PCS): Once a compromise of the channel’s secrets (a leak, so to speak) has ended, security is restored.
- Immediate decryption: As it sounds, messages are decrypted as soon as they are delivered, with no delay and no extra round trip.
- Message-loss resilience (MLR): The communication channel should remain functional and secure even if a few messages were lost in transit.
This paper went further, quite like the paper by Hashimoto et al. mentioned above, to create a generalized double ratchet protocol, which ensures post-quantum integrity. In the introduction, the authors say the following:
As a result, in addition to instantiating our framework in a way resulting in the existing, widely-used Diffie-Hellman based Signal protocol, we can easily get post-quantum security and not rely on random oracles in the analysis.
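To make the properties above concrete, here is an added Python sketch (not code from the article or from Signal’s own implementation) of the symmetric-key half of the Double Ratchet: the chain-key KDF, overwriting of old chain keys (forward secrecy, as discussed under X3DH above), and stored skipped message keys (immediate decryption and message-loss resilience). The shared secret, the message contents and the XOR stand-in cipher are constructed for this example; a real implementation layers an AEAD and the DH ratchet on top.

```python
import hashlib
import hmac
# Symmetric-key ratchet in the shape the Signal Double Ratchet spec uses:
# KDF_CK(ck) -> (ck', mk) via HMAC-SHA256 with constants 0x01 / 0x02. The DH
# ratchet and AEAD are left out; the XOR keystream is a stand-in cipher only.
MAX_SKIP = 10  # bound on stored skipped message keys (the spec's MAX_SKIP)

def kdf_ck(ck: bytes) -> tuple[bytes, bytes]:
    """One ratchet step: returns (next chain key, message key)."""
    mk = hmac.new(ck, b"\x01", hashlib.sha256).digest()
    return hmac.new(ck, b"\x02", hashlib.sha256).digest(), mk

def xor_keystream(mk: bytes, data: bytes) -> bytes:
    """Stand-in cipher (not AEAD): XOR with SHA-256(mk || counter) blocks."""
    stream = b"".join(hashlib.sha256(mk + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Sender:
    def __init__(self, ck: bytes):
        self.ck, self.n = ck, 0

    def send(self, plaintext: bytes) -> tuple[int, bytes]:
        self.ck, mk = kdf_ck(self.ck)  # old ck is overwritten: forward secrecy
        self.n += 1
        return self.n - 1, xor_keystream(mk, plaintext)

class Receiver:
    def __init__(self, ck: bytes):
        self.ck, self.n, self.skipped = ck, 0, {}  # skipped: n -> message key

    def receive(self, n: int, ciphertext: bytes) -> bytes:
        if n - self.n > MAX_SKIP:
            raise ValueError("too many skipped messages")
        while self.n <= n:  # lost or delayed messages: ratchet past the gap, keeping keys
            self.ck, self.skipped[self.n] = kdf_ck(self.ck)
            self.n += 1
        if n not in self.skipped:  # key already consumed (replay) or never derived
            raise ValueError("no message key for counter %d" % n)
        return xor_keystream(self.skipped.pop(n), ciphertext)  # key used once, then dropped

def demo() -> tuple[bytes, bytes, bytes, int]:
    root = hashlib.sha256(b"constructed stand-in for the X3DH shared secret").digest()
    alice, bob = Sender(root), Receiver(root)
    msgs = [alice.send(b"first"), alice.send(b"second"), alice.send(b"third")]
    p2 = bob.receive(*msgs[2])  # arrives first: decrypted at once, keys 0 and 1 stored
    p0 = bob.receive(*msgs[0])  # arrives late: still readable (message-loss resilience)
    p1 = bob.receive(*msgs[1])
    return p0, p1, p2, len(bob.skipped)  # -> (b"first", b"second", b"third", 0)
```

After `demo()` returns, the receiver holds only the current chain key; none of the message keys that were used remain in its state, which is what limits a later state compromise to future traffic only.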
Conclusion
If you’ve read this far, you’ll have seen that the Signal protocol fends off current classical threats effectively. And seeing as quantum computers won’t become mainstream for at least the next decade (or two), I think Signal is safe. The papers cited above have also highlighted how the protocol can be strengthened to preserve its integrity in a post-quantum world.
Other areas
Contact discovery
We have seen that the Signal protocol keeps you safe from eavesdroppers. But Signal’s contact discovery raises serious privacy concerns, which might lead to widespread user tracking. This was demonstrated in the 2021 research paper by Hagen et al. [8], who write:
Our script for Signal uses 100 accounts over 25 days to check all 505 million mobile phone numbers in the US. Our results show that Signal currently has 2.5 million users registered in the US, of which 82.3 % have set an encrypted user name, and 47.8 % use an encrypted profile picture.
Thus, using their script, the authors managed to enumerate every Signal user registered in the US in less than a month. However, as alarming as this result looks, Signal fares much better at protecting user privacy during contact discovery than alternatives like WhatsApp and Telegram. Unlike WhatsApp and Telegram, which store contact information on their servers, Signal chooses not to. Also, Signal only gives away a user’s phone number, while other platforms may give away profile pictures, “about” information and other additional data.
This paper not only highlighted the concerns, it also improved upon the methodology of contact discovery, making such data gathering much more difficult and not feasible for a threat actor. The authors also reached out to Signal, who acknowledged that this is an issue inherent to contact discovery itself, but made the necessary changes to make the methodology used by the authors a lot more time consuming. They also set up “further defenses”.
Database protection
A 2019 paper by Kaczyński [9] highlights a different issue: one where a malicious actor has physical access to your device. In such a situation, the conclusion is rather glaring:
The research conducted and presented in this paper indicates the presence of many threats to the Signal users who currently do not have any mechanisms to protect the stored data, except those offered by the operating systems. This situation allows not only for reconstructing the history of conversations but also for impersonating one of the users participating in the communication using the application. Such an attack will not be detected by the other side, because common identifiers will not change.
Delving deeper, I found this relates to a recent saga between Signal’s developer, Moxie Marlinspike, and Cellebrite, the forensic tool mentioned in the paper which a malicious actor would use to extract data in this case. This blog post by Riana Pfefferkorn of Stanford details all that unfolded. The way Signal claims to throw off Cellebrite is by injecting a potential exploit, or noise, into every local Signal database. This is all based on an assumption from Marlinspike’s reveal of the matter, as Pfefferkorn states. Cellebrite has apparently pushed an update to mitigate this sort of ‘reverse-hack’.
I reached out to the author of the earlier paper for comment on whether these vulnerabilities still exist, and his answer was ‘to my best knowledge - they are still there’.
Another paper, by Son et al. (2022) [10], provides a proof of concept based on the aforementioned issue. The authors demonstrate how data can be extracted using a decryption script, which they published here. They state the following:
As a result, we could decrypt all encrypted database, multimedia, log, and preferences files of Signal, Wickr, and Threema.
Closing thoughts
Thus, upon delving into Signal’s security, I came away with the following:
- It has the best privacy practices of any mainstream instant messenger.
- The Signal protocol is one of the most secure instant messaging protocols currently available, and with certain changes it can be made post-quantum secure. Multiple messages in transit cannot currently be intercepted, even by governmental agencies, and this likely never will be feasible.
- Despite the flaws mentioned under Other areas, a malicious actor having physical access to your device and trying to extract data from a single application is beyond what most of our threat models call for.
- Signal has lately been making parts of its source code private, or pushing updates late [11] [12], as highlighted by Kaczyński in our conversation, which is not a good look. The justifications provided by the developers are up to the end user to accept. Since this article wasn’t meant to be a discussion on open source, I will refrain from commenting on this. However, alternative apps like Molly aim to improve upon Signal’s shortcomings while still allowing you to contact all Signal users.
- For casual communication, it is still the best instant messenger to have.
Footnotes
1. A Formal Security Analysis of the Signal Messaging Protocol - Cohn-Gordon et al. (2016)
2. The X3DH Protocol: A Proof of Security - van der Have (2021)
3. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice - Adrian et al. (2015)
4. An Efficient and Generic Construction for Signal’s Handshake (X3DH): Post-Quantum, State Leakage Secure, and Deniable - Hashimoto et al. (2021)
5. Further reading: On the Cryptographic Deniability of the Signal Protocol - Vatandas et al. (2020)
6. Post-Quantum Security of Messaging Protocols: Analysis of Double Ratcheting Algorithm - Bobrysheva and Zapechnikov (2020)
7. The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol - Alwen et al. (2019)
8. All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers - Hagen et al. (2021)
9. Security Analysis of Signal Android Database Protection Mechanisms - Kamil Kaczyński (2019)
10. Forensic analysis of instant messengers: Decrypt Signal, Wickr, and Threema - Son et al. (2022)