Secure Messaging Authentication against Active Man-in-the-Middle Attacks

Abstract

Modern messaging applications often rely on out-of-band communication to achieve entity authentication, with human users verifying and attesting to long-term public keys. This is done primarily to reduce reliance on trusted third parties by replacing that role with the user. Despite a great deal of research focusing on analyzing the confidentiality aspect of secure messaging, the entity authenticity aspect of it, which relies on the user mediation, has been largely assumed away. Consequently, while many existing protocols provide some confidentiality guarantees after a compromise, such as post-compromise security (PCS), authenticity guarantees are generally lost, especially against an active attacker. This leads to potential man-in-the-middle (MitM) attacks. In this work, we address this gap by proposing a model to formally capture user-mediated entity authentication, as used by real-world protocols, that can be composed with any ratcheted key exchange. Our threat model captures active post-compromise entity authentication security. We demonstrate that the Signal application's user-mediated authentication protocol cannot be proven secure in this model and suggest a straightforward fix for Signal that allows the detection of an active adversary. Our results have direct implications for other existing and future ratcheted secure messaging applications.