WhatsApp End-to-End Encrypted Backup Protocol Security Analysis

Slide Note
Embed
Share

This security analysis delves into the WhatsApp end-to-end encrypted backup protocol, highlighting the potential risks associated with chat history backups. It discusses the dangers of password guessing, the vulnerabilities of cloud providers, and proposes solutions for a more secure backup system to protect user data.


Uploaded on Sep 07, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. Security Analysis of the Security Analysis of the WhatsApp End WhatsApp End- -to to- -End Encrypted Backup Protocol Backup Protocol End Encrypted Gareth T. Davies, Sebastian Faller, Kai Gellert, Tobias Handirk, Julia Hesse, M t Horv rth, Tibor Jager 1

  2. 2

  3. Over 100 million users! We analysed this protocol 3

  4. How (not) to Backup Chat Histories Chat history lost when device is lost Backup Store Backup Choose random key Backup = Enc( , chat_history) Store key WhatsApp E2EE Backups 4

  5. 5

  6. WhatsApp E2EE Backups 6

  7. How (not) to Back Up Chat Histories Offline attackable: Backup Store Backup = Hash(pwd123) Backup = Enc( , chat_history) Guess password is pwd123 WhatsApp E2EE Backups 7

  8. Password Guessing Is Dangerous 100 million users if 80% use one of the 10 000 most used passwords and Cloud provider guesses 100 times for each user gets 8 million backup keys! roughly the population of Switzerland 111111 WhatsApp E2EE Backups 8

  9. How (not) to Backup Chat Histories Cloud Provider and WhatsApp can collude: No E2EE anymore! Backup Store Backup WhatsApp Server Choose random key Backup = Enc( ,chat_history) Store WhatsApp E2EE Backups 9

  10. 10

  11. Can We Have Best of Both Worlds? WhatsApp must not see the backup key Google/Apple must not see the backup key pwd User just remembers a password Idea: Use password-based cryptography! WhatsApp E2EE Backups 11

  12. Password-Authenticated Key Exchange OPAQUE [JKX18] Password Initialization: Key Exchange: Password and client file Per-Client seed Server Client export key and shared key export key store file for client shared key If password correct: server does not see the password in the clear! shared key = shared key and export key = export key WhatsApp E2EE Backups 12

  13. Sketch of WhatsApps Protocol Storing backup key at WhatsApp: Chooses password OPAQUE Init Backup Store Backup WhatsApp gets export key from OPAQUE c = Enc( , ) c stores c for client WhatsApp E2EE Backups 13

  14. Sketch of WhatsApps Protocol Guess password is pwd123 Retrieve backup key from WhatsApp: Chooses password Backup OPAQUE KE Store Backup WhatsApp gets export key and shared key from OPAQUE Problem: Server can still guess the password gets shared key from OPAQUE retrieve stored c e = Enc( , c) e c = Dec( ,e) = Dec( ,c) WhatsApp E2EE Backups 14

  15. Sketch of WhatsApps Protocol Retrieve backup key from WhatsApp: Chooses password Backup OPAQUE KE Store Backup WhatsApp HSM gets export key and shared key from OPAQUE gets shared key from OPAQUE retrieve stored c e = Enc( , c) e c = Dec( ,e) = Dec( ,c) WhatsApp E2EE Backups 15

  16. Intuitive Security Requirements = Verifiability of backup key High entropy of the backup key Secrecy of backup key Hard limit on attempts with wrong password WhatsApp E2EE Backups 16

  17. Our work shows: = Verifiability of backup key High entropy of the backup key Secrecy of backup key Hard limit on attempts with wrong password WhatsApp E2EE Backups 17

  18. Getting More than Ten Guesses +1 484 1234 Change pwd Delete old record of Client Create record for Client WhatsApp Server Client HSM record for , guesses: 10, (protected with pwd 1) (protected with pwd 1) record for , guesses: 10, (protected with pwd 2) record for , guesses: 10, WhatsApp E2EE Backups 18

  19. Getting More than Ten Guesses Change pwd Create record for Client WhatsApp Server Client HSM guess any of these record for , guesses: 10, (protected with pwd 1) (protected with pwd 1) record for , guesses: 10, (protected with pwd 2) record for , guesses: 10, (protected with pwd 3) record for , guesses: 10, WhatsApp E2EE Backups 19

  20. Conclusion Confirmed strong guarantees of WhatsApp s E2EE chat backups Malicious server gets more than ten password guesses Still good protocol when used with strong passwords Future work Consider HSM corruption Optimize protocol design Efficiency Hard limit on guesses Post-quantum Check out: https://github.com/facebook/voprf, https://github.com/facebook/opaque-ke WhatsApp E2EE Backups 20

More Related Content