Yeah. Thank you for the introduction. So my talk is about the end-to-end security of group chats, especially in instant messaging, and this is joint work together with Christian Mainka and Jörg Schwenk. So last year at Real World Crypto there was a talk on the provable security of the Signal key exchange. And since WhatsApp implements the Signal key exchange, the result was that what WhatsApp is doing is good. And in contrast to this, what we kind of found out about the group communication protocol in WhatsApp, and also partially in Signal, was at least not as secure as we expected.

So if you talk about group chats, we talk about dynamic groups of users. So users can be added to groups to become members, but they can also leave groups. And all users of one protocol are assumed to communicate via one central server. So this is motivated by the fact that modern instant messaging protocols are structured in this architecture. And we call group instant messaging secure if not only attackers on the network are defended against by transport layer protection, but also the layer among the users from one end to another is protected, such that potentially malicious servers are defended against.

So the outline for this talk is: I first present the security model containing the security goals which we require to be achieved and the attackers which we regard. Then I will sketch the protocols that we analyzed. These are Signal and WhatsApp. And due to the time restrictions, I will exclude three more. And after sketching them, I will describe weaknesses regarding traceable delivery and closeness, which are the security goals which I will focus on during this talk. And after describing the weaknesses, I will explain the underlying problems and propose possible solutions to enhance the protocols respectively.

So the security goals which we regard can be split into confidentiality goals and integrity goals. And I guess the first two are commonly known here.
So message confidentiality means that only the communicating parties know the messages that are communicated, and message authentication means that the messages are neither forged nor manipulated in transmission. And both of these goals can be applied to the two-party scenario as well as the group scenario. And this also holds for the next two reliability goals, no duplication and traceable delivery. No duplication means that if a message is sent once, then it is at most received once by its receivers. And traceable delivery, which is one of the focus goals, means that, so you probably know these checkmarks in WhatsApp and Signal, and traceable delivery requires that these checkmarks are valid. So a receipt is only indicated if all the receivers received the respective message.

To capture the group setting, we add the following two security goals, closeness and no creation. I first explain no creation. No creation means that only members of a group can communicate among each other. So outsiders cannot contribute to the conversation within the group if they are not a member. And closeness, which is the second focus of this talk, means that only the members of a group, or if there exists an administrator, then only the administrator, can decide who becomes a member of a group. So outsiders cannot join a group if they were not invited and thereby were not added by one of these, either members or administrator.

And we want these goals to be achieved against the following two attackers. The first one is the malicious server. And the malicious server is defined to be able to decrypt the transport layer protection and thereby manipulate or drop messages without the transport layer protection being applied. And, yeah, practical examples are the instant messaging provider itself or someone who is, for example, able to forge TLS certificates on the network.
And what my presentation will, yeah, kind of show is that traceable delivery is neither reached by Signal nor by WhatsApp. So that means that these checkmarks can be forged by the malicious server, such that messages can be dropped without being detected by a user. And in addition to that, WhatsApp does not reach closeness. And this means that the WhatsApp server can add herself to the group without being invited to the group.

The second attacker which we regard is the compromising attacker. And the compromising attacker has the ability to obtain secrets for a short time frame from the users that communicate. And this is motivated by, for example, me losing my smartphone, and thereby someone who finds the smartphone obtains the secrets that are stored on the smartphone; or someone installing a virus on my smartphone that leaks the secrets towards the attacker; or someone brute-forcing certain secrets that I used for a short time frame. Yeah, and thereby these secrets are leaked. And linked to this attacker are the following two advanced security goals, forward secrecy and future secrecy. Forward secrecy means that if I communicate today with my smartphone, and tomorrow my smartphone is stolen, then the secrets that are stored on my smartphone, and thereby obtained by the attacker, cannot be used to gain any information on my previous communication. So somehow the secrets that are used for communication today are invalidated on the smartphone, such that past communication stays secure. Future secrecy, which is also known as post-compromise security or backward secrecy, means that if I, for example, check in at the airport, and thereby have to hand over my smartphone to the police, and the police make a copy of the secrets, and I get back my smartphone and start communicating again, then somehow the protocol recovers into a secure mode such that future communication becomes secure again.
And even though the Signal protocol reaches future secrecy in the two-party scenario, which was shown by the work last year, we show that Signal does not reach closeness against the compromising attacker, and thereby somehow confidentiality is not really reached against the compromising attacker.

In order to understand the weaknesses that I just sketched, I first present you the protocols. First of all, the Signal protocol. So if a user, Alice, wants to send a message M to group G, of which she and Bob, Charlie, and Dave are members, she takes this message together with a timestamp and the static group ID and encrypts these three values to each of the three remaining members. And therefore, Alice will use the communication channels for direct communication, and this communication channel has forward and future secrecy as properties. And thereby the group ID kind of serves as a proof of membership. So if Bob, Charlie, and Dave receive the ciphertext and decrypt it, they will check if the group ID matches the group, and if this is the case, they will accept it as a group message. And after doing so, Bob, Charlie, and Dave will reply with an acknowledgment that contains the sender ID, the receiver ID, and the message timestamp. And this acknowledgment, or these acknowledgments, are then sent back to Alice, and as soon as Alice has received all acknowledgments, the receipt of the message will be indicated.

If Alice, instead of sending a content message, wants to send a group update message, so she wants, for example, to add a new user, Eve, to group G, she encodes this information within the message and then encrypts this information again, together with a timestamp and the group ID, to each respective member of the group, and as soon as they decrypt the message or the ciphertext, they will accept the new user Eve as a new group member of group G.

So the first weakness that I present starts with the malicious server dropping the ciphertext to Dave.
Now Dave will of course not reply with an acknowledgment, and therefore Alice will not indicate the message to be received. But since the acknowledgment only contains information that the malicious server knows, namely the sender ID, the receiver ID, and the message timestamp, the server can directly forge this acknowledgment and send it to Alice, such that Alice will indicate the receipt even though the ciphertext, and thereby the message, was never seen by user Dave. And consequently, traceable delivery is not reached in Signal against the malicious server.

The second weakness starts with a compromise of one of the group users, in this case Alice. And thereby, among other secrets, the group ID of group G is leaked towards the attacker. Now the attacker can use this group ID to create the following group message, which says that a user S, which is in this case the server, is added to the group G. Now this information of adding S, together with the timestamp and the group ID, is encrypted by user S to every remaining member of the group. Now since the group ID is correct, Alice, Bob, Charlie, and Dave will receive the ciphertext, decrypt it, and accept it as a correct group update message, and thereby the server will become a member of the group without being invited by one of the group members. So consequently, closeness is not reached against the compromising attacker in Signal.

The next slide aims to somehow explain the differences between the WhatsApp protocol and the Signal protocol, and there are two major differences. The first one is that instead of encrypting a group message to every remaining member of a group separately, in WhatsApp the message only needs to be encrypted once, and this is because every group member maintains a group sender state, and this group sender state is created once and then distributed to all remaining members, and since this sender state is symmetric, Alice can use it for encryption and the remaining users can use it for decryption.
So consequently only one ciphertext is sent by Alice instead of three. The second difference is that group updates are not encrypted but sent in plain to the server, and then the server will forward the information of a group update. Now since the acknowledgments and the group updates are not protected, they can both be forged, such that traceable delivery and closeness are both not reached against the malicious server in WhatsApp.

So what are the underlying problems? The first problem for not reaching traceable delivery is that the acknowledgments in both protocols are not authenticated, but there exist two ways within the protocols that could be used for authentication. So the first one is simply treating the acknowledgments as normal content messages and thereby encrypting them, and since the protocols implement authenticated encryption, these acknowledgments would be authenticated directly. A second way would be, in WhatsApp, using the signature key pairs that every group member in the WhatsApp protocol maintains, so thereby authenticity would again be reached.

Now what we propose is enhancing the protocols and making them more effective by using the properties of the Signal key exchange, which is implemented by both Signal and WhatsApp, and thereby using the key streams that are thereby implied. So if Alice and Bob communicate in WhatsApp or Signal, they both have an established state that also contains a key k0 that is equal for both users. So if Alice wants to send a message m1, she first derives a k1 from k0 and uses this k1 for encryption to obtain ciphertext1. Then Alice will send ciphertext1 together with the information which key she was using, which is in this case k1. Now Bob will derive the same k1 from k0 and use it for decryption to obtain message1.
Now suppose Alice wants to send a message m2. She will repeat these steps, derive a k2, and use it for encryption, but now assume that the ciphertext that is the result of this is dropped on the network and never forwarded to Bob. Now if Alice wants to send a third message, she again repeats it, derives k3 from k2, uses it for encryption, and sends the ciphertext to Bob. Now Bob of course knows that k2 will not be usable to decrypt ciphertext3 to obtain message3. So first of all, k2 is derived from k1, and then k3 is obtained by deriving it from k2, and this k3 can then be used for decryption. But the problem of both protocols is that the information that k2 was never used for decryption is simply ignored.

So what we propose is, first of all, acknowledging the latest in-order received message, which is in this case message1, and this information, this acknowledgement, does not need to be sent explicitly but could also be embedded within the next content message, and thereby the message complexity of the protocols would be reduced. The second thing which we propose is that some kind of a negative acknowledgement is sent back to the original sender as soon as a key was derived and the previous key, which was also derived, was not used for decryption, so this information that a message was possibly dropped is used by the protocols. Yeah, so this one is then sent back to Alice, and Alice would know that she has to resend message2.
In order to understand the problems why closeness is not reached in the protocols, first it needs to be understood how the protocols treat group messages, and there are two different approaches. We call them the guest list approach and the ticket approach. The guest list approach, which is implemented by WhatsApp, means that every group member maintains a list of the remaining group members, and as soon as a member receives a group message, this list of members is checked for the sender, and if the sender is on this group list, this message is accepted as a group message. In Signal, in contrast to this, the ticket approach is used. So this means the group ID serves like a ticket that proves that the sender is in the group. So if the group ID, and thereby the ticket, is correct, then the message is accepted as a group message. But the problems are that the guest list in WhatsApp is manipulable by the server, and the problem in Signal is that the group ID is static, and thereby future secrecy cannot be reached by the protocol.

So what we propose in order to reach closeness is, first of all, authenticating the group update messages in WhatsApp, and there are plenty of ways, as I said for the acknowledgments and traceable delivery. In addition to that, some kind of guarantees on the termination of group updates, or group update operations, needs to be given to the sender or someone else who is responsible for observing what happens in the group, and therefore we kind of need causality. But as we discussed with Moxie Marlinspike during our responsible disclosure, we of course want that in instant messaging, messages are instantly delivered. So independent of in which order they were sent, they need to be distributed to the receiver. So reordering, delay, or loss of messages is accepted as normal operation. So causality as an ordering goal cannot, yeah, cannot be required in instant messaging, but therefore we at least require traceable delivery, since therefore the sender, or, yeah, in a generic protocol,
someone, would be informed, yeah, reliably on the termination of a group update operation. The same needs to hold for the ticket approach, but in addition to that, the, yeah, the group secret, or in the Signal protocol the group ID, needs to be updated such that future secrecy can be reached. And there is work on this in the group key exchange literature, and I, yeah, I added there two papers, and what I saw on the train to Zurich is that the results of the second paper, yeah, were recently published on GitHub by the Facebook research team. So I think there is progress in the right direction.

To summarize this talk and our contributions: first, we present, and, yeah, worked out, a model for group instant messaging that covers both security and reliability, and since we focus on the instant messaging, so the instant delivery of messages, this model can be used for developing and analyzing real-world protocols. Then we describe three major instant messaging protocols, of which two are closed-source software, and none of them was formally described in, yeah, in a way, so this required some reverse engineering. And finally, we applied this model to these three protocols and revealed that at least what we were requiring and what we were expecting was not reached by these protocols. And this is some kind of a sketch of our results and of the weaknesses that we found. So the full work can be found on ePrint, and of course you can contact me. So thank you very much for the attention.

Thank you, Paul. Okay, questions for Paul? Okay, I'll start. So in the attack where the server was adding themselves, can you pop back to that slide?

I'll try. Yeah, Signal, I guess this one.

Yes. So the notation E sub S, that means S is doing the encryption?

Yes.

With authentication, like, that's AEAD?

Yes.

So all the clients know that S sent it.

Yes, that's true. Hopefully ignore that fact. So when we were analyzing the protocol, there was no information on who was initiating the group update operation, so
it was just an information that someone added Eve, or in this case S, to the group. But currently this is indicated in the protocol, but since messages can be dropped on the network, yeah, the information or the communication can be kind of disrupted, such that maybe not all of the members will understand what happened.

Right. What if, what if Alice sends a message to, like, B, C, and D saying to add herself to a group? Like, Alice, Bob, Charlie, Dave are part of a group, but B, C, and D are also part of another group Alice isn't part of, and then Alice sends that very message but adding herself. Would that, yeah?

For this, of course, she has to know the group ID of the other group of which she's not a member, so she again needs to compromise one of the other group members.

The group ID is a big random nonce, it's not...

Yes, true.

Okay, okay, good. Any other questions? Anyone up top? No? All right, let's thank Paul again.
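An added example, not part of the talk and not code from the Signal or WhatsApp projects, placed here after the Q&A so it does not interrupt the transcript. It simulates the acknowledgement proposal from the talk: Alice and Bob share a root key k0, every message is encrypted under the next key of the chain (k1, k2, k3, ...) and carries its key index; Bob acknowledges the latest in-order received message and reports a negative acknowledgement for any key he had to derive but never used for decryption, which tells Alice that message2 was possibly dropped and must be resent. The HMAC-based key derivation, the toy encrypt-then-MAC cipher, the packet tuple and the report dictionary are constructed placeholders chosen so the simulation runs offline; that Bob keeps derived-but-unused keys so a late or resent message can still be decrypted is an assumption of this example, not something the talk states.

```python
import hashlib
import hmac


def kdf(prev_key: bytes) -> bytes:
    """One step of the symmetric key chain: k_{i+1} = HMAC(k_i, "chain"). Placeholder KDF."""
    return hmac.new(prev_key, b"chain", hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC standing in for the protocols' authenticated encryption."""
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    body, tag = ciphertext[:-32], ciphertext[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")      # forged or manipulated ciphertext
    return bytes(c ^ s for c, s in zip(body, _keystream(key, len(body))))


class Sender:
    """Alice: derives k_i per message and keeps unacknowledged messages for retransmission."""

    def __init__(self, k0: bytes):
        self.key, self.index, self.unacked = k0, 0, {}

    def send(self, plaintext: bytes):
        self.index += 1
        self.key = kdf(self.key)
        self.unacked[self.index] = (self.key, plaintext)
        return self.index, encrypt(self.key, plaintext)   # packet = (key index, ciphertext)

    def resend(self, idx: int):
        key, plaintext = self.unacked[idx]
        return idx, encrypt(key, plaintext)

    def handle_report(self, report: dict) -> list:
        """Drop everything covered by the in-order ack; return indices Bob negatively acknowledged."""
        for i in [i for i in self.unacked if i <= report["ack"]]:
            del self.unacked[i]
        return [i for i in report["nack"] if i in self.unacked]


class Receiver:
    """Bob: derives the same chain; tracks which derived keys were actually used."""

    def __init__(self, k0: bytes):
        self.key, self.index = k0, 0
        self.pending = {}     # derived keys not yet used for decryption (assumption: kept for late arrivals)
        self.used = set()     # indices already decrypted
        self.acked = 0        # latest in-order received message

    def receive(self, packet):
        idx, ciphertext = packet
        if idx in self.used:
            raise ValueError(f"message {idx} already received")   # no duplication
        while self.index < idx:                    # derive forward up to the announced key index
            self.index += 1
            self.key = kdf(self.key)
            self.pending[self.index] = self.key
        plaintext = decrypt(self.pending[idx], ciphertext)
        del self.pending[idx]
        self.used.add(idx)
        while self.acked + 1 in self.used:         # advance the in-order acknowledgement
            self.acked += 1
        # keys derived but never used => the corresponding messages were possibly dropped
        return plaintext, {"ack": self.acked, "nack": sorted(self.pending)}


def run_scenario():
    """The talk's scenario: message2 is dropped on the network, message3 arrives, Bob reports, Alice resends."""
    k0 = b"\x00" * 32                               # constructed shared root key (from the key exchange in practice)
    alice, bob = Sender(k0), Receiver(k0)
    p1, _p2_dropped, p3 = alice.send(b"message1"), alice.send(b"message2"), alice.send(b"message3")
    log = [bob.receive(p1), bob.receive(p3)]        # p2 never reaches Bob
    to_resend = alice.handle_report(log[-1][1])     # Alice learns that message2 must be resent
    log.append(bob.receive(alice.resend(to_resend[0])))
    return log, to_resend


if __name__ == "__main__":
    for plaintext, report in run_scenario()[0]:
        print(plaintext, report)
```

In the simulation Bob's report is handed to Alice as a Python object; in the protocol it would be embedded in Bob's next content message, as the talk proposes, so it travels inside the authenticated channel and a server cannot forge or strip it the way it can forge today's plain acknowledgements. The tag check in `decrypt` is what makes a manipulated ciphertext fail rather than decrypt to garbage.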