With the right set of skills, messaging security can fairly easily be penetrated, but a team of researchers has developed a solution to this problem that will keep conversations between sender and recipient completely private.
Current end-to-end encryption technology contains vulnerabilities that allow attackers to gain access to conversations, allowing them to intercept, read, and alter future messages without either party knowing. However, the newly developed system, known as Detecting Endpoint Compromise in Messaging (DECIM), forces the attacker to leave evidence of their presence, while also alerting the sender and recipient so they can act as quickly as possible.
In a practical scenario explained by the University of Birmingham, the recipient’s device would certify an encryption key, then publish the certificate in the ledger; the sender’s device would then retrieve the encryption key and use it to send a message, which the recipient would access using a corresponding decryption key.
If an outside party wanted to intercept messages, they would need to pretend to be the recipient’s device and forge an encryption key. However, DECIM ensures that the ledger can’t be tampered with, and if the original recipient’s device notices the forgery, it essentially confirms an outside attacker.
Dr. Jiangshan Yu of the University of Luxembourg, Professor Mark Ryan of the University of Birmingham, and Professor Cas Cremers of the University of Oxford all worked on the project, each motivated by the discovery of numerous vulnerabilities in software. Their work detailing the protocol has been published in the journal IEEE Transactions on Information Forensics and Security.
“There are excellent end-to-end encryption services out there, but by definition they rely on your device itself remaining secure,” said Dr. Yu. “Once a device has been compromised there’s little we can do. That’s the problem we wanted to solve.”
To test DECIM’s capabilities, the team decided to put it through a formal analysis using a security protocol verification tool known as Tamarin Prover, which runs millions of attack scenarios. Messaging security protocols typically skip this step in development and it shows; when other protocols were put through Tamarin Prover, several security flaws were identified.
“Our Security and Privacy group tries to solve problems that are important to society,” explained Professor Ryan. “Given the prevalence of cyber-attacks on phones and laptops, we are proud of this work on detecting when encryption keys have become compromised.”
Now that DECIM has proven itself and its effectiveness, the team wants to apply it to blockchains, internet-based voting, and more. With the rising popularity of both forms of the technology, they’ll need additional security to make them more appealing to businesses and consumers.