Abstract
Modern smartphone messaging apps now use end-to-end encryption to provide authenticity, integrity and confidentiality. Consequently, the preferred strategy for wiretapping such apps is to insert a ghost user by compromising the platform's public key infrastructure. The use of warning messages alone is not a good defence against a ghost user attack since users change smartphones, and therefore keys, regularly, leading to a multitude of warning messages which are overwhelmingly false positives. Consequently, these false positives discourage users from viewing warning messages as evidence of a ghost user attack. To address this problem, we propose collecting evidence from a variety of sources, including direct communication between smartphones over local networks and CONIKS, to reduce the number of false positives and increase confidence in key validity. When there is enough confidence to suggest a ghost user attack has taken place, we can then supply the user with evidence to help them make a more informed decision.
Original language | English |
---|---|
Title of host publication | 27th International Workshop on Security Protocols |
Place of Publication | Cambridge |
Pages | 245-257 |
Number of pages | 12 |
DOIs | |
Publication status | Published - 24 Jun 2019 |
Event | 27th International Workshop on Security Protocols - Trinity College, Cambridge, United Kingdom Duration: 10 Apr 2019 → 12 Apr 2019 https://www.cl.cam.ac.uk/events/spw/2019/ |
Conference
Conference | 27th International Workshop on Security Protocols |
---|---|
Abbreviated title | SPW |
Country/Territory | United Kingdom |
City | Cambridge |
Period | 10/04/19 → 12/04/19 |
Internet address |
Keywords
- trust establishment
- public key evidence
- end-to-end encryption
- secure messaging
- security usability
- informed consent