A group of academic security researchers has reviewed the security of the Signal protocol, which is used in the Signal encrypted messaging app as well as in many third-party apps, and found that it is both secure and resistant to attack.
The review, conducted by researchers from universities in the U.K., Canada, and Australia, examined the cryptographic underpinnings of Signal. It found no serious security problems and pronounced the protocol sound and resilient, even in the face of compromise. Signal, developed by Open Whisper Systems several years ago, is designed to provide encrypted messaging and is used in many high-profile apps, including WhatsApp, Facebook, and Google Allo.
The researchers from the University of Oxford, Queensland University, and McMaster University took an in-depth look at the intricacies of the Signal protocol, its cryptographic foundation, and the ways in which it is implemented. They came away generally impressed with what they found.
“First, our analysis shows that the cryptographic core of Signal provides useful security properties. These properties, while complex, are encoded in our security model, and we prove that Signal satisfies them under standard cryptographic assumptions. Practically speaking, they imply secrecy and authentication of the message keys which Signal derives, even under a variety of adversarial compromise scenarios such as forward security (and thus ‘future secrecy’). If used correctly, Signal could achieve a form of post-compromise security, which has substantial advantages over forward secrecy,” the researchers say in their paper, “A Formal Security Analysis of the Signal Messaging Protocol”.
This audit is the first full-scale public investigation of the security of Signal, a protocol that many cryptographers and security experts have praised. The researchers assessed Signal’s security under the assumption that the network the device uses is hostile and controlled by an adversary. They found Signal’s approach to the protection of keys to be well done.
“Signal’s mechanisms suggest a lot of effort has been invested to protect against the loss of secrets used in specific communications. If the corresponding threat model is an attacker gaining (temporary) access to the device, it becomes crucial if certain previous secrets and decrypted messages can be accessed by the attacker or not: generating new message keys is of no use if the old ones are still recoverable. This, in turn, depends on whether deletion of messages and previous secrets has been effective. This is known to be a hard problem, especially on flash-based storage media, which are commonly used on mobile phones,” the paper says.
The team also said that there are some areas in which Signal could improve its security.
“One can imagine strengthening the protocol further. For example, if the random number generator becomes fully predictable, it may be possible to compromise communications with future peers. We have pointed out to the developers that this can be solved at negligible cost by using constructions in the spirit of the NAXOS protocol or including a static-static DH shared secret in the key derivation,” they say.
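The two hardening ideas the researchers name, mixing a static-static DH secret into the key derivation and deriving the ephemeral scalar NAXOS-style from the static key, are modelled below in an added Python example that is not code from the paper or from Signal. A toy DH group stands in for Curve25519, and the functions `keygen`, `dh`, `kdf`, `simulate` and the Alice/Bob key names are assumptions of this example; it shows that once the RNG output is predictable, a key schedule built from ephemeral secrets alone is recoverable by an attacker who holds no static private key, while either mitigation keeps the session key out of reach.

```python
import hashlib, secrets

# Toy Diffie-Hellman group constructed for this demo (Signal itself uses Curve25519).
P = 2**127 - 1  # Mersenne prime M127, chosen only to keep the arithmetic readable
G = 5

def keygen(random_scalar):
    """Key pair from a caller-supplied scalar, so the caller plays the role of the RNG."""
    priv = random_scalar % (P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(16, "big")
def kdf(*shared_secrets):
    return hashlib.sha256(b"".join(shared_secrets)).hexdigest()

def key_ephemeral_only(eph_priv, peer_eph_pub):  # key schedule built from fresh secrets only
    return kdf(dh(eph_priv, peer_eph_pub))

def key_with_static_static(eph_priv, static_priv, peer_eph_pub, peer_static_pub):
    """Mitigation named in the paper: also mix in the static-static DH shared secret."""
    return kdf(dh(eph_priv, peer_eph_pub), dh(static_priv, peer_static_pub))

def naxos_ephemeral(raw_random, static_priv):
    """NAXOS-style trick: effective ephemeral scalar = H(raw randomness || static key)."""
    h = hashlib.sha256(raw_random.to_bytes(16, "big") + static_priv.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big")

def simulate(predicted_rng_output):
    """Alice and Bob run each key schedule after their RNG has become predictable. The
    attacker knows every public key and RNG output but no static private key."""
    a_static, b_static = keygen(secrets.randbits(126)), keygen(secrets.randbits(126))
    a_eph, b_eph = keygen(predicted_rng_output), keygen(predicted_rng_output + 1)
    honest_weak = key_ephemeral_only(a_eph[0], b_eph[1])
    honest_strong = key_with_static_static(a_eph[0], a_static[0], b_eph[1], b_static[1])
    a_naxos = keygen(naxos_ephemeral(predicted_rng_output, a_static[0]))
    honest_naxos = key_ephemeral_only(a_naxos[0], b_eph[1])
    # Attacker rebuilds Alice's ephemeral private key from the predicted RNG output.
    atk_eph_priv = keygen(predicted_rng_output)[0]
    atk_weak = key_ephemeral_only(atk_eph_priv, b_eph[1])
    # The static-static term needs a static private key; the attacker's best effort is wrong.
    atk_strong = kdf(dh(atk_eph_priv, b_eph[1]), dh(atk_eph_priv, b_static[1]))
    atk_naxos = atk_weak  # predicted randomness alone does not give Alice's effective scalar
    return {
        "peers_agree": honest_strong == key_with_static_static(b_eph[0], b_static[0], a_eph[1], a_static[1]),
        "attacker_breaks_ephemeral_only": atk_weak == honest_weak,
        "attacker_breaks_static_static": atk_strong == honest_strong,
        "attacker_breaks_naxos": atk_naxos == honest_naxos,
    }
```

`simulate(0x12345678)` returns `True` for the ephemeral-only schedule and `False` for both hardened variants; the static keys are drawn fresh on each run, so the comparison outcome rather than the key values is what stays constant.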