A Comparison of Secure Messaging Protocols and Implementations
In recent years, it has come to light that governments have been conducting mass surveillance of personal communications without the consent of citizens. As a consequence of these revelations, developers have begun releasing new protocols for end-to-end encrypted conversations, and commonly used chat applications have been updated with implementations of these protocols. New applications have also been developed to support these types of protocols, with security in mind from the beginning. These usually use existing, audited algorithms to ensure that the encryption between participants is up to standard.
This thesis investigates protocols for end-to-end encrypted instant messaging, focusing on the existing implementations of one recent and popular such protocol, Signal. The first protocol studied is the Off-the-Record (OTR) protocol, since it was the first such protocol, introduced ten years ago, and most recent protocols are based on it or take inspiration from it. A large part of the thesis then carefully goes through the inner workings of the Signal protocol, which itself is based on OTR. The documentation of three secure messaging protocols is studied to find what types of security and privacy properties they provide. The study of the protocol properties is also based on recent academic articles. The conclusions are summarized and explained so that they can be used in the rest of the thesis.
A second major part of the document is devoted to analyzing the most used secure messaging applications. A series of experiments is conducted on these implementations to find out which types of security and usability properties each application provides. Six applications are tested. A major concern is what kind of information the application gives users when cryptographic keys change during conversations, as well as how users can verify each other’s identities. The results of the experiments show that the apps vary in their usability and security properties regarding the user’s account. The apps give different amounts of information to the user about potential security attacks. While some give enough for the user to know when cryptographic keys change, others do not provide any information.
The thesis also gives proposals for improving each application with respect to security, privacy, and usability. Hopefully, users will find the information in this research useful in choosing a particular application, and it will encourage other researchers to look more carefully into the usability and security challenges of secure messaging applications.