Auditable messages with hash chain in instant messaging apps
Resumo
Instant messaging applications have been used as corporate tools, so the messages exchanged in these systems have been used as negotiation records. However, by design, most of such apps do not provide any verification feature to confirm the integrity of the conversations. Analyses show that it is possible to surreptitiously modify records in popular apps like WhatsApp and Telegram. Aiming this issue, this work proposes a message structure based on hash chain, to ensure the integrity and the possibility to audit conversations. Besides, we propose a design with selective disclosure to improve privacy during audits, and this solution is architecture-independent, so it can be integrated with any instant message app.Referências
A. Mcgrew, D. and Viega, J. (2004). The galois/counter mode of operation (GCM).
Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., and Stebila, D. (2017). A formal security analysis of the signal messaging protocol. In 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pages 451–466.
Funk, M., Cunningham, C., Kanver, D., Saikalis, C., and Pansare, R. (2020). Usable and acceptable response delays of conversational agents in automotive user interfaces. In 12th International Conference on Automotive User Interfaces and Interactive Vehicular Applications, AutomotiveUI ’20, page 262–269, New York, NY, USA. Association for Computing Machinery. Available at: DOI: 10.1145/3409120.3410651. Accessed June 2022.
Gultsch, D. (2014). Conversations. Available at: [link]. Accessed Aug. 2021.
Hu, Y.-C., Jakobsson, M., and Perrig, A. (2005). Efficient constructions for one-way hash chains. In Proc. of the 3rd Int. Conf. on Applied Cryptography and Network Security (ACNS’05), pages 423–441, Berlin, Heidelberg. Springer-Verlag.
Keates, S. (2016). Measuring acceptable input: What is “good enough”? page 713–723. Universal Access in the Information Society volume 16. Available at: DOI: 10.1007/s10209-016-0498-4. Accessed June 2022.
Komo, A. E. (2023). An efficient method to provide auditable messages exchanged in instant messaging applications. Dissertation (Master of Science) - Corrected version, Universidade de São Paulo. Available at: DOI: 10.11606/D.3.2022.tde-22052023-143703. Accessed May 2023.
Komo, A. E., Arakaki, B. O., Simplicio Jr., M. A., and Levy, M. R. (2018). Aplicativo de troca de mensagens instantâneas utilizando comunicação P2P. In Anais Estendidos do XVIII Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, pages 65–72, Porto Alegre, RS, Brasil. SBC. Available at: [link]. Accessed Jan. 2019.
Komo, A. E. and Simplicio Jr., M. A. (2019). Solução para habilitar conversas integras e auditáveis em aplicativos de troca de mensagens instantâneas. In Anais do XIX Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, Porto Alegre, RS, Brasil. SBC. Available at: [link]. Accessed Jan. 2020.
LaMacchia, B., Lauter, K., and Mityagin, A. (2007). Stronger security of authenticated key exchange. In Susilo, W., Liu, J. K., and Mu, Y., editors, Provable Security, pages 1–16, Berlin, Heidelberg. Springer Berlin Heidelberg.
Nakamoto, S. (2008). Bitcoin: A peer-to-peer electronic cash system. [link].
Rogers, M., Saitta, E., Grote, T., Dehm, J., Erlingsson, E., Tyers, B., and Grigg, J. (2018). Briar [online]. [link].
Rösler, P., Mainka, C., and Schwenk, J. (2018). More is less: On the end-to-end security of group chats in Signal, WhatsApp, and Threema. In IEEE European Symposium on Security and Privacy (Euro S&P), pages 415–429.
Schliep, M. and Hopper, N. (2018). End-to-end secure mobile group messaging with conversation integrity and deniability. Cryptology ePrint Archive, Report 2018/1097. [link].
Schliep, M., Kariniemi, I., and Hopper, N. (2017). Is Bob sending mixed signals? In Proc. of the 2017 on Workshop on Privacy in the Electronic Society, WPES ’17, pages 31–40, New York, NY, USA. ACM.
Simplicio, M., Oliveira, B., Margi, C., Barreto, P., Carvalho, T., and Näslund, M. (2013). Survey and comparison of message authentication solutions on wireless sensor networks. Ad Hoc Networks, 11(3):1221–1236.
Simplicio, M., Santos, M., Leal, R., Gomes, M., and Goya, W. (2014). SecureTCG: a lightweight cheating-detection protocol for P2P multiplayer online trading card games. Security and Communication Networks, 7(12):2412–2431.
Telegram (2019). MTProto mobile protocol [online]. [link].
Torvalds, L. (2005). Git [online]. [link].
Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., and Stebila, D. (2017). A formal security analysis of the signal messaging protocol. In 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pages 451–466.
Funk, M., Cunningham, C., Kanver, D., Saikalis, C., and Pansare, R. (2020). Usable and acceptable response delays of conversational agents in automotive user interfaces. In 12th International Conference on Automotive User Interfaces and Interactive Vehicular Applications, AutomotiveUI ’20, page 262–269, New York, NY, USA. Association for Computing Machinery. Available at: DOI: 10.1145/3409120.3410651. Accessed June 2022.
Gultsch, D. (2014). Conversations. Available at: [link]. Accessed Aug. 2021.
Hu, Y.-C., Jakobsson, M., and Perrig, A. (2005). Efficient constructions for one-way hash chains. In Proc. of the 3rd Int. Conf. on Applied Cryptography and Network Security (ACNS’05), pages 423–441, Berlin, Heidelberg. Springer-Verlag.
Keates, S. (2016). Measuring acceptable input: What is “good enough”? page 713–723. Universal Access in the Information Society volume 16. Available at: DOI: 10.1007/s10209-016-0498-4. Accessed June 2022.
Komo, A. E. (2023). An efficient method to provide auditable messages exchanged in instant messaging applications. Dissertation (Master of Science) - Corrected version, Universidade de São Paulo. Available at: DOI: 10.11606/D.3.2022.tde-22052023-143703. Accessed May 2023.
Komo, A. E., Arakaki, B. O., Simplicio Jr., M. A., and Levy, M. R. (2018). Aplicativo de troca de mensagens instantâneas utilizando comunicação P2P. In Anais Estendidos do XVIII Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, pages 65–72, Porto Alegre, RS, Brasil. SBC. Available at: [link]. Accessed Jan. 2019.
Komo, A. E. and Simplicio Jr., M. A. (2019). Solução para habilitar conversas integras e auditáveis em aplicativos de troca de mensagens instantâneas. In Anais do XIX Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, Porto Alegre, RS, Brasil. SBC. Available at: [link]. Accessed Jan. 2020.
LaMacchia, B., Lauter, K., and Mityagin, A. (2007). Stronger security of authenticated key exchange. In Susilo, W., Liu, J. K., and Mu, Y., editors, Provable Security, pages 1–16, Berlin, Heidelberg. Springer Berlin Heidelberg.
Nakamoto, S. (2008). Bitcoin: A peer-to-peer electronic cash system. [link].
Rogers, M., Saitta, E., Grote, T., Dehm, J., Erlingsson, E., Tyers, B., and Grigg, J. (2018). Briar [online]. [link].
Rösler, P., Mainka, C., and Schwenk, J. (2018). More is less: On the end-to-end security of group chats in Signal, WhatsApp, and Threema. In IEEE European Symposium on Security and Privacy (Euro S&P), pages 415–429.
Schliep, M. and Hopper, N. (2018). End-to-end secure mobile group messaging with conversation integrity and deniability. Cryptology ePrint Archive, Report 2018/1097. [link].
Schliep, M., Kariniemi, I., and Hopper, N. (2017). Is Bob sending mixed signals? In Proc. of the 2017 on Workshop on Privacy in the Electronic Society, WPES ’17, pages 31–40, New York, NY, USA. ACM.
Simplicio, M., Oliveira, B., Margi, C., Barreto, P., Carvalho, T., and Näslund, M. (2013). Survey and comparison of message authentication solutions on wireless sensor networks. Ad Hoc Networks, 11(3):1221–1236.
Simplicio, M., Santos, M., Leal, R., Gomes, M., and Goya, W. (2014). SecureTCG: a lightweight cheating-detection protocol for P2P multiplayer online trading card games. Security and Communication Networks, 7(12):2412–2431.
Telegram (2019). MTProto mobile protocol [online]. [link].
Torvalds, L. (2005). Git [online]. [link].
Publicado
16/09/2024
Como Citar
KOMO, Andrea E.; SIMPLICIO JR., Marcos A..
Auditable messages with hash chain in instant messaging apps. In: CONCURSO DE TESES E DISSERTAÇÕES - SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 24. , 2024, São José dos Campos/SP.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2024
.
p. 25-32.
DOI: https://doi.org/10.5753/sbseg_estendido.2024.241723.