A look into the Mobile Messaging Black Box
Roland Schilling, Frieder Steinmetz
December 27, 2016
Hamburg University of Technology, Security in Distributed Applications
33rd Chaos Communication Congress #33c3
@NerdingByDoing @twillnix
Messaging – Identifying Our Expectations
You’re at a party
- Friend approaches you and needs to tell you something in private
- What do you expect when you say private?
- You enter a separate room, you trust the location
- What does a separate room offer you?
A Private Room
You are now alone in a closed room with your Friend
- Both of you can be absolutely confident that you are alone
- Nobody can overhear your talk
- Your exchange is completely private
We call this confidentiality
You Know Each Other
Since you’re long-time friends, you’re absolutely sure whom you’re talking to
- Nobody can impersonate your friend or you, without the other noticing
- You’re talking directly, without a phone or webcam in between
We call this authenticity
In Sight of Each Other
The room you’re in is small enough that you can always see each other
- You know that the words you speak are received just as you spoke them
- There is no way either of you hears something other than what the other says
We call this integrity
It’s a One-Time Talk
Suppose somebody steps into the room
- They could overhear your conversation
- They would only learn the contents of this particular conversation
- They would not learn anything about past conversations you had
We call this forward secrecy
→ After leaving they would not be able to listen to any future conversations you might have
We call this future secrecy
Forward- and Future Secrecy
[Figure: timeline with the events "third person enters room" and "third person leaves room"; the conversation in between is overheard, the conversations before and after remain secret. Labels: Forward Secrecy, Future Secrecy]
It’s a One-Time Talk Between Only You Two
There are no witnesses in the room
- Either of you can later deny to others having made any statement
- Neither of you can prove to others that either of you has made a particular statement
We call this deniability
Messaging – Reality Check
Messaging – A More Technical Analogy
We started with a conversation analogy to identify our expectations of messaging
→ Actually, postal services are a better way to look at messaging from a technical point of view.
[Figure: a message labelled "From: Alice To: Bob"]
Example: Traditional Messaging
What if our party conversation had taken place via SMS?
Your providers (and other people on the same network)
- would know the contents of your exchange: no confidentiality
- could change the contents of your exchange: no integrity
- could reroute your messages and impersonate either of you: no authentication
- do not guarantee any secrecy, so we have neither forward secrecy nor future secrecy
→ We could argue having deniability though.
→ Messaging translates badly to our offline communication expectation
From Postcards to Letters
The Shortest Introduction to Encryption You Will Ever Get
Symmetric Encryption:
→ Encryption and decryption with the same key
[Figure: plain text → Crypto (Key) → ciphertext → Crypto (Key) → plain text]
Asymmetric Encryption:
→ Encryption and decryption with different keys
[Figure: plain text → Crypto (Key) → ciphertext → Crypto (Key) → plain text, the two keys forming a key pair]
Public-Key Cryptography – In a Nutshell
[Figure: three parties, each with a Secret Key, an Identity and a Public Key; two Crypto boxes, one keyed with Bob Public Key and one with Bob Secret Key]
- Both parties publish their identities and public keys
- Any message can be encrypted with anyone’s public key and only be decrypted with its corresponding secret key
Key Establishment
[Figure: each party has a Secret Key, an Identity and a Public Key; two Key Generator boxes, fed with Bob Public Key and Alice Public Key, produce the Key]
Recap
Asymmetric Encryption gives us IDs but is very expensive.
Symmetric Encryption is cheap, but a key has to be shared by all participants before communication starts.
Key Establishment allows us to create symmetric keys based on asymmetric key pairs.
But there’s more…
Confidentiality
Deniability
[Figure: a message labelled "From: either of us To: both of us"]
But What About Forward- and Future Secrecy?
[Figure: the party timeline applied to messaging. "Third person enters room" becomes "key compromise", "third person leaves room" becomes "key renegotiation", and the overheard conversation becomes "compromised messages" between "secret messages". Labels: Forward Secrecy, Future Secrecy]
Recap
Our key establishment protocol gives us:
- Confidentiality
- Deniability
- Authenticity
We don’t have:
- Forward Secrecy
- Future Secrecy
→ We are ignoring Integrity here, but we have that, too.
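The recap above as runnable code (an added example, not from the talk or from Threema): a toy Diffie-Hellman group and a SHA-256 keystream stand in for ECDH and the symmetric cipher, and all function names are ours. It shows why a key established from long-term key pairs gives authenticity with deniability but no forward secrecy, and what per-session ephemeral keys change.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group standing in for the ECDH step on the slides.
# Assumption: chosen so the example needs only the standard library; it is
# far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    secret = secrets.randbelow(P - 3) + 2
    return secret, pow(G, secret, P)

def establish(my_secret, their_public):
    """Key establishment: own secret key + peer public key -> symmetric key."""
    z = pow(their_public, my_secret, P)
    return hashlib.sha256(z.to_bytes(16, "big")).digest()

def mac(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()

def xor_stream(key, data):
    """Toy cipher (SHA-256 keystream), a stand-in for the symmetric cipher.
    Encrypts and decrypts; use each key for one message only."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def deniability():
    """(Bob can reproduce Alice's tag, an outsider can reproduce it)."""
    a_sk, a_pk = keypair()
    b_sk, b_pk = keypair()
    m_sk, _ = keypair()                      # Mallory, an outsider
    msg = b"see you at the party"            # constructed sample message
    from_alice = mac(establish(a_sk, b_pk), msg)
    by_bob = mac(establish(b_sk, a_pk), msg)
    by_mallory = mac(establish(m_sk, b_pk), msg)
    return from_alice == by_bob, from_alice == by_mallory

def forward_secrecy():
    """(static-key traffic readable after a leak, ephemeral-key traffic readable)."""
    a_sk, a_pk = keypair()
    b_sk, b_pk = keypair()
    msg = b"old but sensitive message"       # constructed sample message
    # Case 1: message key derived directly from the long-term key pairs.
    wire_static = xor_stream(establish(a_sk, b_pk), msg)
    # Case 2: key derived from per-session ephemeral keys, deleted afterwards.
    ea_sk, ea_pk = keypair()
    eb_sk, eb_pk = keypair()
    wire_ephemeral = xor_stream(establish(ea_sk, eb_pk), msg)
    del ea_sk, eb_sk
    # Later, Alice's long-term secret leaks to someone who recorded the wire.
    static_read = xor_stream(establish(a_sk, b_pk), wire_static) == msg
    ephemeral_read = any(
        xor_stream(establish(a_sk, pk), wire_ephemeral) == msg
        for pk in (b_pk, ea_pk, eb_pk))
    return static_read, ephemeral_read

if __name__ == "__main__":
    print("tag reproducible by (Bob, outsider):", deniability())
    print("readable after leak (static, ephemeral):", forward_secrecy())
```

Because Bob can compute exactly the tag Alice sent, the tag convinces Bob but proves nothing to a third party; ephemeral keys on their own authenticate nobody, which is why a handshake has to tie them back to the long-term keys.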
Key and ID Management
Cryptography is rarely, if ever, the solution to a security problem. Cryptography is a translation mechanism, usually converting a communications security problem into a key management problem. —Dieter Gollmann
[Figure: Alice and Bob each hold a Secret Key, an Identity and a Public Key; they ask the Messenger Server "Bob?" and "Alice?" and get back Bob Public Key and Alice Public Key]
Key and ID Management
We can ask for IDs, but what is an ID?
- A phone number?
→ Can identify a user. But is also considered personal information.
- An email address?
→ Same thing as with phone number. But a temporary email can be used.
- Something else?
→ Dedicated IDs offer anonymous usage, but ID ownership must be verifiable.
→ Dedicated IDs are preferable. But only if we find a way to verify ID ownership.
Key and ID Management
How does Alice know which is Bob’s public key?
[Figure: several candidate keys, each labelled "Bob Public Key"]
Mobile Messaging Key Management
[Figure: Alice and Bob, each with Secret Key, Identity and Public Key, query the Messenger Server ("Bob?", "Alice?") and receive Bob Public Key and Alice Public Key]
Authenticity
We have now solved the Authenticity problem
- Users can be identified by their phone number or email address
→ But they have dedicated IDs.
→ Personal verification is possible.
The remaining unsolved problem is a user changing their ID.
→ At this point, the problem starts anew.
→ We will get back to that later.
Metadata Handling
Everybody on the network can see:
- the sender of the message
- the intended receiver of the message
[Figure: a message labelled "Alice", "From Bob"]
Metadata Handling
Solution: wrap the encrypted message in a second layer of encryption and address it only to the message server.
[Figure: the wrapped message, addressed to "Msngr"]
Metadata Handling
The message server will remove the outer layer and add a new one, targeted at the receiver.
[Figure: the message re-wrapped for "Alice", "From Msngr"]
Metadata Handling
This leaves us with an encrypted end-to-end tunnel, transmitted through two transport layer encryption tunnels. The message server still knows both communication partners!
Metadata Handling
We can obfuscate the size of a message with padding
[Figure: Message + Padding = Size of encrypted Message]
Threema
Threema’s Architecture
[Figure: Messaging Server, Media Server and Directory Server; Bob Public Key, Alice Public Key]
Threema Fingerprints
Threema offers dedicated IDs
- Users may provide their phone number and email.
- If provided, phone number and email are used for identification with the directory server.
- If no additional data is provided, IDs can only be exchanged manually.
- In either case, manual verification using QR codes is encouraged.
- The app permanently tracks the verification status of each peer ID.
NaCl and Threema
[Figure (NaCl): Public Key and Secret Key → ECDH → HSalsa20 → Key; a Random Generator supplies the Nonce; Key, Nonce and plain text → XSalsa20 and Poly1305 → Nonce, Ciphertext, MAC]
Threema’s Handshake Between the App and the Messaging Server
[Figure: message sequence between Threema App and Threema Messaging Server: Client Hello, Server Hello, Client Auth Pkt, Server Ack]
Exchange a set of ephemeral keys and verify each other’s long-term identity keys.
Client Hello Packet
Layout: Ephemeral Client Public Key | Client Nonce Prefix
- Client generates an ephemeral key pair
- Client generates random nonce prefix
Server Hello Packet
Layout: Server Nonce Prefix | Ephemeral Server Public Key | Client Nonce Prefix (part of the packet is marked Ciphertext)
- Server generates ephemeral key pair
- Server generates random nonce
- Ciphertext encrypted with Server Nonce, Client Ephemeral Key and Server Long-Term Key
Client Authentication Packet
Layout: Threema ID | User Agent String | Server Nonce Prefix | Random Nonce | Ciphertext (Ephemeral Client Public Key); the packet is itself marked Ciphertext
- Outer encryption with ephemeral keys
- Ciphertext links the client’s ephemeral key pair to its long-term key pair
Server Acknowledgement Packet
Layout: Zeros (marked Ciphertext)
- Server confirms everything worked fine by encrypting something with both ephemeral keys
- We have established a forward secure channel between app and messaging server.
A 2-Layer Tunnel
[Figure: a two-layer tunnel with the labels "Has Forward Secrecy" and "Doesn't have Forward Secrecy"]
Threema Packet Format
Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Ciphertext
Threema Text Messages
Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Ciphertext: 0x01 | Text | Variable-length Padding
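The plaintext of a text message (0x01, Text, Variable-length Padding) with the PKCS7 padding named in the appendix, as an added example that is not the authors' or Threema's code. Function names and the uniform random choice of padding length are assumptions; the block also shows how far padding hides a message's size.

```python
import secrets

TEXT_MESSAGE = 0x01   # type byte from the "Threema Text Messages" slide

def pad(data):
    """Append n bytes, each of value n (PKCS7 style), with n random in 1..255.
    Assumption: the slides say "variable-length"; the uniform draw is ours."""
    n = secrets.randbelow(255) + 1
    return data + bytes([n]) * n

def unpad(padded):
    """Strip the padding and reject anything that is not well-formed."""
    if not padded:
        raise ValueError("empty plaintext")
    n = padded[-1]
    if n == 0 or n > len(padded) or padded[-n:] != bytes([n]) * n:
        raise ValueError("malformed padding")
    return padded[:-n]

def build_text_plaintext(text):
    """0x01 | Text | Variable-length Padding, ready to be encrypted."""
    return pad(bytes([TEXT_MESSAGE]) + text.encode("utf-8"))

def parse_text_plaintext(plaintext):
    body = unpad(plaintext)
    if not body or body[0] != TEXT_MESSAGE:
        raise ValueError("not a text message")
    return body[1:].decode("utf-8")

def size_window(text):
    """Smallest and largest padded size an observer can see for this text."""
    unpadded = 1 + len(text.encode("utf-8"))
    return unpadded + 1, unpadded + 255

def sizes_can_collide(text_a, text_b):
    """True if the two texts can produce plaintexts of equal length."""
    lo_a, hi_a = size_window(text_a)
    lo_b, hi_b = size_window(text_b)
    return lo_a <= hi_b and lo_b <= hi_a

if __name__ == "__main__":
    sample = "yes"                               # constructed sample text
    wire = build_text_plaintext(sample)
    print(len(wire), parse_text_plaintext(wire))
    print(sizes_can_collide("yes", "no"), sizes_can_collide("yes", "x" * 300))
```

A short reply and a 300-character message never share a size, so padding blurs length only within a 254-byte window. `unpad` should run only on plaintext whose MAC has already verified, so that a padding error reveals nothing to an attacker.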
Threema Image Messages
Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Ciphertext: 0x43 | Blob ID | Size | Key | Variable-length Padding
Sending an Image Message
[Figure sequence: Messaging Server, Media Server and Directory Server, with Bob Public Key and Alice Public Key; a Blob and its Blob ID are exchanged between the parties across the steps]
Recap
Basic messaging functionality achieved.
Group Messages
Message Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Ciphertext: 0x41 | Creator ID | Group ID | Text | Variable-length Padding
Group Management Messages
Group creation message
Message Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Ciphertext: 0x4A | Group ID | Member IDs | Variable-length Padding
Group rename message
Message Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Ciphertext: 0x4B | Group ID | Group Name | Variable-length Padding
Implementation of Addon Features
Captions in Image Messages
[Figure: a JPEG image file; its Exif Data contains the caption "Greetings from Iceland" in readable form, followed by the image data]
Quoted Messages
Layout: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce | 0x01 | > 1EE733C3: I’m a quoted message. And I’m a comment! | Variable-length Padding
Our Library
Our reverse-engineering efforts led to a re-implementation of Threema’s API.
- Fully Threema-compatible
- Almost feature-complete
- Completely undocumented (yet)
You can find the repositories at this location: https://github.com/o3ma
Done!
Thank You!
Roland Schilling
schilling@tuhh.de @NerdingByDoing
Frieder Steinmetz
frieder.steinmetz@tuhh.de @twillnix
Beamer Theme: Metropolis by Matthias Vogelgesang
Color Theme: Owl by Ross Churchley
Icons: The BIG collection by Sergey Demushkin
Foundation Icon Fonts 3 by ZURB
NaCl slide was adapted from a figure in Threema’s Cryptography Whitepaper
Threema Screenshots taken from the Threema press package
Thanks to Jan Ahrens and Philipp Berger – their work has made ours somewhat easier
Thanks to Maximilian Köstler for his initial work on Threema
Appendix Message Packet (Threema Protocol Layer)
Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Ciphertext
- Only the MSB of Flags is used
Appendix Message Packet on the Wire
Layout: Length | Threema Client-to-Server Ciphertext
Appendix Text Message
Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Ciphertext: 0x01 | Text | Variable-length Padding
Appendix Image Message
Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Ciphertext: 0x43 | Blob ID | Size | Key | Variable-length Padding
- Blob is symmetrically encrypted using Key and uploaded to asset server.
- Image captions are stored inside the image’s EXIF data. These data leak upon creating such an image while the “save media to gallery” option is enabled.
Appendix Audio Message
Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Ciphertext: 0x02 | Duration | Blob ID | Size | Key | Variable-length Padding
Appendix Group Message Packet
Message Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Ciphertext: 0x41 | Creator ID | Group ID | Text | Variable-length Padding
Appendix Group Image Message
Message Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Ciphertext: 0x41 | Creator ID | Group ID | Blob ID | Size | Key | Variable-length Padding
Appendix Group Picture Update
Message Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Payload: 80 | Group ID | Blob ID | Size | Symmetric key | Variable-length Padding
Appendix Create/Update Group (members)
Message Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Payload: 74 | Group ID | Group Members
Appendix Acknowledgement Packet to Server
Layout: Length | Pkt Type | Sender | Message ID (a span of the packet is marked Length)
Appendix Client-Server Handshake
Client Hello
Layout: Ephemeral Client Public Key | Client Nonce Prefix
Server Hello
Layout: Server Nonce Prefix | Ephemeral Server Public Key | Client Nonce Prefix (part of the packet is marked Ciphertext)
Client Authentication Packet
Layout: Threema ID | User Agent String | Server Nonce Prefix | Random Nonce | Ciphertext (Ephemeral Client Public Key); the packet is itself marked Ciphertext
Server Acknowledgement
Layout: Zeros (marked Ciphertext)
Appendix PKCS7 Padding
03 03 03
04 04 04 04
08 08 08 08 08 08 08 08
16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16
05 05 05 05 05
06 06 06 06 06 06
Appendix Group Management Message - Add Users
Message Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Ciphertext: 0x4A | Group ID | Member IDs | Variable-length Padding
Appendix Group Management Message - Rename Group
Message Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Ciphertext: 0x4B | Group ID | Group Name | Variable-length Padding
Appendix Quoted Text Message
Header: Pkt Type | Sender | Recipient | Message ID | Time | Flags | Public Nickname (string) | Nonce
Payload: 0x01 | > 1EE733C3: I’m a quoted message. And I’m a comment! | Variable-length Padding