Defending Against Attack on the Cloned: In-Band Active Man-in-the-Middle Detection for the Signal Protocol

With Signal's position as one of the most popular secure messaging protocols in use today, the threat of government coercion and mass surveillance, i.e., active Man-in-the-Middle (MitM) attacks, are more relevant than ever. On the other hand, studies [29, 33, 37, 38] have shown that user awareness is very poor when it comes to authenticating keys in instant messaging applications, e.g., comparing key fingerprints out-of-band. The ideal solution to this problem should not require the active participation of the users. Our solution to active MitM attacks builds directly on Signal. We automate the process of key confirmation without relying on the intervention of users, and without using an out-of-band communication channel, at the cost of slightly altered trust assumptions on the server. We consider a powerful active MitM that not only controls the communication channel, but also has (one time) access to all secrets on one of the clients, i.e., can perform a key compromise attack. Our solution utilises the server to keep track of the changes in the clients key fingerprint as ratcheting is performed. Given that the server can keep a message log already, we find that any impact on deniability is minimal in practice. We present our detailed modifications to Signal, and document the new security guarantees while preserving the existing security guarantees of Signal. Our proof-of-concept implementation, which is based on the open-source Signal library used in real-world instant messaging applications, shows that our solution is practical and integrates well with the library. Our experimental results further show that our solution only has a tiny performance overhead when compared to Signal.