CryptoDB
Analyzing Chat Encryption in Group Messaging Applications
Authors: Joseph Jaeger, Akshaya Kumar, Igors Stepanovs
Presentation: Slides
Abstract: Secure group messaging applications have been widely deployed to protect the everyday conversations of billions of users worldwide. These applications use different cryptographic algorithms to provide varying privacy and authenticity guarantees. Due to their widespread use, particularly in sensitive contexts like protests and conflicts, analyzing the security of these applications has been the focus of numerous academic works. Most of these focus on analyzing the more "novel" key agreement primitive. Due to the inherent complexities, few works attempt to rigorously analyze an application as a whole, and even fewer focus on the chat encryption primitive specifically. The latter may be attributed to the assumption that, after decades of cryptographic research, encrypting conversations (using symmetric/asymmetric primitives) is well understood, rendering chat encryption a seemingly trivial or "folklore" primitive. Despite its perceived simplicity, throughout our work across two papers, we find that some widely used group messaging applications implement chat encryption insecurely, potentially exposing them to exploitable attacks. This talk highlights the importance of analyzing the compositions of symmetric encryption and digital signatures used in several group chat encryption algorithms. Isolating chat encryption allows one to systematically identify potential attacks that result from the lack of proper "binding" between the signing and encryption components. This is reflected in our analysis of chat encryption in three widely deployed group messaging applications: Keybase, MLS, and Session. While Keybase had a good intuition for combining symmetric encryption and digital signatures, their solution was brittle; its security relied on non-cryptographic elements such as message serialization formats. MLS and Session did not implement proper binding in their compositions, exposing them to attacks where a group member can impersonate another by replaying their messages. Additionally, Session is susceptible to message re-ordering attacks by non-group members such as the platform server. Independent analysis of chat encryption allowed us to narrowly target the corresponding security goals and specify a set of conditions required for proper binding between the signing and encryption components. Developers of chat encryption algorithms need only check that these conditions are met to ensure that the security goals are achieved.
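The binding failure the abstract describes can be seen in a toy scheme. The following example was added by the editor of this page; it is not the authors' code or analysis, not the chat encryption of Keybase, MLS or Session, and it does not reproduce the concrete attacks found in those applications. The group identifier, the keys, the member names, the sample messages, and the HMAC- and SHAKE-based stand-ins for the signature scheme and the AEAD are all assumptions of the example. It contrasts a composition in which the signature covers only the chat text with one in which both the signature and the AEAD associated data cover a header of group identifier, sender and sequence number, and it plays out the two attack classes named above: a member who holds the group key re-encrypts another member's signed text as a fresh message, and the server delivers messages out of order.

```python
import hashlib
import hmac
import os

# Constructed toy group chat (not Keybase, MLS or Session); GROUP_ID, the keys, the member
# names and the HMAC/SHAKE stand-in primitives are all assumptions of this example.
GROUP_ID = b"group-42"
GROUP_KEY = os.urandom(32)  # symmetric key shared by every member (and by nobody else)
MEMBER_KEYS = {n: os.urandom(32) for n in ("alice", "bob", "carol")}  # per-member signing keys
TAG_LEN = 32  # HMAC-SHA256 output length, used for the AEAD tag and the "signature"

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(data, key, nonce):  # XOR with a SHAKE-256 keystream derived from the encryption subkey and nonce
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(_prf(key, b"enc") + nonce).digest(len(data))))

def _tag(key, ad, nonce, ct):  # MAC over length-prefixed associated data, nonce and ciphertext
    return _prf(_prf(key, b"mac"), len(ad).to_bytes(4, "big") + ad + nonce + ct)

def aead_seal(key, ad, pt):  # toy encrypt-then-MAC AEAD (real code: AES-GCM or ChaCha20-Poly1305)
    nonce = os.urandom(16)
    ct = _xor(pt, key, nonce)
    return nonce + ct + _tag(key, ad, nonce, ct)

def aead_open(key, ad, blob):
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(_tag(key, ad, nonce, ct), tag):
        raise ValueError("AEAD tag mismatch")
    return _xor(ct, key, nonce)

# A per-member HMAC (_prf under MEMBER_KEYS[name]) stands in for a digital signature; no attack
# below uses another member's key, so the argument carries over unchanged to Ed25519 or similar.
def verify(vk, msg, sig):
    return hmac.compare_digest(_prf(vk, msg), sig)

class Member:
    def __init__(self, name):
        self.name, self.next_seq, self.last_seen = name, 1, {}  # next seq to send; last seq accepted per sender

# Unbound composition: the signature covers only the chat text and the AEAD carries no associated
# data, so nothing ties a signed text to a group, a sender or a position in the conversation.
def send_unbound(m, text):
    return aead_seal(GROUP_KEY, b"", m.name.encode() + b"|" + _prf(MEMBER_KEYS[m.name], text) + text)

def recv_unbound(m, blob):
    name, rest = aead_open(GROUP_KEY, b"", blob).split(b"|", 1)
    sig, text = rest[:TAG_LEN], rest[TAG_LEN:]
    if not verify(MEMBER_KEYS[name.decode()], text, sig):
        raise ValueError("bad signature")
    return name.decode(), text

# Bound composition: the signature and the AEAD associated data both cover a header of
# (group, sender, sequence number), and receivers require consecutive sequence numbers per sender.
def _header(name, seq):
    return GROUP_ID + b"|" + name.encode() + b"|" + seq.to_bytes(8, "big")

def send_bound(m, text):
    hdr = _header(m.name, m.next_seq)
    m.next_seq += 1
    return hdr, aead_seal(GROUP_KEY, hdr, _prf(MEMBER_KEYS[m.name], hdr + text) + text)

def recv_bound(m, hdr, blob):
    group, name_b, seq_b = hdr.split(b"|", 2)
    name, seq = name_b.decode(), int.from_bytes(seq_b, "big")
    body = aead_open(GROUP_KEY, hdr, blob)  # fails if a non-member, e.g. the server, edits the header
    sig, text = body[:TAG_LEN], body[TAG_LEN:]
    if group != GROUP_ID or not verify(MEMBER_KEYS[name], hdr + text, sig):
        raise ValueError("wrong group or bad signature")
    if seq != m.last_seen.get(name, 0) + 1:  # replayed, dropped or reordered message
        raise ValueError("unexpected sequence number")
    m.last_seen[name] = seq
    return name, text

def _rejected(fn, *args):
    try:
        fn(*args)
        return False
    except ValueError:
        return True

def run_demo():
    alice, carol, out = Member("alice"), Member("carol"), {}  # Bob, the insider attacker, needs only GROUP_KEY
    # Unbound, insider replay: Bob re-encrypts Alice's signed body under a fresh nonce; Carol takes it as new.
    blob = send_unbound(alice, b"pay the invoice")
    replay = aead_seal(GROUP_KEY, b"", aead_open(GROUP_KEY, b"", blob))
    out["unbound_replay_accepted"] = recv_unbound(carol, replay) == ("alice", b"pay the invoice")
    # Unbound, server reordering: Alice's two messages delivered in reverse go unnoticed.
    first, second = send_unbound(alice, b"first"), send_unbound(alice, b"second")
    out["unbound_reorder_undetected"] = [recv_unbound(carol, second)[1], recv_unbound(carol, first)[1]] == [b"second", b"first"]
    # Bound: the replay repeats a sequence number, and re-wrapping the body under a fresh header breaks the signature.
    hdr, blob = send_bound(alice, b"pay the invoice")
    out["bound_original_accepted"] = recv_bound(carol, hdr, blob) == ("alice", b"pay the invoice")
    body, fresh = aead_open(GROUP_KEY, hdr, blob), _header("alice", 7)
    out["bound_replay_rejected"] = _rejected(recv_bound, carol, hdr, aead_seal(GROUP_KEY, hdr, body))
    out["bound_rewrap_rejected"] = _rejected(recv_bound, carol, fresh, aead_seal(GROUP_KEY, fresh, body))
    # Bound, server reordering: delivering Alice's third message before her second is rejected.
    (h2, b2), (h3, b3) = send_bound(alice, b"second"), send_bound(alice, b"third")
    out["bound_reorder_rejected"] = _rejected(recv_bound, carol, h3, b3)
    return out
```

`run_demo()` returns six checks: in the unbound variant the insider replay and the server's reordering are both accepted, in the bound variant both are rejected. Two things do the work in the bound variant. The header carried as AEAD associated data stops a non-member such as the server from rewriting sender or sequence number, since the tag no longer verifies; the signature over the header stops a member from re-labelling another member's text under a sender or position of their choosing. The per-sender sequence check then turns a replay or an out-of-order delivery into a verification failure instead of a silently accepted message. Replacing the HMAC stand-in with a real signature scheme does not change the structure of either check.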
Video: https://youtu.be/ghtMAmQCa5E
BibTeX
@misc{rwc-2025-35850,
  title={Analyzing Chat Encryption in Group Messaging Applications},
  note={Video at \url{https://youtu.be/ghtMAmQCa5E}},
  howpublished={Talk given at RWC 2025},
  author={Joseph Jaeger and Akshaya Kumar and Igors Stepanovs},
  year=2025
}