Real World Crypto 2021 - Session 2: Group Messaging
RWC2021 · Real World Crypto
Session video
Lenka Marekova (RHUL) / Mesh Messaging in Large-scale Protests: Breaking Bridgefy / paper video slides
Bridgefy is a mesh-networked offline messaging app based on BT (classic, or BLE). Despite not being designed for use in a protest setting, that is how it has been adopted, eg. in BLM protests, and democracy protests in Hong Kong.
Analysis required reverse-engineering of Android app. This revealed numerous poor design decisions. Oops, it used RSA & PKCS#1v1.5 (deprecated) in ECB fashion. When combined with Gzip a padding oracale was available, Bleichenbacher attack w/ 2^17 msgs. Also users social graphs can be extracted, and log-ins MITMed.
The attacks were verified using Frida.
Open questions: can security even be achieved in the mesh setting? And what security needs do protesters have?
Antonio Marcedone (Zoom Video Comms) / E2E Encryption and Identity Properties for Zoom Meetings paper video
Various similarities to Key Transparency / CONIKS / Keybase for identity
Paul Rosler (Ruhr Uni) / Resolving Concurrency in Group Ratcheting Protocols paper video slides
PCS = Post-compromise security
- how a multi-participant messaging protocol recovers after an attacker gains one of the encryption keys
IETF working in this area, defining MLS (messaging layer security)