Matthew GreenWoohoo! WhatsApp has released key transparency! https://engineering.fb.com/2023/04/13/security/whatsapp-key-transparency/
So here’s a thread on key transparency, and why this is a big deal. 1/
Most encrypted messaging apps require the user to generate a public/private encryption key. The secret key lives in your device, and the public key gets sent to anyone who wants to message you. In systems like WhatsApp, the distribution of keys is handled by the WhatsApp server. /2
The amazing thing about modern cryptographic protocols is that you can communicate securely with anyone, as long as you (both) know each others’ public keys. The problem in messaging is that a hacked server can give you the wrong public key. /3
All of cryptography basically falls apart in this case, which is called an MITM attack. It’s not that the crypto doesn’t work: you’re still communicating securely. The problem is that you may be communicating securely with the wrong person: an eavesdropper. /4
If the eavesdropper hacks the WhatsApp server, they can give you their own public key (instead of your friend’s key) and then decrypt the messages you think you’re sending to that friend. Then with more work they can *re-encrypt* the messages and send them on to your friend. /5
In messengers like WhatsApp and Signal you can detect this attack by having your friend comparing a security code (safety number) that looks like this, using some other channel.
Almost nobody does this. Even my cryptographer friends are like “nah, let’s YOLO this one.” /6
Anyway: one potential solution to this problem is Key Transparency.
The idea of key transparency is that you (1) publish a single hash that commits to every key/identity in the system at a given time. Then people can (2) compare their hashes… /7
… to make sure the server is being consistent. This means that *I* can verify that the server is linking the expected public key for my identity. And now it will be very hard for the server to say something different (ie offer a different public key for me) to anyone else. /8
Making this work efficiently involves using the magic of Merkle hash trees. This allows anyone to verify that a single (key/identity) pair is contained within the tree, without downloading records for two billion other users, which would be annoying. /9
While these systems mostly use relatively simple tools (hashing, big trees, gossip networking) the engineering is substantial. New users change all the time, so this adds some annoying overhead. Why do it? /10
The reason is simple: encrypted messaging works really, really well. This means that people who want to *eavesdrop* on your encrypted messages may be willing to do things as extreme as MITM attacks. Particularly when we’re talking about state-sponsored attacks. /11
Here is a proposal by two cryptographers working at the UK’s GCHQ (their equivalent of NSA): it doesn’t exactly propose MITM attacks. Instead it suggests something equally forceful: compelling services like WhatsApp to add “ghost users” to your chats. https://www.lawfareblog.com/principles-more-informed-exceptional-access-debate /12
In this scenario, you might think you’re having a conversation with your friends. But quietly, there would be an extra “ghost” in the chat listening in. This would require legal compulsion of the server operator to pull off, but hacking the server could yield a similar result. /13
Proposals like Key Transparency don’t address every one of these attack vectors. But they signal very loudly that developing further attacks in this direction probably is not a great investment. /14
So the major signal we’re getting from WhatsApp (and from Apple, a few months ago) is that they intend to make secure messaging as safe and private as they possibly can. These systems are important, and they will invest in blocking even sophisticated attacks. 14/14 fin
unixsh.it@matthew_d_green how does Signal compare?
@unixsh_it They don’t have this feature yet. Maybe they’ll add it at some point.
Talya (she/her) 🏳️⚧️✡️
Daniel Thomas@matthew_d_green Great that this has happened. Slightly sad that our paper that has been rejected 6 times often for not being a problem worth solving will now be rejected because industry has already deployed another solution to the problem.
TeixiIndeed initial key exchange, as difficult as recovery once in a new device.
All systems have their own turnarounds for these two, so common standardization proposals towards handling these are need!
Orca 🌻 | 🎀 | 🪁 | 🏴🏳️⚧️@matthew_d_green Is that ever going to work if clients cryptographically verifies every membership changes (join/privilege escalation/privilege drop/leave) in a chat/group chat? Or is it forcing the client software to lie to its users? 
B-rad 🏳️🌈👨💻@matthew_d_green Merkle trees, is there anything they can't do
WikinautAgainst this, we here use Shibboleth/s, secrets, which only Alice and Bob know.