< Return to Video

A look into the Mobile Messaging Black Box (33c3)

  • 0:00 - 0:13
    33C3 preroll music
  • 0:13 - 0:18
    Herald: Good morning everyone, thanks for
    showing up in such great numbers, that's
  • 0:18 - 0:24
    always a good thing
    for such an early session.
  • 0:24 - 0:29
    First of all I would like to ask you
    a question, I mean... or
  • 0:29 - 0:34
    let's start like that: Last night I had
  • 0:34 - 0:39
    a weird encounter with a locked door
  • 0:39 - 0:46
    out of the fate that we endured during
    this week we were out of our apartment
  • 0:46 - 0:51
    and the hotel owner let us stay in their
    office, but the guy who stayed there
  • 0:51 - 0:57
    put the dead lock on so we tried to reach
    him. Hmmm, how do you reach them?
  • 0:57 - 1:03
    We thought about maybe he has some
    messaging, maybe he has some mobile number,
  • 1:03 - 1:09
    no landline, landline, they have landline.
    It turned out that the guy
  • 1:09 - 1:14
    was not at the landline, out, exit, and
  • 1:14 - 1:18
    so we looked around in the bar.
    So this wouldn't have happened
  • 1:18 - 1:24
    if he had mobile messaging, so,
    to dive into that, if we could
  • 1:24 - 1:29
    just text him: "Hey, we are at the hotel,
    please open the door" we would have had
  • 1:29 - 1:35
    one hour more sleep tonight.
    So let's dive in
  • 1:35 - 1:41
    with, yeah, the talk of today.
  • 1:41 - 1:46
    So this morning session starts with
    our speakers Roland Schilling
  • 1:46 - 1:49
    and Frieder Steinmetz.
  • 1:49 - 1:56
    applause
  • 1:56 - 2:00
    And they will be talking about...
    they will at first give you a gentle
  • 2:00 - 2:06
    introduction into Mobile Messaging. I have
    nine messaging apps on my phone, no, ten!
  • 2:06 - 2:11
    The organizers forced me to
    install another messaging app.
  • 2:11 - 2:15
    And after that [they] give you a quick
    analysis, or not so quick, I don't know,
  • 2:15 - 2:18
    a deep analysis of the Threema protocol.
  • 2:18 - 2:22
    So let's give another round of
    applause for our speakers!
  • 2:22 - 2:29
    applause
  • 2:29 - 2:34
    Thank you, Thilo. I am Roland,
    this is Frieder, and
  • 2:34 - 2:38
    as, well, as Thilo already introduced
    us we are going to talk about
  • 2:38 - 2:43
    secure messaging. More specifically we are
    trying to give a very broad introduction
  • 2:43 - 2:48
    into the topic because we want to make the
    field that is somewhat complex available
  • 2:48 - 2:54
    to a more broad audience, so as
    to leave our expert bubble
  • 2:54 - 2:58
    and get the knowledge of technology
    that people use every day
  • 2:58 - 3:04
    to these people who are using it.
    To do that we have to start
  • 3:04 - 3:09
    at a very low level which might mean for
    the security and crypto nerds in the room
  • 3:09 - 3:15
    that you will see a lot of things that you
    already know. But bear with us, please,
  • 3:15 - 3:20
    since we are specifically trying, at least
    with the first part of the talk, to convey
  • 3:20 - 3:25
    a few of these mechanisms
    that drive encrypted messaging
  • 3:25 - 3:30
    to people who are new to the field.
    So what we are going
  • 3:30 - 3:35
    to try today is basically three
    things: We are... we will try to
  • 3:35 - 3:40
    outline privacy expectations when we
    communicate. We are going to do that
  • 3:40 - 3:46
    by sketching a communication scenario
    to you guys and identifying
  • 3:46 - 3:50
    what we can derive from that in
    expectations. We are going to find
  • 3:50 - 3:54
    an analogy, or look at an analogy that
    helps us map these expectations to mobile
  • 3:54 - 3:59
    messaging. And then we are going to look
    at specific solutions, technical solutions
  • 3:59 - 4:07
    that make it possible to make mobile
    messaging as secure, and give us the same
  • 4:07 - 4:12
    privacy guarantees that a one-to-one talk
    would, before, in the second part of the
  • 4:12 - 4:17
    talk we move on to look at a specific
    implementation, and it's no secret anymore
  • 4:17 - 4:24
    that we are going to look at the specific
    implementation of Threema. So let's just
  • 4:24 - 4:30
    dive right in.
    You are at a party, a party in a house
  • 4:30 - 4:33
    full of people and a friend approaches
    you wanting to have a private
  • 4:33 - 4:38
    conversation. Now what do you do? You
    ideally would find a place at this party
  • 4:38 - 4:43
    that is, well, private, and in our
    scenario you find a room, maybe the
  • 4:43 - 4:48
    bedroom of the host where nobody's in
    there, you enter the room, you close the
  • 4:48 - 4:52
    door behind you. Meaning you are now
    private, you have a one-on-one,
  • 4:52 - 4:56
    one-to-one session in this room in
    private. And we are going to look at
  • 4:56 - 5:00
    what that means.
  • 5:00 - 5:07
    First of all the most, the most intuitive
    one is what we call confidentiality and
  • 5:07 - 5:11
    that means that since nobody is there in
    the room with you you are absolutely sure
  • 5:11 - 5:16
    that anything you say and anything your
    communication partner says, if you imagine
  • 5:16 - 5:21
    Frieder and me having this conversation,
    can only be heard by the other person.
  • 5:21 - 5:26
    If that is guaranteed we say… we call this
    confidentiality because nobody who's
  • 5:26 - 5:32
    not intended to overhear any of
    the conversation will be able to.
  • 5:32 - 5:38
    The second part… no, the second
  • 5:38 - 5:43
    claim that we make is: if you guys
    know each other, and again,
  • 5:43 - 5:46
    if I had a talk with Frieder I know I've
    been knowing him for a long time,
  • 5:46 - 5:51
    more than five years now, I know what
    his face looks like, I know his voice,
  • 5:51 - 5:56
    I know that if I talk to him I actually
    talk to ‘him’, meaning I know exactly
  • 5:56 - 6:01
    who my communication partner is
    and the same thing goes vice versa,
  • 6:01 - 6:07
    so if this is achieved, if we can say
    I definitely know who I'm talking to,
  • 6:07 - 6:11
    there's no chance that somebody else
    switches in and poses off as Frieder
  • 6:11 - 6:17
    we call this ‘authenticity’.
    Moving on. Integrity.
  • 6:17 - 6:22
    Integrity is a bit… this is where
    the analogy falls short,
  • 6:22 - 6:28
    well, somewhat. But, basically, if I can
    make sure that everything I say
  • 6:28 - 6:32
    reaches Frieder exactly the way I wanted
    to say it and there is no messenger
  • 6:32 - 6:37
    in between, I'm not telling a third friend
    "Please tell Frieder something" and
  • 6:37 - 6:43
    he will then alter the message because
    he remembered it wrong or
  • 6:43 - 6:49
    has malicious intentions. If I can
    make sure that everything I say
  • 6:49 - 6:54
    is received by Frieder exactly the way
    I said it then we have ‘integrity’
  • 6:54 - 6:59
    on our communication channel.
    Okay. The next ones are two ones
  • 6:59 - 7:05
    that are bit hard to grasp at first.
    Therefore we are going to take a few
  • 7:05 - 7:09
    minutes to look at these, and they are
    ‘forward and future secrecy’. Suppose
  • 7:09 - 7:15
    somebody entered the room while we had our
    talk and that person would stay a while
  • 7:15 - 7:21
    overhear some portion of our talk and
    then they would leave the room again. Now
  • 7:21 - 7:25
    if they, if at the
    point where they entered the room they
  • 7:25 - 7:29
    wouldn't learn anything about the
    conversation that we had before, which is
  • 7:29 - 7:32
    intuitive in this scenario which, that's
    why we chose it, they enter the room, and
  • 7:32 - 7:37
    everything that can overhear is only the
    portion of the talk that takes place while
  • 7:37 - 7:41
    they are in the room, they don't learn
    anything about what we said before,
  • 7:41 - 7:47
    meaning we have what we call forward
    security, we'll get back to that, and
  • 7:47 - 7:51
    after they left they wouldn't be able to
    overhear anything, anything more that we
  • 7:51 - 7:56
    say. This is what we call future security.
    Because those are a bit hard to understand
  • 7:56 - 8:00
    we have made a graphic here. And we are
    going to get back to this graphic when we
  • 8:00 - 8:05
    translate this so I'm going to take a
    minute to introduce it. We have a time
  • 8:05 - 8:09
    line that is blue, goes from left to
    right, and on this time line we have green
  • 8:09 - 8:14
    bar that denotes our secret on our secret
    conversation. The first pink bar there is
  • 8:14 - 8:19
    when the third person enters the room,
    then our secret conversation turns orange
  • 8:19 - 8:23
    because it's no longer secret, it's now
    overheard by the third person and after
  • 8:23 - 8:30
    they left they wouldn't know anything that
    was said after that. So the left part of
  • 8:30 - 8:37
    it meaning the fact that they can't hear
    anything into the past is what we call
  • 8:37 - 8:40
    forward security and if they can't learn
    anything after they left we call it future
  • 8:40 - 8:48
    secure, future secrecy, sorry. Okay, the
    last one that we're going to talk about
  • 8:48 - 8:53
    since we're trying to keep things simple
    is deniability. Since we are only two
  • 8:53 - 8:58
    people in the room and there are no
    witnesses we achieve deniability because
  • 8:58 - 9:02
    after we had this talk we returned to the
    party and people asked us what happened,
  • 9:02 - 9:06
    um, I can always point to Frieder as you
    could to your friend and say he said
  • 9:06 - 9:10
    something. Frieder could always say, no I
    didn't, and it would be my word against
  • 9:10 - 9:17
    his and if this is, you know, if our
    scenario allows for this we have
  • 9:17 - 9:22
    deniability because every one of us can
    always deny having said or not having said
  • 9:22 - 9:28
    something.
    And now we are going to look at messaging.
  • 9:28 - 9:34
    Now in messaging a third player comes into
    the room and this could be your provider
  • 9:34 - 9:40
    if we talk about text messaging like short
    messages that we used to send in the 90s,
  • 9:40 - 9:44
    it could be your messaging provider if you
    use something more sophisticated, it could
  • 9:44 - 9:48
    be WhatsApp for example could be Apple
    depending on what your favorite messenger
  • 9:48 - 9:54
    is but there is always, unless you use,
    like, federated systems, if some some of
  • 9:54 - 9:59
    you guys might think but I'm using Jabber
    I know but we are looking at centralized
  • 9:59 - 10:04
    systems right now and in these there will
    always be one third party that all
  • 10:04 - 10:08
    messages go through, whether you want it
    or not. And whether you're aware of it or
  • 10:08 - 10:17
    not. And this brings us to our second
    analogy which is Postal Services now while
  • 10:17 - 10:20
    messaging feels like you have a private
    conversation with the other person and I
  • 10:20 - 10:24
    think everyone can relate to that you have
    your phone you see you are
  • 10:24 - 10:28
    displayed with the conversation and it
    looks like only you and this other person,
  • 10:28 - 10:32
    in my case Frida, are having this
    conversation we feel like we have a
  • 10:32 - 10:37
    private conversation, while actually our
    messages go through a service provider all
  • 10:37 - 10:43
    the time. Meaning we are now looking
    something at something more akin to postal
  • 10:43 - 10:49
    services. We prepare a message send it
    off, our message provider takes the
  • 10:49 - 10:53
    message, takes a to our intended
    recipient, and they can then read the
  • 10:53 - 11:01
    message. And this is this this applies to
    all the messages we exchange. And to
  • 11:01 - 11:05
    underline that we're going to look at what
    I initially called traditional messaging
  • 11:05 - 11:12
    meaning text messaging, unencrypted SMS
    messaging, and as you may or may not be
  • 11:12 - 11:17
    aware of these messages also go through
    our providers: more than one provider
  • 11:17 - 11:22
    even. Say I'm at Vodafone and Frieder is
    with Verizon, I don't know, I would send
  • 11:22 - 11:26
    my messages to Vodaphone, they would
    forward them to Verizon who would then
  • 11:26 - 11:32
    deliver it to Frieders phone. So since
    both of our providers would know all the
  • 11:32 - 11:36
    messages; they are unencrypted; we would
    have no confidentiality.
  • 11:36 - 11:41
    They could change the messages and these
    things have happened actually. So we
  • 11:41 - 11:44
    don't have any integrity we don't know if
    the messages received are actually the
  • 11:44 - 11:51
    ones that were sent. We also have no
    authentication because phone numbers are
  • 11:51 - 11:57
    very weak for authenticating people, they
    are managed by our providers they don't
  • 11:57 - 12:02
    they are not fixed that there's no fixed
    mapping to our phones or our SIM cards.
  • 12:02 - 12:06
    They can be changed they can be rerouted
    so we don't we never know if the messages
  • 12:06 - 12:11
    we send are actually received by the
    people we intended to: no authenticity and
  • 12:11 - 12:17
    no authentication. Now forward secrecy and
    future secrecy don't even apply because we
  • 12:17 - 12:24
    have no secrecy. We do have some sort of
    deniability but this goes into like
  • 12:24 - 12:33
    philosophically.. Let's do that again:
    philosophical claims of whether when I say
  • 12:33 - 12:37
    I haven't sent anything this must have
    been the provider they can technically,
  • 12:37 - 12:42
    you know, guarantee they did or did not do
    something. So let's not dive too deeply
  • 12:42 - 12:47
    into that discussion, but we can summarize
    that messaging translates, at least
  • 12:47 - 12:51
    traditional messaging, translates very
    badly to our privacy expectations when we
  • 12:51 - 13:00
    think of a communication. Okay, moving on.
    Looking at our postal analogy, actually
  • 13:00 - 13:05
    our messages are more like postcards.
    Because they are plain, our providers can
  • 13:05 - 13:10
    look at them, can change them, you know
    all the things we've just described: just
  • 13:10 - 13:14
    as they would a postcard. They can see the
    intended recipient, they can look at the
  • 13:14 - 13:19
    sender, they can look at the tags, change
    it: postcards. And what we want to achieve
  • 13:19 - 13:25
    now is find a way to wrap these postcards
    and make them more like letters, assuming
  • 13:25 - 13:30
    that postal services don't open letters.
    That's the one the one point with this
  • 13:30 - 13:36
    analogy that we have to like, define. And
    to be able to do that we're going to we're
  • 13:36 - 13:41
    trying to give you the shortest encryption
    to – the shortest introduction to
  • 13:41 - 13:47
    encryption, see I'm confusing myself here,
    that you will ever get. Starting with
  • 13:47 - 13:50
    symmetric encryption.
    Now, encryption, for those of you who
  • 13:50 - 13:56
    don't know, is what we call the
    translation of plain, readable text into
  • 13:56 - 14:00
    text that looks like it's random, but it
    can be reversed and turned back into plain
  • 14:00 - 14:06
    text provided we have the right key for
    that. So to stick with a very simple
  • 14:06 - 14:09
    example please imagine this box that we've
    just labeled crypto, and we are not
  • 14:09 - 14:14
    concerned with what's in the box we just
    imagine it as a machine. Please imagine it
  • 14:14 - 14:18
    as a machine that takes two inputs the
    plaintext and the key, and it produces
  • 14:18 - 14:22
    something that we call ciphertext.
    The ciphertext is undistinguishable from
  • 14:22 - 14:30
    random text, but it can be reversed at the
    recipient side using the same key and
  • 14:30 - 14:35
    basically the same machine just doing the
    operation, you know, in reverse: turning
  • 14:35 - 14:42
    the ciphertext back into plain text. This
    is what we call, sorry, this is what we
  • 14:42 - 14:48
    call symmetric encryption because if you
    imagine a line where the cipher text is
  • 14:48 - 14:53
    you could basically mirror the thing on to
    the other side so it's symmetric at that
  • 14:53 - 15:00
    at that line. And when when there's
    something that is called symmetric there
  • 15:00 - 15:03
    is also something that is called
    asymmetric and asymmetric encryption works
  • 15:03 - 15:09
    relatively the same way, only there are
    now two keys. We have made them a yellow
  • 15:09 - 15:14
    one and a blue one. These keys are called
    a key pair. They are mathematically
  • 15:14 - 15:19
    linked. And the way this works now is that
    anything encrypted with one of these keys
  • 15:19 - 15:27
    can only be decrypted with the other one.
    You can do it both ways, but the important
  • 15:27 - 15:32
    thing to memorize here is just anything I
    encrypt with the yellow key can only be
  • 15:32 - 15:42
    decrypted with the blue key. Okay, since
    we have that now, let's capitalize on this
  • 15:42 - 15:48
    on this scenario. Imagine each of our
    communication partners now has one of
  • 15:48 - 15:51
    these two keys and we are still talking
    about the same key pair that we've
  • 15:51 - 15:56
    outlined on the previous slide. Now we
    call one of them a secret key and one of
  • 15:56 - 16:04
    them a public key. This is probably known
    to most of you: traditional public key
  • 16:04 - 16:07
    cryptography.
    We've added something that is called an
  • 16:07 - 16:09
    identity in this in this picture: we will
    get back
  • 16:09 - 16:14
    to that in a minute. But the scenario we
    want we want you to envision right now is
  • 16:14 - 16:20
    that both parties would publish their
    public key to the public. And we are going
  • 16:20 - 16:25
    to get back to what that means as well.
    And keep their secret key, as the name
  • 16:25 - 16:30
    says, secret. Some of you might know this
    as a private key: it's the same the same
  • 16:30 - 16:39
    concept applies. We just chose to call it
    secret key. Because it more clearly
  • 16:39 - 16:44
    denotes that it's actually secret and not
    never published. So this would mean any
  • 16:44 - 16:49
    message that would that would be encrypted
    with one of the parties public key could
  • 16:49 - 16:54
    then only be decrypted with that parties
    secret key, putting us in a position where
  • 16:54 - 16:59
    I could take Frieta's public key, encrypt
    my message, send it to him, and I would
  • 16:59 - 17:05
    know that he would be the only one able to
    decrypt the message - as long as his
  • 17:05 - 17:13
    secret key remains his, well, secret.
    And he doesn't doesn't publish it. Well
  • 17:13 - 17:22
    the problem is: it's a very expensive
    scenario. We get something akin to a
  • 17:22 - 17:28
    postal to a postal service where we can
    now encrypt the message and envision it
  • 17:28 - 17:33
    like putting a plain sheet of paper into
    an envelope, seal it, we would put it on
  • 17:33 - 17:38
    the way. Nobody on the line would be able
    to look into the letter. They would of
  • 17:38 - 17:41
    course, well, since there are addresses on
    there, they would see who it is from and
  • 17:41 - 17:48
    who it to - but they couldn't look inside
    the letter: this is achieved. But as I've
  • 17:48 - 17:52
    already said it's a very expensive
    mechanism and by that we mean it is hard
  • 17:52 - 17:59
    to do for devices - especially since you
    are doing mobile messaging on your phones,
  • 17:59 - 18:08
    ideally, especially hard to do on on small
    devices like phones. So while if we had a
  • 18:08 - 18:15
    mechanism that would allow us to combine
    symmetric and asymmetric encryption. And
  • 18:15 - 18:21
    it turns out we do. And we are going to
    keep this very simple by just looking at
  • 18:21 - 18:27
    what is called key establishment, and then
    again also just one particular way of key
  • 18:27 - 18:33
    establishment. We have two new boxes here:
    they are called key generators. And the
  • 18:33 - 18:34
    scheme
    that we are
  • 18:34 - 18:37
    looking at right now works works the
    following way: You can take one of the
  • 18:37 - 18:42
    secret keys, and another part and another
    public key, like the one of the other
  • 18:42 - 18:46
    party, put them into the key generator.
    And remember, these keys are
  • 18:46 - 18:51
    mathematically linked each secret key
    belongs to exactly one public key. And the
  • 18:51 - 18:54
    way this key generator works is that
    through this mathematical this
  • 18:54 - 18:59
    mathematical linking it doesn't matter if
    you take, in this case, let's call them
  • 18:59 - 19:04
    Alice and Bob: if you take Alice's secret
    key and Bob public key, or Bob secret key
  • 19:04 - 19:10
    and Alice's public key, you will always
    come up with the same key. And we call
  • 19:10 - 19:14
    this a shared key. Because this key can
    now be it can be generated independently
  • 19:14 - 19:18
    on both sides and it can then be used for
    symmetric encryption, and as we've already
  • 19:18 - 19:26
    told you symmetric encryption is a lot
    cheaper than asymmetric encryption. So
  • 19:26 - 19:30
    this has one advantage and one
    disadvantage: the advantages I've already
  • 19:30 - 19:36
    said is that it's way cheaper, and the
    fact, well, the advantage is also that we
  • 19:36 - 19:40
    come up with the key on both sides, and
    the disadvantage is that we come up with
  • 19:40 - 19:47
    one key on both sides - because whether or
    not you've realized this by now since this
  • 19:47 - 19:52
    is a very static scheme we always come up
    with the same key. That is going to be a
  • 19:52 - 19:58
    problem in a minute. So let's recap we
    have looked at asymmetric encryption which
  • 19:58 - 20:02
    as I've said gives us IDs, and we're going
    to look at what means. But it is very
  • 20:02 - 20:06
    expensive. We know that symmetric
    encryption is cheap, but we have to find a
  • 20:06 - 20:12
    way to get this key delivered to both
    parties before they can even start
  • 20:12 - 20:17
    encrypting their communication. And we
    have looked at key establishment, which
  • 20:17 - 20:24
    allows us which gives us symmetric keys
    based on asymmetric key pairs. Meaning we
  • 20:24 - 20:28
    have now basically achieved
    confidentiality - we can use these keys
  • 20:28 - 20:32
    put them in the machines with our
    plaintext, get ciphertext, can, you know,
  • 20:32 - 20:37
    we are able to transport it to the other
    side. Nobody can look inside.
  • 20:37 - 20:43
    Confidentiality is achieved.
    Now deniability. Deniability in this
  • 20:43 - 20:48
    scenario would basically mean, if you
    think back at our initial sketch, where we
  • 20:48 - 20:51
    could say I haven't said that, and the
    other guy couldn't prove that we did,
  • 20:51 - 20:57
    would in this case be a letter that was
    sent to both of the participants, and it
  • 20:57 - 21:01
    would be from either of the participants.
    So that when looking at this
  • 21:01 - 21:05
    cryptographically, we couldn't say this
    was sent by me or this was sent by Frieda.
  • 21:05 - 21:10
    You could just see it was sent by, well,
    either of us. And if you think of the
  • 21:10 - 21:14
    scheme that we've just sketched, since
    both parties come up with the same key by
  • 21:14 - 21:20
    using different by using a different set
    of keys to to generate them, basically the
  • 21:20 - 21:25
    same key can be generated on both sides.
    And you can never really say, by just
  • 21:25 - 21:30
    looking at a message, if it was encrypted
    with a shared key generated on one or on
  • 21:30 - 21:36
    the other side since they are the same.
    So, very simply and on a very high level
  • 21:36 - 21:42
    we have now achieved deniability. What
    about forward and future secrecy? You
  • 21:42 - 21:45
    remember this picture? Our overheard
    conversation on the party that we were at
  • 21:45 - 21:53
    at the beginning of the talk? Well, this
    picture now changes to this. And what we
  • 21:53 - 21:58
    are looking at now is something we call
    key compromise and key renegotiation. Key
  • 21:58 - 22:04
    compromise would be the scenario where one
    of our keys were lost. And we are talking
  • 22:04 - 22:08
    about the shared key that we generated
    now. Which, if it would fall into the
  • 22:08 - 22:13
    hands of an attacker, this attacker would
    be able to decrypt our messages because
  • 22:13 - 22:23
    it's the same key that we used for that.
    Now, if if if at the point where the key
  • 22:23 - 22:28
    was compromised they wouldn't be able to
    decrypt anything prior to that point - we
  • 22:28 - 22:33
    would have forward secrecy. And if we had
    a way to renegotiate keys, and they would
  • 22:33 - 22:38
    be different ,completely different, not
    linked to the ones we had before, and then
  • 22:38 - 22:43
    use that in the future, we would have
    future secrecy. But we don't, since as
  • 22:43 - 22:48
    we've already said the keys that we
    generate are always the same. And we want
  • 22:48 - 22:51
    you to keep this in mind because
    we will get
  • 22:51 - 22:54
    back to this
    when we look at Threema in more detail.
  • 22:59 - 23:07
    yeah, if we had a way to dump keys after
    having used them, we could achieve forward
  • 23:07 - 23:14
    and future secrecy. Since we don't, we
    can't right now. Okay, next recap our key
  • 23:14 - 23:17
    establishment protocol gives us
    confidentiality, deniability, and
  • 23:17 - 23:23
    authenticity. We don't have forward and
    future secrecy. And if you've stuck with
  • 23:23 - 23:28
    us you would realize we are omitting
    integrity here - that is because we don't
  • 23:28 - 23:32
    want to introduce a new concept right now
    but we will get back to that, and you will
  • 23:32 - 23:39
    see that when we look at Threema it
    actually does have integrity. Now,
  • 23:39 - 23:43
    basically you could think we fixed all
    the-- well, we fixed everything, but you
  • 23:43 - 23:48
    heard us talk about things like IDs, and
    we said we haven't really lost a few words
  • 23:48 - 23:53
    about them lost many words about them and
    we're going to look at that now. And we
  • 23:53 - 23:57
    are going to start with a quote by my very
    own professor - don't worry you don't have
  • 23:57 - 24:01
    to read that, I'm going to do it for you.
    My professor says, "cryptography is
  • 24:01 - 24:05
    rarely, if ever, the solution to a
    security problem. Cryptography is a
  • 24:05 - 24:09
    translation mechanism, usually converting
    a communications security problem into a
  • 24:09 - 24:16
    key management problem." And if you think
    of it, this is exactly what we have now,
  • 24:16 - 24:20
    because I know that Frieder has a private
    key, a secret key I'm sorry, and a public
  • 24:20 - 24:25
    key. He knows that I have a secret key and
    a public key. How does I know which one of
  • 24:25 - 24:30
    those public keys that are in the open is
    actually his? How would I communicate to
  • 24:30 - 24:37
    him what my public key is? Those of you
    who've used PGP for example and then the
  • 24:37 - 24:42
    couple in the last couple of decades know
    what I'm talking about. And we have the
  • 24:42 - 24:46
    same problem everywhere where public key
    cryptography is used, so we also have the
  • 24:46 - 24:53
    same problem in mobile messaging. To the
    rescue comes our messaging server -
  • 24:53 - 24:57
    because, since we have a central instance
    inbetween us, we can now query this
  • 24:57 - 25:02
    instance: I can now tell my public key; I
    can now take my public key and my identity,
  • 25:02 - 25:04
    tell the messaging server, "
    Hey messaging server - this is my
  • 25:04 - 25:07
    identity. Please store it for me." So that
    Frieda, who has
  • 25:07 - 25:14
    some well some kind of information to
    identify me can then query, you, get my
  • 25:14 - 25:19
    public key back. This of course assumes
    that we trust the message messaging
  • 25:19 - 25:26
    server. We may or may not do that. But for
    now we have a way to at least communicate
  • 25:26 - 25:32
    our our public keys to other parties. Now
    what can we use as identities here? In
  • 25:32 - 25:37
    our, like, now a figure here it's very
    simple: Alice just goes to the messaging
  • 25:37 - 25:41
    server and says, "Hey, what's the public
    key for Bob?" And the messaging server
  • 25:41 - 25:46
    magically knows who Bob is, and what his
    public key is. And the same thing where I
  • 25:46 - 25:52
    work works the other way. What would; the
    question now is what is a good ID in this
  • 25:52 - 25:57
    scenario. Remember we are on phones, so we
    could think of using phone numbers, we
  • 25:57 - 26:02
    could think of using email addresses, we
    could think of something else. And
  • 26:02 - 26:07
    something else will be the interesting
    part, but let's look at the other parts
  • 26:07 - 26:11
    one by one.
    Phone numbers can identify users - you
  • 26:11 - 26:14
    remember that you rely on your providers
    for the mapping between phone numbers and
  • 26:14 - 26:19
    SIM cards, so you have to trust another
    instance in this situation. We're going to
  • 26:19 - 26:23
    ignore that completely because we find
    that phone numbers are personal
  • 26:23 - 26:28
    information, and I for one my phone
    number. And I mean the same phone number
  • 26:28 - 26:32
    I've had it for like 18 years now. I
    wouldn't want that to get into the wrong
  • 26:32 - 26:40
    hands. And by using it to identify me as a
    person, or, you know, my cryptographic
  • 26:40 - 26:45
    identity that is bound to my to my keys: I
    wouldn't necessarily want to use that,
  • 26:45 - 26:49
    because I wouldn't be able to change it or
    I would want to change it if it ever got
  • 26:49 - 26:55
    compromised. Now something else comes to
    mind: e-mail addresses. E-mail addresses
  • 26:55 - 27:01
    basically are also personal information.
    They are a bit shorter lived, as we would
  • 27:01 - 27:05
    argue, than phone numbers. But, and you
    can use temporary e-mails, you can do a
  • 27:05 - 27:10
    lot more you are way more flexible with
    e-mails. But ideally we want to have
  • 27:10 - 27:15
    something that is that we call dedicated
    IDs, meanings something that identifies me
  • 27:15 - 27:18
    only within the bounds of the service that
    we use.
  • 27:18 - 27:24
    So that's what we want to have we are
    going to show you how this might work but
  • 27:24 - 27:30
    we still have to find a way to verify
    ownership, because this is a scenario that
  • 27:30 - 27:36
    is more or less likely to happen. I am
    presented with a number of public keys to
  • 27:36 - 27:42
    an identity that I know - and I have to
    verify a way to, well, I have to find a
  • 27:42 - 27:46
    way to verify which one is maybe the right
    one, maybe the one that is actually used,
  • 27:46 - 27:51
    maybe Frieda has used quite a number of
    public keys - he's a lazy guy. He forgets
  • 27:51 - 27:55
    to, you know, take his keys from one
    machine to the other: he just, you know,
  • 27:55 - 27:59
    buys a new laptop sets up a new public
    key: bam, he has two - which one am I
  • 27:59 - 28:04
    supposed to read to use right now. Now
    remember that we are looking at the
  • 28:04 - 28:10
    messenger server for, you know, key
    brokerage, and we are now going to add a
  • 28:10 - 28:19
    third line here and that is this one.
    Basically we introduce a way to meet in
  • 28:19 - 28:24
    person, and again PGP veterans will know
    what I'm talking about, and verify our
  • 28:24 - 28:29
    keys independently. We've chosen QR codes
    here - free mail uses QR codes, many other
  • 28:29 - 28:33
    messengers and do as well, and we want to
    like tell you why this is an important
  • 28:33 - 28:40
    feature to be able to to verify our public
    keys independently of the messaging
  • 28:40 - 28:44
    server. Because once we did that we no
    longer have to trust the messaging server
  • 28:44 - 28:48
    to tell us or - we don't have longer we no
    longer have to trust his promise that this
  • 28:48 - 28:54
    is actually the key we are looking for. We
    have verified that independently. Okay, we
  • 28:54 - 29:00
    have basically solved our authenticity
    problem. We know that we can identify
  • 29:00 - 29:04
    users by phone numbers and emails, and you
    remember our queries to the server for
  • 29:04 - 29:08
    Bob: we can still use phone numbers for
    that if we want to. We can use emails for
  • 29:08 - 29:13
    that if we want to. We don't have to. We can
    use our ids anonymously. But we have a way
  • 29:13 - 29:18
    to verify them independently. The
    remaining problem is users changing their
  • 29:18 - 29:24
    IDs - that is where we have to verify
    again. And we also get back to that later,
  • 29:24 - 29:28
    but I want to look at something else
    first, and that is the handling of
  • 29:28 - 29:31
    metadata.
    Now, we know that an attacker can no
  • 29:31 - 29:36
    longer look inside our messages. They can,
    however, still see the addressee, who the
  • 29:36 - 29:40
    message is from, and they can see how
    large the message is, they can see they
  • 29:40 - 29:45
    can look at timestamps and stuff like
    that. And since we are getting a bit tight
  • 29:45 - 29:51
    on the clock I'm going to try to
    accelerate this a bit. Metadata handling:
  • 29:51 - 29:56
    we want to conceal now who a message is
    from, who a message is to. And we are
  • 29:56 - 30:01
    doing this by taking the envelope that
    we've just generated, wrapping it into a
  • 30:01 - 30:05
    third envelope, and then sending that to
    the messenger server first. And the
  • 30:05 - 30:12
    messenger server gets a lot of envelopes.
    They are all just addressed to the
  • 30:12 - 30:16
    messenger server, so anyone on the network
    would basically see there's there's one
  • 30:16 - 30:20
    party sending a lot of messages to the
    messenger server; maybe there are a lot of
  • 30:20 - 30:25
    parties. But they couldn't look at they
    couldn't look at the end-to-end, we call a
  • 30:25 - 30:30
    channel, that's seeing what the address is
    on each internal envelope are. The
  • 30:30 - 30:36
    messaging server, however, can. They would
    open the other-- the outer envelope, look
  • 30:36 - 30:41
    at the inside, see , "Okay this is a
    message directed at Alice," wrap it into
  • 30:41 - 30:44
    another envelope - that would just say,
    "This is the message from the messaging
  • 30:44 - 30:50
    server and it is directed to Alice." Who
    would then be able to, you know, open the
  • 30:50 - 30:54
    outer envelope, open the inner envelope,
    see this is actually a message from Bob.
  • 30:54 - 31:00
    And what we have thereby achieved is a to
    where two layer end to end communication
  • 31:00 - 31:06
    tunnel as we call it, where the purple and
    the blue bar are encrypted channels
  • 31:06 - 31:13
    between both communication partners and
    the messaging server, and they carry an
  • 31:13 - 31:19
    encrypted tunnel between both partners,
    you know, both communication partners,
  • 31:19 - 31:25
    directly. But, and we've had this caveat
    before, the messaging server still knows
  • 31:25 - 31:29
    both communication partners, they still
    know the times that the messages were
  • 31:29 - 31:34
    sent. And they also know the size of the
    message. But we can do something against
  • 31:34 - 31:39
    that. And we what we do is introduce
    padding - meaning,
  • 31:39 - 31:42
    in the inner envelope we
    just stick a bunch of extra
  • 31:42 - 31:47
    pages so the envelope looks a bit thicker.
    And we do that by just appending random
  • 31:47 - 31:52
    information to the actual message before
    we encrypt it. So anything looking at the
  • 31:52 - 31:56
    encrypted message would just see a large
    message. And, of course, that should be
  • 31:56 - 32:00
    random information every time - it should
    have should never have the same length
  • 32:00 - 32:06
    twice. But if we can achieve that, we can
    at least conceal the size of the message.
  • 32:06 - 32:13
    Now so much for our gentle introduction to
    mobile messaging. And for those those of
  • 32:13 - 32:19
    you stuck around, we are now moving on to
    analyze Threema. Now I want to say a few
  • 32:19 - 32:24
    things before we do that - we are not
    affiliated with Threema, we don't, we are
  • 32:24 - 32:31
    not here to recommend that the the app to
    you or the service. We didn't do any kind
  • 32:31 - 32:35
    of formal analysis. There will be no
    guarantees. We will not be quoted with
  • 32:35 - 32:42
    saying, "use it or don't use it." What we
    want to do is make more people aware of
  • 32:42 - 32:48
    the mechanisms that are in use and we have
    chosen basically a random message provider
  • 32:48 - 32:52
    - we could have chosen anyone. We chose
    Threema for the fact that they do offer
  • 32:52 - 32:57
    dedicated IDs. That they don't bind keys
    to phone numbers, which many messengers
  • 32:57 - 33:04
    do. Those of you who use WhatsApp know
    what I'm talking about. And well, since it
  • 33:04 - 33:09
    is closed source we found it interesting
    to look at what is actually happening inside
  • 33:09 - 33:14
    the app and make that publicly aware. Now
    we are not the only ones we've done this,
  • 33:14 - 33:19
    we are also not the first ones who've done
    this, and we don't claim we are. But we
  • 33:19 - 33:24
    are here now and we want to try to make
    you aware of the inner workings of the app
  • 33:24 - 33:33
    as far as we have understood it. And with
    that I hand the presenter over to Frieda.
  • 33:33 - 33:43
    Applause
  • 33:43 - 33:46
    Frieda: So I'll be presenting to you our
  • 33:46 - 33:52
    understanding of the Threema protocol and
    how the application works as we deduced
  • 33:52 - 33:59
    from mostly reverse engineering the
    Android app. And so this won't be a
  • 33:59 - 34:04
    complete picture, but it will it will be a
    picture presenting to you the most
  • 34:04 - 34:09
    essential features and how the protocol
    works. And I'll start by giving you a
  • 34:09 - 34:17
    bird's eye look at the overall
    architecture and why Roland was giving you
  • 34:17 - 34:21
    this abstract introduction to mobile
    messaging, there was also always this
  • 34:21 - 34:27
    third party - this messaging provider.
    And this now became actually three
  • 34:27 - 34:34
    entities because Threema has three
    different servers, mostly, doing well,
  • 34:34 - 34:41
    very different stuff for for the apps
    working. And I'll start with the directory
  • 34:41 - 34:49
    server in orange at the bottom, because
    that is the server you most likely will be
  • 34:49 - 34:55
    contacted contacting first if you want to
    engage in any conversation with someone
  • 34:55 - 35:00
    you never talked to before. Because this
    is the server that handles all the
  • 35:00 - 35:06
    identity public key related stuff that
    Roland was talking about so much. This is
  • 35:06 - 35:12
    the server you'll be querying for whose
    public key - I have this Threema ID,
  • 35:12 - 35:17
    what's the corresponding public key, for
    example stuff like that. Above that there
  • 35:17 - 35:23
    is the messaging server, which is kind of
    the core central entity in this this whole
  • 35:23 - 35:30
    scenario because it's task is relaying
    messages from one communication partner to
  • 35:30 - 35:35
    another. And above that we have the media
    server, and I'll be talking about that
  • 35:35 - 35:43
    later. In short, its its task, its
    purpose, is storing large media files like
  • 35:43 - 35:49
    images and videos you send to your
    communication partners. But as I said I
  • 35:49 - 35:54
    want to start with the directory server,
    and in the case of Threema, this directory
  • 35:54 - 36:02
    server is offers a REST API so
    communication with this server happens
  • 36:02 - 36:12
    via HTTP. It is HTTPS actually so it's
    TLS encrypted. And this encryption is also
  • 36:12 - 36:19
    fulfills all the requirements you would
    have to to to a proper TLS connection and,
  • 36:19 - 36:22
    so, if you if you want to communicate with
    the new person and you have
  • 36:22 - 36:23
    their phone
    number or
  • 36:23 - 36:27
    the email address or Threema ID. You'll be
    asking your app will be asking the
  • 36:27 - 36:31
    directory server, "Hey, I have this phone
    number, do you have a corresponding
  • 36:31 - 36:37
    Threema account and public key." And the
    response will hopefully be, "Yes, I do -
  • 36:37 - 36:41
    that's a public key that's the Threema ID:
    go ahead."
  • 36:41 - 36:51
    And as Ron said we kind of chose Threema
    for the arbitrary use of IDs and
  • 36:51 - 36:57
    especially for the system of verifying
    fingerprints in person by scanning QR
  • 36:57 - 37:06
    codes and because this is something
    Threema has and other messengers do not
  • 37:06 - 37:12
    have I want to talk a little bit about
    that, because if you just ask the
  • 37:12 - 37:17
    directory server "hey I have a threema ID
    what is the corresponding public key?" the
  • 37:17 - 37:21
    threema location will say "ok I got an
    answer from from the directory server I
  • 37:21 - 37:26
    have a public key but I have very little
    trust, that you actually know who the real
  • 37:26 - 37:29
    person behind this threema account is,
    we're not quite sure about that", so it'll
  • 37:29 - 37:37
    mark this contact with one red dot and if
    you had a phone number or an email address
  • 37:37 - 37:41
    and asked the directory server, "hey
    what's the corresponding threema account
  • 37:41 - 37:46
    and public key?" the app will say, "ok we
    still have to trust the directory server,
  • 37:46 - 37:52
    but we're a little bit more confident that
    the person on the other hand is actually
  • 37:52 - 37:55
    who you think they are because you have a
    phone number probably linked to a real
  • 37:55 - 38:00
    person and you have a better idea who
    you're talking to but still we rely on the
  • 38:00 - 38:07
    threema server", so it'll knock a contact
    like that with two orange dots and then
  • 38:07 - 38:11
    there is the final stage if you met
    someone in person and scan their, their
  • 38:11 - 38:17
    public key and threema ID in form of a QR
    code such a contact will be marked with
  • 38:17 - 38:23
    three green dots and in that case the app
    says "We're 100% confident we're talking
  • 38:23 - 38:30
    to the person we want to talk to and we
    have the proper keys." So right now we're
  • 38:30 - 38:36
    at if we think of engaging a conversation,
    we were at the point where we do have all
  • 38:36 - 38:41
    necessary details to start encrypting our
    communication, but question remains, how
  • 38:41 - 38:46
    do we encrypt our communication,
    in case of threema.
  • 38:46 - 38:52
    Threema uses a library called salt has
    been developed by Daniel Bernstein and he
  • 38:52 - 39:00
    called it salt but it's spelled NaCl so
    I'm sorry for for the play on words, but
  • 39:00 - 39:07
    if you see NaCl its salt so this is a
    library specifically designed for the
  • 39:07 - 39:12
    encryption of
    messages and it's supposed to be very
  • 39:12 - 39:21
    simple in use and give us all the the
    necessary features we wanted and this is
  • 39:21 - 39:25
    Salt's authenticated encryption giving us
    all the features Roland was talking about
  • 39:25 - 39:30
    in abstract before. It gives us integrity,
    it gives us authenticity, it gives us
  • 39:30 - 39:40
    confidentiality and just a quick look and
    on how this this library would be used is,
  • 39:40 - 39:45
    as you can see up there like everything in
    the grey box is, what the library does and
  • 39:45 - 39:50
    we only need our secret key, if we want to
    encrypt something to someone, the
  • 39:50 - 39:59
    recipients public key, our message. So far
    very obvious and the library also requires
  • 39:59 - 40:05
    a nonce, which is something that should be
    only used once, that's actually yeah part
  • 40:05 - 40:09
    of the definition, so we generate
    something random and include that in the
  • 40:09 - 40:13
    process of encrypting the message this is
    just so that if we encrypt the same
  • 40:13 - 40:19
    content same message twice, we do not get
    the same ciphertext. This is not nothing
  • 40:19 - 40:23
    secret because as you can see at the
    output the library actually gives us
  • 40:23 - 40:28
    ciphertext, Roland talked a bit about that
    what it is and it'll also give you it was
  • 40:28 - 40:33
    a MAC and I'll just stick with a very
    simple definition of what that is, it is
  • 40:33 - 40:38
    something that ensures that there's kind
    of a checksum so someone getting looking
  • 40:38 - 40:43
    at the cipher text and the MAC can ensure
    no one tampered with the cipher text so
  • 40:43 - 40:50
    the cipher text is still in the state when
    it was, when we sent it and if we want to
  • 40:50 - 40:55
    transmit our message now in encrypted form
    to someone, we have to include the nonce,
  • 40:55 - 40:58
    the nonce is not secret, we can just send
    it along with the cipher text, but to
  • 40:58 - 41:05
    decrypt we need the nonce and well so this
    is what we might use for encryption, but
  • 41:05 - 41:07
    as you might remember from Roland's
    introduction, this scheme
  • 41:07 - 41:17
    does not offer us any forward or future
    secrecy and we can still try to to add
  • 41:17 - 41:24
    some form of forward to future secrecy to
    this scheme and this is usually done,
  • 41:24 - 41:30
    sorry for skipping with a, with something
    something called a handshake and
  • 41:30 - 41:36
    handshakes are a system of discarding old
    keys and agreeing agreeing a new keys,
  • 41:36 - 41:43
    this is usually what we do with the
    handshake and scenarios like this and
  • 41:43 - 41:48
    doing a handshake with someone that is not
    online at the moment is pretty difficult
  • 41:48 - 41:53
    there are protocols to do that; the signal
    messaging for app, app for example does
  • 41:53 - 41:57
    something like that but it's kind of
    complicated and threema's protocol spares
  • 41:57 - 42:02
    the effort and only does this kind of
    handshake with the Threema servers because
  • 42:02 - 42:07
    they are always online, we can always do a
    handshake with them, so Threema has some
  • 42:07 - 42:13
    form of forward secrecy on this connection
    to the messaging server and how this is
  • 42:13 - 42:20
    achieved, I'll try to present to you right
    now and we walk through this handshake
  • 42:20 - 42:28
    step by step and I try to put some focus
    on what every step tries to achieve, so if
  • 42:28 - 42:31
    we initiate a connection, if we start
    sending a message the threema app will
  • 42:31 - 42:35
    connect to the to the messaging server and
    start the connection by sending a client
  • 42:35 - 42:43
    hello, this is a very simple packet. It is
    only there to communicate the public key
  • 42:43 - 42:48
    we from now on intend to use
    and a nonce prefix in this case
  • 42:48 - 42:54
    notice it is I'd say half a nonce and the
    other part is some some kind of a counter
  • 42:54 - 43:02
    that will during the ongoing communication
    always be increased by one. So but it'll
  • 43:02 - 43:08
    do no harm if you just see it as a nonce
    right now, so we start the conversation by
  • 43:08 - 43:13
    saying "hey, we want to use a new key pair
    from now on and this is our public key,
  • 43:13 - 43:17
    please take note" and the server will
    react by saying "okay, I need a fresh key
  • 43:17 - 43:24
    pair as well then", generate a fresh key
    pair and let us know what it's public key
  • 43:24 - 43:33
    from now on is. The only thing to note is,
    I mean as you can see there is, there's
  • 43:33 - 43:39
    not much more than then the things
    the client sent
  • 43:39 - 43:43
    corresponding things from the server side,
    but there's also the client nonce
  • 43:43 - 43:48
    included, so so as we can we can see this
    is actually a response to our client hello
  • 43:48 - 43:54
    we just sent, not something that got, I
    don't know redirected to us on accident,
  • 43:54 - 44:00
    whatever. And as you can see the latter
    part of the message including the server's
  • 44:00 - 44:06
    public key is encrypted that's what what
    this bracket saying ciphertext says and it
  • 44:06 - 44:13
    is encrypted with the server's long-term
    secret key and our ephemeral temporary key
  • 44:13 - 44:18
    and by doing so, the server does something
    only the person in possession of the
  • 44:18 - 44:23
    service long-term secret key can do and
    proves to us, this public key we just
  • 44:23 - 44:28
    received from the server, in this server
    "hello", has actually been been sent by
  • 44:28 - 44:32
    the proper threema server, no one can
    impersonate the threema server at that
  • 44:32 - 44:42
    point, so, after that we are at a point
    where the client application knows, this
  • 44:42 - 44:46
    is the public key threema server wants to
    use and it's actually the threema server,
  • 44:46 - 44:50
    not someone impersonating it, the server
    know was there is someone who wants to
  • 44:50 - 44:55
    talk to me using this public key, but
    knows nothing else it doesn't know who's
  • 44:55 - 44:59
    actually talking to him and this is going
    to change with the next packet, because
  • 44:59 - 45:06
    the threema app is going to, to now send a
    client authentication packet, we call it
  • 45:06 - 45:11
    that way, which includes information about
    the client, the first thing is the threema
  • 45:11 - 45:18
    ID , the threema IDs are eight character
    strings, it's just uppercase letters and
  • 45:18 - 45:25
    numbers and what follows is a user agent
    string which is not technically necessary
  • 45:25 - 45:29
    for the protocol, it's something the
    threema app sends, it includes the threema
  • 45:29 - 45:35
    version, your system; Android iOS and
    your, in case of Android, the Android
  • 45:35 - 45:42
    version and stuff like that so it's very
    similar to user agent in web browsers,
  • 45:42 - 45:50
    yeah. I don't know why they sent it, but
    they do and the rest of it is nonces.
  • 45:50 - 45:54
    Let's get skip over them, but also the
    client's ephemeral public key we already
  • 45:54 - 45:58
    sent in the client hello but this time
    encrypted
  • 45:58 - 46:02
    with our long-term secret key, so we just
    repeat what the server just did, proving
  • 46:02 - 46:06
    by encrypting with our long-term key,
    proving that we are, who we claim to be
  • 46:06 - 46:12
    and that we vouch that we really want to
    use this, this temporal key and after that
  • 46:12 - 46:17
    happens each party knows, what public key
    what new keypair the other party wants to
  • 46:17 - 46:23
    use from now on and that the other party
    is actually who they claim to be and so
  • 46:23 - 46:26
    the handshake is just concluded
    by the server
  • 46:26 - 46:30
    sending a bunch of zeros and grouped
    encrypted with the newly exchanged key
  • 46:30 - 46:35
    pairs. This is just so the client can
    decrypt it, see it as a bunch of zeros,
  • 46:35 - 46:41
    everything worked out, we have a working
    connection now so if we've done that we
  • 46:41 - 46:47
    have this, we have, if you remember this
    picture, we have established forward
  • 46:47 - 46:52
    secrecy in the paths between the app and
    the server we do not have established
  • 46:52 - 46:56
    anything for the inner crypto layer, which
    is in case of threema, just taking
  • 46:56 - 47:00
    messages encrypting them with the salt
    library and sending them over the wire.
  • 47:00 - 47:05
    There's nothing more to it, it's just as I
    showed you the scheme before, used in a
  • 47:05 - 47:12
    very simple way so we now have channels
    established and we can communicate via
  • 47:12 - 47:18
    those and the next step I want to look at,
    what we are actually sending via this
  • 47:18 - 47:24
    channels and so I'm introducing the
    threema packet format and this is the
  • 47:24 - 47:29
    format packets do have, that your
    application sends to the threema service,
  • 47:29 - 47:36
    this is what if what the threema server
    sees, in this case it is the form a packet
  • 47:36 - 47:43
    has if it's something I want to send to a
    communication partner, for example, the
  • 47:43 - 47:46
    content could be a text message
    I want to send to someone.
  • 47:46 - 47:50
    There are different looking messages for,
    for management purposes, for exchanges
  • 47:50 - 47:55
    with the server, that will never be
    relayed to someone else, but this is the
  • 47:55 - 48:01
    the most basic format we use when sending
    images, text to, to communication parts
  • 48:01 - 48:07
    and as you can see there's a packet type,
    its purpose is kind of obvious and what
  • 48:07 - 48:12
    follows is the fields on the envelope as
    Roland introduced, it's saying "this is a
  • 48:12 - 48:17
    message from me"
    from Alice to Bob and so you recall the
  • 48:17 - 48:21
    server can see that, what follows is a
    message ID this is just a random ID
  • 48:21 - 48:28
    generated when sending a message, follows
    a timestamp so the server knows this is a
  • 48:28 - 48:33
    recent message that has been stuck in
    transit for a long time, whatever.
  • 48:33 - 48:39
    What follows is some things to threema
    specific, threema does have public
  • 48:39 - 48:45
    nicknames, it's just an alias for, for
    your account you can set that in the app
  • 48:45 - 48:50
    and if you do it actually gets transmitted
    with every message you send, so if you
  • 48:50 - 48:56
    change it, your name will change at your
    communication partners phone with the
  • 48:56 - 49:05
    first message you sent to them and what
    follows is a nonce and that is the nonce
  • 49:05 - 49:09
    used to encrypt the cypher text as
    follows, the cypher text you see down
  • 49:09 - 49:15
    below is the inner envelope, as in
    Roland's earlier pictures and we're now
  • 49:15 - 49:22
    going to look at what is in this envelope,
    how do the messages look we transmitted to
  • 49:22 - 49:29
    our end-to-end communication partners and
    the most simple thing we could look at is
  • 49:29 - 49:36
    a text message and you can see grayed out
    above, still all the stuff from the outer
  • 49:36 - 49:41
    envelope and down below it's very simple,
    we have a message type it's just one byte
  • 49:41 - 49:47
    indicating in this case that it is a text
    message and what follows is text.
  • 49:47 - 49:55
    It's nothing more, it's just plain plain
    text and after that, noteworthy maybe is
  • 49:55 - 50:01
    padding and this padding is as you can see
    in the most inner encryption layer so the
  • 50:01 - 50:06
    threema server does not know how big your
    your actual messages are, this is kind of
  • 50:06 - 50:11
    useful because there's stuff like typing
    notifications you send to your
  • 50:11 - 50:19
    communication partners, which are always
    the same size and to make this, to hide
  • 50:19 - 50:24
    this from the threema servers, we have
    this padding in the inner crypto layer.
  • 50:24 - 50:33
    Next I want to look at a other message
    type, like I'd say the most, yeah, I think
  • 50:33 - 50:38
    one of the basic message types most people
    use with instant messaging app is image
  • 50:38 - 50:42
    messages, I want to send someone an image,
    this is something we do regularly and this
  • 50:42 - 50:49
    looks a little bit weird in the first on
    the first look; because it has a message
  • 50:49 - 50:53
    type, we know that, we know what what it's
    burst with the purposes follows a blob
  • 50:53 - 51:00
    ID, what a blob ID is, I'm going to
    explain in a minute. Follows the size is
  • 51:00 - 51:04
    very basic, it's just the size of the image
    just should be transmitted and what
  • 51:04 - 51:10
    follows is a key and the mandatory
    padding, so, the questions are, what is
  • 51:10 - 51:16
    this blob ID what is the key ID and what
    is this key and this is where the media
  • 51:16 - 51:23
    server comes into the picture. The media
    server is, well I'll show you what happens
  • 51:23 - 51:28
    if you send an image message. Your app
    will take the image you want to send,
  • 51:28 - 51:35
    generate a random key, encrypt this image
    with this key and send it to the media
  • 51:35 - 51:39
    server and the media server will say "okay
    I'll store this under the following blob
  • 51:39 - 51:44
    ID" and your app takes note of this blob
    ID and then, we'll send this kind of image
  • 51:44 - 51:49
    message I just showed to you to the
    messaging server via the messaging server
  • 51:49 - 51:54
    to your communication partner, your
    communication partner opens up the message
  • 51:54 - 51:59
    looks at it sees a blob ID sees the key
    and goes to the media server and says "hey
  • 51:59 - 52:04
    do you have a blob ID, something stored
    under this blob ID?" and the media server
  • 52:04 - 52:10
    will respond "yes I do, here's the encrypted
    stuff" and your communication partner
  • 52:10 - 52:16
    can take this encrypted stuff, decrypt it
    with the key you sent and look at your image.
  • 52:16 - 52:22
    This is how image sending works. So right
    now we do have the basic the basics of
  • 52:22 - 52:26
    modern instant messaging, we can send
    text, we can send images, this is the
  • 52:26 - 52:35
    simple stuff and what I want to look at
    next is something that most people would
  • 52:35 - 52:41
    want a modern messenger to have as well
    and that is group conversations.
  • 52:41 - 52:46
    Group conversations essentially in threema
    do work not very different from other from
  • 52:46 - 52:54
    other method messages because if you send
    something to a group your app will just
  • 52:54 - 52:58
    encrypt the message several times for
    every communication partner involved and
  • 52:58 - 53:03
    send it to them, but your communication
    partners need to know, well this is a
  • 53:03 - 53:09
    group message and it belongs to this and
    that group and to do so threema has group
  • 53:09 - 53:16
    packets and they include exactly that
    information, they include a creator ID
  • 53:16 - 53:22
    which is the threema ID of the person who
    created the group and a group ID which is
  • 53:22 - 53:28
    something randomly generated when creating
    a group and after that folIows a regular
  • 53:28 - 53:33
    packet format; in this case a text message,
    if it were an image message you would see
  • 53:33 - 53:38
    exactly the same stuff as shown in the
    Image message before so this is how group
  • 53:38 - 53:43
    messages look, but we need a way to
    introduce new groups to change names and
  • 53:43 - 53:51
    for that there are special packets and
    this for example is a group "set members
  • 53:51 - 53:55
    message", which tells everybody there is
    this new group and it has the following
  • 53:55 - 54:01
    members as you can see here there is
    only a group ID, there is no longer a
  • 54:01 - 54:04
    group creator ID included and that is
    because a threema group management
  • 54:04 - 54:10
    is very static, there can only be one person
    managing a group and that is the person
  • 54:10 - 54:15
    who created the group. So only the person
    who created the group can send this kind
  • 54:15 - 54:21
    of messages, saying there is a new member
    in the group for example and therefore the
  • 54:21 - 54:28
    group creator is implicit in this case, it
    is the sender of the message, so this is
  • 54:28 - 54:33
    kind of annoying because you cannot have
    a group where everybody can have members for
  • 54:33 - 54:40
    example and stuff like that. Just if you
    set a name for a group, the message looks
  • 54:40 - 54:48
    very similar it just doesn't include a
    member list, but a name field. So, what I
  • 54:48 - 54:52
    want to talk about next is something that
    happens above all the stuff I talked
  • 54:52 - 54:57
    about right now, because now I show you
    there are different kinds of packets doing
  • 54:57 - 55:01
    all that stuff, there there are lots of
    more packages for all your messages for
  • 55:01 - 55:07
    example they look very similar to the
    image messages, because they just I mean
  • 55:07 - 55:11
    we have a blob ID for the audio file and
    stuff like that but what is kind of
  • 55:11 - 55:18
    interesting I thought, we thought, is that
    above this layer of packet formats,
  • 55:18 - 55:24
    there's, there's also some additional stuff
    happening and a good example for that is
  • 55:24 - 55:30
    how Threema handles subtitles for images,
    you can I think a lot of modern messengers
  • 55:30 - 55:36
    support that at some some kind of text to
    an image and Threema doesn't have a packet
  • 55:36 - 55:42
    format of a field in some kind of image
    message for that, but they just embed the
  • 55:42 - 55:48
    subtitle of the image, in the actual image
    and the acts of data of the image and send
  • 55:48 - 55:55
    it along. This has the advantage of being
    compatible with Threema versions not aware
  • 55:55 - 55:59
    of this feature, because they can just
    happily ignore this exif data, you won't
  • 55:59 - 56:04
    see the subtitle but it won't break
    anything. It is though kind of wonky because
  • 56:04 - 56:08
    it's not actually a feature which is not
    reflected in the actual packet format and
  • 56:08 - 56:13
    this is also very similar happening with
    quotes, you can quote other people in
  • 56:13 - 56:18
    Threema you can like, mark your message
    and say I want to quote that and in the
  • 56:18 - 56:23
    app it looks like like some kind of fixed
    feature, yeah, you have this message you
  • 56:23 - 56:29
    quoted, included in your new message and
    it looks like like it's somehow linked to
  • 56:29 - 56:36
    the old message, but in reality it's just
    a text message, including some markdown,
  • 56:36 - 56:42
    which if you're Threema version supports
    this this kind of stuff, is rendered
  • 56:42 - 56:47
    nicely as is shown below, but if your
    version doesn't support it, you'll just
  • 56:47 - 56:51
    see the plain text.
    So again, being compatible with versions
  • 56:51 - 57:01
    that don't have it introduces some, yeah,
    weird layer. And with that, I'll stop
  • 57:01 - 57:08
    showing you all the features Threema has.
    There's certainly more to talk about, but
  • 57:08 - 57:17
    I think you should have an idea how how it
    works in basic terms. What it does; all
  • 57:17 - 57:22
    the other stuff is kind of similar to what
    I showed you and differs in
  • 57:22 - 57:28
    particularities which aren't so important
    I think and I'll just hand over to Roland
  • 57:28 - 57:34
    who'll be wrapping up our talk and say
    something about the results of our reverse
  • 57:34 - 57:36
    engineering.
  • 57:36 - 57:45
    Applause
  • 57:45 - 57:50
    Roland: Okay, we told you we reversed the
    app and we told you we weren't the first
  • 57:50 - 57:59
    ones and this is all true. But we came
    here to tell you guys or to make you guys
  • 57:59 - 58:05
    aware of things you can expect from
    messaging apps, and we hope that by using
  • 58:05 - 58:10
    Threema as an example we have we have
    shown you how you can relate your own
  • 58:10 - 58:14
    privacy expectations to different apps and
    we also hope we gave you enough
  • 58:14 - 58:21
    terminology and explanation to that so you
    can make a more more competent decision
  • 58:21 - 58:28
    next time you look at a messenger and look
    at what its promises are. Since we
  • 58:28 - 58:34
    reversed it anyway and we did a lot of
    coding to do that what we did is put it in
  • 58:34 - 58:40
    a library. Now, I don't know how many of
    you guys know the term academic code
  • 58:40 - 58:46
    Laughter
    We are of course we are of course I'm
  • 58:46 - 58:51
    working at a university, so we've been
    doing this on and off for for quite some
  • 58:51 - 58:55
    time. We started roughly two years ago,
    did it for a couple of days then left it
  • 58:55 - 59:01
    lying around. Eventually we had the whole
    thing lying in a drawer for about a year
  • 59:01 - 59:06
    before we decided to finish it so we we
    didn't we never actually put a lot of
  • 59:06 - 59:10
    effort into the code. We are not
    proficient programmers. But we still
  • 59:10 - 59:15
    wanted to we still wanted to publish what
    we did with the hopes that a small
  • 59:15 - 59:22
    community might form around this, maybe
    extend it, help us you know fix the few
  • 59:22 - 59:26
    things that we didn't do so well, help us
    document it - you don't have to take
  • 59:26 - 59:33
    photographs by the way will will upload
    the slides. So these repositories they
  • 59:33 - 59:38
    exist we push to them we made a GitHub
    organization that we push to them
  • 59:38 - 59:43
    yesterday. If you wanted to look if you
    wanted to start coding right away, say if
  • 59:43 - 59:47
    you wanted to write a bot, we'd recommend
    you wait a few weeks say two to three
  • 59:47 - 59:52
    because we still want it like, fix a few
    of the kinks in there. Everyone else we
  • 59:52 - 59:57
    hope will just look at it, maybe this will
    help your understanding of what actually
  • 59:57 - 60:04
    does. And also the activists in us hope
    that this might get the people at Threema
  • 60:04 - 60:08
    to open-source their code because no
    matter what we tell you here, and no
  • 60:08 - 60:12
    matter what they tell you how their their
    app actually works - and this is always
  • 60:12 - 60:16
    true for non open-source software, there
    will never be true transparency: you will
  • 60:16 - 60:20
    never be able to prove that what runs on
    your phone is actually implemented the
  • 60:20 - 60:26
    same way we've shown you. With our library
    you would have these guarantees, you can
  • 60:26 - 60:30
    actually you can definitely use it to
    write bots if you ever wanted to do that.
  • 60:30 - 60:35
    Or if you just want to understand how it
    works please go ahead and dive right into
  • 60:35 - 60:44
    there. Well, with that said, we thank you
    for your attention.
  • 60:44 - 60:59
    Applause
    Herald: Okay, thank you very much, Roland,
  • 60:59 - 61:06
    Frieder, we only have time for one
    question, so who has a super eager
  • 61:06 - 61:12
    question - the signal angel is signalling.
    Signal Angel: There's a couple of
  • 61:12 - 61:17
    questions, but I will pick the best one.
    The best one was from alien: could you use
  • 61:17 - 61:23
    captions to inject malicious Exif data
    into the images?
  • 61:23 - 61:30
    Frieder: What is malicious Exif data?
    Signal Angel: Well some data that probably
  • 61:30 - 61:37
    the image passing library.
    Frieder: What we did not do was have
  • 61:37 - 61:43
    looked very particular at security
    problems in the implementation of Threema.
  • 61:43 - 61:48
    I could, like, and I would say this falls
    into this department: there's also a
  • 61:48 - 61:52
    library handling the gif display meant and
    stuff like that. We could have looked at
  • 61:52 - 61:57
    is this broken, maybe. We did not. We
    looked at the protocol from a higher level
  • 61:57 - 62:01
    and, so I cannot say anything about it.
    Signal Angel: Okay and another question
  • 62:01 - 62:08
    was when an non-group originating user
    sends the group update message, what
  • 62:08 - 62:14
    happens?
    Frieder: The thing is, Threema group IDs
  • 62:14 - 62:20
    aren't globally unique. A Threema group ID
    only refers to a particular group together
  • 62:20 - 62:27
    with the group creator's ID. So if you
    send an update group message from your
  • 62:27 - 62:31
    account, the app would look for a
    different group than you intended. Because
  • 62:31 - 62:37
    your group ID would say I'm I'm trying to
    update a group created by me with this and
  • 62:37 - 62:44
    that ID. So it won't be the group
    you want to hijack.
  • 62:44 - 62:47
    Herald: Okay, very well. Another round
    of applause for our speakers!
  • 62:47 - 62:57
    applause
  • 62:57 - 63:13
    postroll music
  • 63:13 - 63:20
    Subtitles created by c3subtitles.de
    in the year 2018
Title:
A look into the Mobile Messaging Black Box (33c3)
Description:

more » « less
Video Language:
English
Duration:
01:03:20

English subtitles

Revisions