ESORICS 2022 – Continuous Authentication in Secure Messaging

Conferences are in person once again, so I could go to Danemark to present my work on secure messaging schemes at the ESORICS conference.

ESORICS has been evaluated as an A-level conference and is seen as a leading European conference in security. In 2022 it has seen a record paper submission, with an acceptance rate of around 18%.

 

The paper

Secure messaging schemes such as the Signal protocol rely on out-of-band channels to verify the authenticity of long-running communication.

Such out-of-band checks however are only rarely actually performed by users in practice.

In this paper, we propose a new method for performing continuous authentication during a secure messaging session, without the need for an out-of-band channel.

Leveraging the users’ long-term secrets, our Authentication Steps extension guarantees authenticity as long as long-term secrets are not compromised, strengthening

Signal’s post-compromise security. Our mechanism further allows to detect a potential compromise of long-term secrets after the fact via an out-of-band channel.

Our protocol comes with a novel, formal security definition capturing continuous authentication, a general construction for Signal-like protocols, and a security proof for the proposed instantiation.

We further provide a prototype implementation which seamlessly integrates on top of the official Signal Java library, together with bandwidth and storage overhead benchmarks.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.