Overview of the Field: A secure messaging protocol (SMP) is the collection of procedures that use cryptographic schemes to send and receive messages (and other data such as files, VOIP streams, and more). A bit more precisely, such a protocol describes how:
Any messaging platform can only ever be as secure as the underlying protocol it is built on. This makes messaging protocols a fundamental and critical tool, not just for Wickr but for any secure messaging platform.
The market for messaging encompasses well over a billion end-users as well as countless organizations across the world and most sectors of private, military and government life. However, these protocols can be quite complicated beasts, making them far from trivial to get “right”. Even more so when more advanced functionalities are needed, such as Group Messaging, Managed Secure Messaging, Federation, Verifiable Abuse Reporting, Transcript Consistency, P2P Transport, Real-time Conference Calling, etc. The difficulty only grows when more advanced security properties are needed, such as Post Compromise Security, Deniability and Resilience to Insider Attacks. In fact, even just precisely defining such notions is proving to be far from a done deal.
This motivates steering clear of ad-hoc solutions whenever possible and instead applying a more rigorous cryptographic methodology to the design and analysis of new messaging protocols (and accompanying security notions). To this end, Wickr is increasingly engaged, both with industry and academia, in pushing forward this field of applied cryptography.
This page is devoted to Wickr’s research in the area. As such it is focused on the state of, and the specific context within which, Wickr’s research is taking place. However, for a (less detailed but) more holistic view of cryptography and secure messaging protocols we encourage the interested reader to look at this series of blog posts. The first covers some important historical milestones, while the second takes a more high-level look at the secure messaging crypto field, covering several other active research threads beyond the pure messaging protocols covered below.
2-Party Messaging Protocols Context: A natural place to start when applying cryptographic techniques to building better secure messaging platforms is to focus on the core messaging protocols. In that spirit, several recent research projects in the field can be traced back to the introduction and deployment of the Double Ratchet (key agreement) protocol and the various secure messaging protocols that are built on top of it. Thanks to its novel design and strong security claims it triggered a new line of cryptographic research into provable security for 2-party messaging protocols. Initially, in , the focus was on proving some type of formal security for that protocol.
With this result public, cryptographers quickly expanded their focus beyond the original Double Ratchet protocol. At CRYPTO 2017, focused on a unidirectional variant of the protocol. Meanwhile, at CRYPTO 2018, in , a new focus was introduced when two teams of cryptographers posed themselves the question “How strong of a security notion can a 2-party secure messaging protocol provide?” While the details differed, a common theme in the results was that, at least in theory, we can construct significantly more powerful protocols than any used in practice today. While the specifics of these notions are quite complicated (and well outside the scope of this page), we observe that the flavor of the improvement over current protocols was in the precise type of Post Compromise Security (PCS) the new protocols provided. In other words, these new protocols were even faster to “heal” from a state / key compromise by the adversary, making them yet more resilient.
Unfortunately, this added security comes at a rather steep price (at least from a practical perspective). Namely, all of the new protocols in those works make use of some quite heavy cryptographic machinery, which makes their widespread use in practice implausible, at least for the foreseeable future. This observation set the stage for the next pair of results, in and , which modified the previous motivating question by asking “How strong of a security notion can a 2-party secure messaging protocol provide if it is built exclusively from practical and efficient ‘standard’ cryptographic primitives?” In both works new protocols (and accompanying security notions and security proofs) are introduced which ultimately demonstrate that the answer remains: “stronger security than anything used in practice today”! Roughly speaking, the security improvements over the original Signal protocol can be described as follows:
While RECOVER-security is undoubtedly a novel and interesting security property, at least in a theoretical sense, we at Wickr believe that it remains somewhat in the eye of the beholder as to whether it is truly desirable in practice. In particular, the adversary may continue to impersonate Bob to Alice while Bob has no (in-band) means to notify Alice that this is happening. Thus, the value of the property may well depend on the particular use case of the SMP.
In any case, a (seemingly unavoidable) consequence of RECOVER-security (and the analogue) is that any protocol satisfying it is unable to handle messages received out of order. In particular, when a message is dropped, any and all future communication remains undecryptable until the dropped message is resent and delivered. In other words, RECOVER-security contradicts “Message Loss Resilience”.
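The trade-off above, as an added toy illustration (constructed here; not Wickr's code and not any deployed protocol): a Double-Ratchet-style symmetric chain whose message keys depend only on a counter can cache skipped keys and decrypt out of order, whereas a chain that folds each ciphertext into the next chain key (a simplified stand-in for the transcript binding behind RECOVER-style notions) cannot decrypt anything after a dropped message until that message is redelivered. The cipher is a deliberately minimal SHA-256 keystream with an HMAC tag, chosen only to make "undecryptable" observable as a failed tag check.

```python
import hashlib, hmac

def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def seal(mk: bytes, pt: bytes) -> bytes:
    # toy encrypt-then-MAC: SHA-256 keystream (pt <= 32 bytes) plus 16-byte HMAC tag
    ks = hashlib.sha256(mk + b"stream").digest()
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return ct + hmac.new(mk, ct, hashlib.sha256).digest()[:16]

def open_(mk: bytes, blob: bytes):
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(mk, ct, hashlib.sha256).digest()[:16]):
        return None  # wrong message key: the message is undecryptable
    ks = hashlib.sha256(mk + b"stream").digest()
    return bytes(a ^ b for a, b in zip(ct, ks))

class LossResilientChain:
    """Chain key advances by counter only, so skipped keys can be cached (Double-Ratchet style)."""
    def __init__(self, ck): self.ck, self.n, self.skipped = ck, 0, {}
    def _step(self):
        mk, self.ck, self.n = kdf(self.ck, b"msg"), kdf(self.ck, b"chain"), self.n + 1
        return mk
    def send(self, pt): return (self.n, seal(self._step(), pt))
    def recv(self, n, blob):
        while self.n <= n:            # advance past dropped messages, remembering their keys
            idx = self.n
            self.skipped[idx] = self._step()
        mk = self.skipped.pop(n, None)  # None: unknown or already-used key (replay)
        return open_(mk, blob) if mk else None

class TranscriptBoundChain:
    """Next chain key depends on the ciphertext just sent/received (RECOVER-style binding)."""
    def __init__(self, ck): self.ck = ck
    def send(self, pt):
        blob = seal(kdf(self.ck, b"msg"), pt)
        self.ck = kdf(self.ck, blob); return blob
    def recv(self, blob):
        pt = open_(kdf(self.ck, b"msg"), blob)
        if pt is not None: self.ck = kdf(self.ck, blob)  # advance only on success
        return pt

def demo_dropped_message():
    root = b"\x01" * 32  # constructed shared secret for both parties
    a, b = LossResilientChain(root), LossResilientChain(root)
    m1, m2, m3 = a.send(b"one"), a.send(b"two"), a.send(b"three")
    r1 = (b.recv(*m3), b.recv(*m1), b.recv(*m2))  # m3 arrives first; all three decrypt
    c, d = TranscriptBoundChain(root), TranscriptBoundChain(root)
    t1, t2, t3 = c.send(b"one"), c.send(b"two"), c.send(b"three")
    r2 = (d.recv(t1), d.recv(t3), d.recv(t2), d.recv(t3))  # t2 dropped, t3 fails until t2 lands
    return r1, r2
```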
To be clear, there are many, many other factors involved in building and deploying a secure messaging *platform* besides using a good protocol. How well is the protocol implemented? How are default options in the platform set? What code review processes are being used? How are the capabilities, and especially the limitations, of the platform communicated to the user? And much, much more. Nevertheless, without a solid messaging protocol all of these other considerations won’t help make a secure platform either.