[messaging] Viber's New End-to-End Authentication

Frederic Jacobs lists at fredericjacobs.com
Thu Apr 21 08:10:11 PDT 2016


Hey Michael, messaging,

> On 20 Apr 2016, at 18:54, Michael Farb <mwfarb at cmu.edu> wrote:
> 
> What I really like is the improved UX for authentication I’ve not seen yet. They use their own real-time channel (voice) to guide the user through the fingerprint readout.

I did some reverse engineering on this; it appears that they are using WebRTC for the voice channel stuff. I have not found any additional encryption layer on top of that.

> Now, real-time channels are available through many tools, but I think this is the first time I’ve seen a text messaging service do this (ZRTP in video calls and voice calls notwithstanding).

Interestingly, I think they are performing the authentication over an un-authenticated channel. It is my understanding that the "secret identification" is not tied to the authentication of the WebRTC session.

I think that SilentCircle has a more elegant solution when it comes to integrating two different authentication mechanisms (one for voice and one for messaging).
They add the ZINA (their ratchet) identity key in the ZRTP confirm packet, so it's part of the SAS that is verified on calls. It's nice because SAS strings are shorter than key fingerprints and yet reasonably secure.

Best,

Frederic
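The point Frederic makes above, that binding the messaging identity key into the call's Short Authentication String lets the spoken SAS comparison detect a substituted messaging key, can be shown with a small model. The code below is an added illustration and is not Silent Circle's, ZINA's, ZRTP's or Viber's code: the hash construction, the 20-bit base32 SAS rendering (loosely after ZRTP's), the key byte strings and the call secret are all constructed assumptions. It models an attacker who replaced Alice's messaging identity key on the way to Bob while the voice call's own key agreement stayed intact, and compares what the two callers would read to each other with and without the binding.

```python
"""Toy model: binding a messaging identity key into a call's SAS.

Added example, not code from the original thread or from any of the
products it mentions. The hash layout, SAS encoding and all key material
below are assumptions made for illustration only.
"""
import base64
import hashlib

# Constructed sample material (not real keys or secrets).
CALL_SECRET = b"constructed-call-shared-secret"
ALICE_ID_KEY = b"alice-messaging-identity-key"
BOB_ID_KEY = b"bob-messaging-identity-key"
SUBSTITUTED_KEY = b"substituted-messaging-identity-key"


def derive_sas(call_secret: bytes, own_id_key: bytes, peer_id_key: bytes,
               bind_identity: bool) -> dict:
    """Derive one party's view of the SAS.

    With bind_identity=True the two messaging identity keys enter the hash,
    modelling the email's description of adding the ratchet identity key to
    the ZRTP confirm packet so it becomes part of the SAS. The keys are
    sorted so that both sides hash the same transcript when they agree.
    """
    transcript = b"".join(sorted([own_id_key, peer_id_key])) if bind_identity else b""
    digest = hashlib.sha256(b"SAS|" + call_secret + b"|" + transcript).digest()
    # 20-bit SAS rendered as 4 base32 characters (assumed encoding).
    sas = base64.b32encode(digest[:3]).decode("ascii")[:4]
    return {"sas": sas, "digest": digest.hex()}


def simulate(bind_identity: bool, tampered: bool) -> tuple:
    """Return (alice_view, bob_view) for one call.

    tampered=True models Bob receiving a substituted identity key for Alice
    over the messaging layer, while the call's own key agreement is assumed
    untouched (both sides hold the same CALL_SECRET).
    """
    alice_key_as_seen_by_bob = SUBSTITUTED_KEY if tampered else ALICE_ID_KEY
    alice_view = derive_sas(CALL_SECRET, ALICE_ID_KEY, BOB_ID_KEY, bind_identity)
    bob_view = derive_sas(CALL_SECRET, BOB_ID_KEY, alice_key_as_seen_by_bob, bind_identity)
    return alice_view, bob_view


def spoken_sas_matches(alice_view: dict, bob_view: dict) -> bool:
    """What the two callers learn by reading their SAS to each other."""
    return alice_view["sas"] == bob_view["sas"]


if __name__ == "__main__":
    for bind in (False, True):
        for tampered in (False, True):
            a, b = simulate(bind, tampered)
            print(f"bind={bind!s:5} tampered={tampered!s:5} "
                  f"alice={a['sas']} bob={b['sas']} match={spoken_sas_matches(a, b)}")
```

Without the binding, the substituted messaging key leaves the call's SAS untouched, so a successful spoken comparison says nothing about the messaging layer; with the binding, the two sides' hashes diverge and the callers notice the mismatch. The 20-bit SAS is short enough that a mismatch in the full hash can, with small probability, still collapse to the same four characters, which is the usual trade-off behind a short SAS.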

