[messaging] How secure is TextSecure?
Frederic Jacobs
lists at fredericjacobs.com
Sat Dec 20 06:22:01 PST 2014
TextSecure clients are storing a trusted identity key per TextSecure identifier (currently phone numbers, but nothing prevents us from using email identifiers in the future).
When a message is received, the clients are verifying that the message belongs to a session for that TextSecure identifier and then check public keys for that identifier.
The UKS attack doesn’t seem to work in practice, but I guess that what the authors wanted to point out is that there is no cryptographic guarantee that the key belongs to the people you’re talking to.
> On 20 Dec 2014, at 00:09, Trevor Perrin <trevp at trevp.net> wrote:
>
> On Fri, Dec 19, 2014 at 2:47 PM, Joseph Bonneau <jbonneau at gmail.com> wrote:
>>
>> On Fri, Dec 19, 2014 at 5:35 PM, Trevor Perrin <trevp at trevp.net> wrote:
>>>
>>> If Bob lies to his girlfriend Alice and gives her Charlie's fingerprint
>>> and phone number, Bob doesn't need to register anything.
>>
>> I guess there are two types of attack:
>>
>> In the first one Bob and Charlie both have accounts (separate usernames),
>> and Bob changes to have Charlie's key fingerprint then tries to redirect
>> Alice's message to Charlie. I was arguing you can prevent this version
>> fairly cheaply in a centralized service by preventing key fingerprint
>> collisions.
>
> A service can prevent this even more cheaply by not allowing Bob to
> redirect Alice's messages.
>
>
>> In the second, Bob has no account. He tells Alice that Charlie's username X
>> is really his (and perhaps even has Charlie's QR code on his screen so Alice
>> is convinced she's "verified" that Bob really owns X). Fixing that probably
>> requires the verification is a challenge-response proving knowledge of the
>> private keys as the authors of the paper suggested and I agree that's
>> probably not worth it.
>
> Yeah, it's not worth it (IMO) and isn't a certain fix (Bob can relay
> the challenge-response through someone else querying Charlie).
>
>
> Trevor
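A minimal sketch of the per-identifier identity-key pinning described at the top of this message, as an added example that is not TextSecure's code and not part of the original thread. The `IdentityStore` class, the fingerprint format, and the sample identifier and key bytes are assumptions constructed for illustration. It also covers the second case from the quoted discussion, where a fingerprint comparison succeeds because the pin binds a key to an identifier and not to a person.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    PINNED_FIRST_USE = "pinned on first use"
    MATCH = "matches pinned key"
    MISMATCH = "identity key changed"


def fingerprint(identity_key: bytes) -> str:
    """Short hex fingerprint for out-of-band comparison (constructed format)."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


class IdentityStore:
    """Hypothetical trust store: one pinned identity key per identifier."""

    def __init__(self):
        self._pins = {}  # identifier (e.g. phone number) -> identity public key

    def pinned(self, identifier: str) -> bytes:
        return self._pins[identifier]

    def check(self, identifier: str, identity_key: bytes) -> Verdict:
        """Compare the key presented in a session against the pinned key."""
        pinned = self._pins.get(identifier)
        if pinned is None:
            self._pins[identifier] = identity_key  # trust on first use
            return Verdict.PINNED_FIRST_USE
        return Verdict.MATCH if pinned == identity_key else Verdict.MISMATCH


def demo():
    # Constructed sample values: placeholder number and stand-in key bytes.
    charlie_id, charlie_key = "+15550100", b"\x01" * 32
    other_key = b"\x02" * 32
    store = IdentityStore()
    results = [
        store.check(charlie_id, charlie_key),  # first message from identifier
        store.check(charlie_id, charlie_key),  # later message, same key
        store.check(charlie_id, other_key),    # different key, same identifier
    ]
    # Second case from the thread: Bob presents Charlie's identifier and
    # fingerprint as his own. The comparison passes because the fingerprint
    # is genuine; nothing in the store ties the identifier to a person.
    shown_to_alice = fingerprint(charlie_key)
    comparison_passes = shown_to_alice == fingerprint(store.pinned(charlie_id))
    return results, comparison_passes
```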