[messaging] Question regarding Whatsapp/Signal Safety Numbers

Vincent Breitmoser look at my.amazin.horse
Wed Sep 27 11:01:18 PDT 2017

Hey there,

I have been looking at the way safety numbers are constructed in Signal.
This left me somewhat confused, and I thought I'd ask here for
clarification :)

As a brief recap, the safety numbers are structured like this:

decimalize(SHA512^5200(id1_pub+userid1)) || decimalize(SHA512^5200(id2_pub+userid2))

Where decimalize takes the first 100 bits and transforms them into 30
decimals. Most of these things are straightforward: mix in id pubkeys,
salt with user ids, stretch a bit, and transform into display
representation. Cool beans.

What confused me was that the safety number is constructed as a
concatenation of two hashes. This struck me as weird and thinking
through the attack scenarios a bit I couldn't come up with a good
explanation for this design.

The attack scenario we want to prevent is impersonation. Let's say we
have Alice and Bob, with safety numbers A and B, each 30 digits ~= 100
bits in size (disregarding stretching here). Let's take Mallory
impersonating Bob in communication with Alice as attack scenario.

To perform this attack, Mallory will have to find a preimage for B, so
her attacker capabilities must include a 100-bit preimage. Comparing
fingerprints with Alice, she'll display A and her preimage of B. Alice
will first compare her own 30 digits on both devices, which helps verify
the integrity of her own device (if the other party is genuine, at
least) but says nothing about Bob's identity? She'll then compare Bob's
numbers, gaining 100 bits of verification for him.

So it seems to me that with this scheme 1) Mallory can impersonate Bob
in communication with anyone, not just Alice, given a single preimage,
2) Alice is asked to compare 60 digits, but gains only 100 bits of
verification with Bob, and 3) if Alice is lazy and compares only part of
the safety numbers, she might miss Bob's part entirely.

Simply hashing all of the public keys and user ids together into one
Alice+Bob-specific safety number has none of these problems, yielding
the same 100-bit preimage attack scenario, in only half the digits.

Can someone shed some light on this for me? :)

 - V

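As an added illustration (not code from the post, from Signal, or from WhatsApp), here is a toy Python model of the construction described in the message above. It is written to the post's own description rather than to the real implementation: the exact byte framing of the hash input, feeding the identity key back in on every stretching round, and the decimalize step (first 100 bits of the digest reduced mod 10^30 and zero-padded to 30 digits) are assumptions, and the keys and user ids are constructed stand-ins rather than real Curve25519 points. It computes the two-half safety number side by side with the single pair-specific hash the post proposes, so the property the post is asking about (Bob's half is the same no matter whom he talks to, whereas the combined number changes with the counterparty) can be checked directly.

```python
"""Toy model of the safety-number construction described in the post.

Added illustration only; not Signal's or WhatsApp's code. Assumptions,
marked below: byte framing of the hash input, re-appending the identity
key on every stretching round, and the decimalize step. Keys and user ids
are constructed stand-ins.
"""
import hashlib

ITERATIONS = 5200   # stretching rounds, as given in the post
DIGITS = 30         # 30 decimal digits ~= log2(10**30) ~= 99.7 bits


def stretch(identity_pub: bytes, user_id: bytes, iterations: int = ITERATIONS) -> bytes:
    """SHA512^iterations(id_pub + userid), as written in the post.

    Assumption: the public key is appended on every round so that each
    round depends on the key itself, not only on the running digest.
    """
    h = identity_pub + user_id
    for _ in range(iterations):
        h = hashlib.sha512(h + identity_pub).digest()
    return h


def decimalize(digest: bytes) -> str:
    """Render the first 100 bits of a digest as 30 decimal digits.

    Assumption: take 13 bytes (104 bits), drop the low nibble to get exactly
    100 bits, reduce mod 10**30 and zero-pad. 10**30 is just under 2**100
    (~1.27e30), so the reduction costs well under one bit of entropy.
    """
    top100 = int.from_bytes(digest[:13], "big") >> 4
    return f"{top100 % 10**DIGITS:0{DIGITS}d}"


def safety_number(my_pub: bytes, my_id: bytes, their_pub: bytes, their_id: bytes) -> str:
    """The scheme the post describes: my 30 digits || their 30 digits.

    Each half depends only on one party's key and id, so Bob's half is the
    same in every conversation Bob has.
    """
    return decimalize(stretch(my_pub, my_id)) + decimalize(stretch(their_pub, their_id))


def combined_safety_number(a_pub: bytes, a_id: bytes, b_pub: bytes, b_id: bytes) -> str:
    """The alternative the post proposes: one pair-specific 30-digit number.

    Assumption: the two (key, id) pairs are sorted before hashing so that
    both sides compute the same value regardless of who is 'me'.
    """
    first, second = sorted([(a_pub, a_id), (b_pub, b_id)])
    material = first[0] + first[1] + second[0] + second[1]
    h = material
    for _ in range(ITERATIONS):
        h = hashlib.sha512(h + material).digest()
    return decimalize(h)


def group(digits: str, size: int = 5) -> str:
    """Display helper: split a digit string into fixed-size groups."""
    return " ".join(digits[i:i + size] for i in range(0, len(digits), size))


if __name__ == "__main__":
    # Constructed stand-ins: 32-byte 'keys' and phone-number-like ids.
    alice = (bytes([0x01]) * 32, b"+14155550100")
    bob = (bytes([0x02]) * 32, b"+14155550101")
    carol = (bytes([0x03]) * 32, b"+14155550102")

    print("Alice<->Bob  (two halves):", group(safety_number(*alice, *bob)))
    print("Carol<->Bob  (two halves):", group(safety_number(*carol, *bob)))
    print("Alice<->Bob  (combined)  :", group(combined_safety_number(*alice, *bob)))
    print("Carol<->Bob  (combined)  :", group(combined_safety_number(*carol, *bob)))
```

Running it shows Bob's 30 digits repeated verbatim in both two-half numbers, while the two combined numbers share nothing; that is the structural difference the post is asking about, independent of whether its preimage-cost reasoning is the right way to weigh it.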