Score:2

Double Ratchet Algorithm: Active Man in the Middle Attack without Root-Key or Ratchet-Key


I am currently studying the Double Ratchet Algorithm from Signal (link to the documentation). I came across a security issue which I was not able to find mentioned anywhere.

I assume that an attacker is able to delay messages at the public channel. Let's say Alice and Bob are having a conversation via double-ratchet encrypted messages.

In the Double Ratchet, if an attacker has compromised a message key, it will be able to calculate the next message keys until the next Diffie-Hellman ratchet step.

But assume that the attacker compromises a sending-chain key / message key from Alice's sending ratchet. Because Alice sent the message, Bob might do another Diffie-Hellman ratchet step. The attacker could now stop all messages from Alice, so Bob never receives a message which indicates another Diffie-Hellman ratchet step. The attacker may now send as many messages as he wants to Bob. It just needs to calculate more message keys in the compromised sending chain.

This attack also assumes that the attacker knows how to calculate the associated data.

Does this attack actually work or am I missing anything?

Score:1

"In the Double Ratchet, if an attacker has compromised a message key, it will be able to calculate the next message keys until the next Diffie-Hellman ratchet step."

Look at the KDF (key derivation function) chain diagram on page 4. The key used to derive per-message encrypt/MAC keys is one half of the output of the KDF function. The other half is the KDF_key fed into the next KDF step. Compromising output_keys doesn't compromise the KDF chain, since the attacker needs the KDF_key to calculate further steps in the chain.

Supposing the attacker obtains one of the KDF_keys for the sending or receiving KDF ratchets, then they can compute future output keys and read/send messages. This is a known "problem" with the protocol.

This results in a “ping-pong” behavior as the parties take turns replacing ratchet key pairs. An eavesdropper who briefly compromises one of the parties might learn the value of a current ratchet private key, but that private key will eventually be replaced with an uncompromised one. At that point, the Diffie-Hellman calculation between ratchet key pairs will define a DH output unknown to the attacker.

The KDF_keys are Alice's secrets. The protocol could add additional secrets for Alice to keep and the attacker to steal, but that doesn't address the core problem of Alice leaking her secrets. That's what the DH-based KDF chain replacement stuff is supposed to do, so eventually, after some messages go back and forth, the attacker's stolen secrets are useless.

But this doesn't stop the attacker from using stolen secrets to pretend to be Alice if they can block messages between the two (or from Bob) so no new keys get derived.

Still, Bob might get suspicious that Alice has never received his messages but is replying to them if the protocol exposes the “ping-pong” behavior to the application to indicate Alice has received messages.
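The three situations discussed above (a leaked message key, a leaked chain key while Alice's messages are blocked, and a completed DH ratchet step that retires the stolen chain key), as an added, constructed example that is not part of the question, the answer or Signal's code. KDF_CK uses the HMAC-SHA256 construction the specification recommends; the root-key KDF, the cipher and the Diffie-Hellman step are simplified stand-ins (the DH output is modelled as a fresh random secret the parties share, standing in for the X25519 computation), and the associated data `AD` is a constructed placeholder. Skipped-message handling is omitted, so chains accept messages in order only.

```python
# Constructed toy of the Double Ratchet's symmetric-key chains (assumptions noted inline).
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple


def kdf_ck(ck: bytes) -> Tuple[bytes, bytes]:
    """KDF_CK as the spec recommends: (next chain key, message key) from one chain key."""
    return (hmac.new(ck, b"\x02", hashlib.sha256).digest(),
            hmac.new(ck, b"\x01", hashlib.sha256).digest())


def kdf_rk(rk: bytes, dh_out: bytes) -> Tuple[bytes, bytes]:
    """Root-chain step: (next root key, fresh chain key). Assumption: HMAC stand-in for HKDF."""
    prk = hmac.new(rk, dh_out, hashlib.sha256).digest()
    return (hmac.new(prk, b"root", hashlib.sha256).digest(),
            hmac.new(prk, b"chain", hashlib.sha256).digest())


def _keystream(mk: bytes, length: int) -> bytes:
    """Toy keystream (assumption, not the spec's AES-CBC/HMAC scheme)."""
    blocks = range(length // 32 + 1)
    return b"".join(hashlib.sha256(mk + b"enc" + i.to_bytes(4, "big")).digest() for i in blocks)


def seal(mk: bytes, ad: bytes, n: int, pt: bytes) -> Tuple[bytes, bytes]:
    """Encrypt-then-MAC with the message key; the MAC covers AD, counter and ciphertext."""
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(mk, len(pt))))
    tag = hmac.new(mk, ad + n.to_bytes(4, "big") + ct, hashlib.sha256).digest()
    return ct, tag


def open_(mk: bytes, ad: bytes, n: int, ct: bytes, tag: bytes) -> Optional[bytes]:
    expected = hmac.new(mk, ad + n.to_bytes(4, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(mk, len(ct))))


class Chain:
    """One symmetric-key ratchet: Alice's sending chain, or Bob's matching receiving chain."""

    def __init__(self, ck: bytes, n: int = 0):
        self.ck, self.n = ck, n

    def send(self, ad: bytes, pt: bytes) -> Tuple[int, bytes, bytes]:
        n, (self.ck, mk) = self.n, kdf_ck(self.ck)
        self.n += 1
        ct, tag = seal(mk, ad, n, pt)
        return n, ct, tag

    def receive(self, ad: bytes, n: int, ct: bytes, tag: bytes) -> Optional[bytes]:
        if n != self.n:                     # in-order only; stale or replayed counters rejected
            return None
        next_ck, mk = kdf_ck(self.ck)
        pt = open_(mk, ad, n, ct, tag)
        if pt is not None:                  # advance state only after the MAC verifies
            self.ck, self.n = next_ck, n + 1
        return pt


AD = b"alice-identity-key||bob-identity-key"   # constructed stand-in for the associated data


def setup() -> Tuple[bytes, bytes, Chain, Chain]:
    """Root key and first DH output modelled as secrets the parties already share (assumption)."""
    rk, ck = kdf_rk(secrets.token_bytes(32), secrets.token_bytes(32))
    return rk, ck, Chain(ck), Chain(ck)


def message_key_leak() -> bool:
    """Attacker holds one output key (mk_0) only: a forgery under the next counter is rejected."""
    _, ck, alice, bob = setup()
    _, mk0 = kdf_ck(ck)                      # the leaked per-message key
    n, ct, tag = alice.send(AD, b"hi bob")   # Alice legitimately uses mk_0
    bob.receive(AD, n, ct, tag)
    ct, tag = seal(mk0, AD, 1, b"forged")    # attacker cannot derive mk_1 from mk_0
    return bob.receive(AD, 1, ct, tag) is None


def chain_key_leak(forged: int) -> List[bytes]:
    """Attacker steals Alice's sending chain key, blocks Alice, and forges `forged` messages."""
    _, _, alice, bob = setup()
    n, ct, tag = alice.send(AD, b"hi bob")
    bob.receive(AD, n, ct, tag)
    mallory = Chain(alice.ck, alice.n)       # compromise point: chain key plus counter
    accepted = []
    for i in range(forged):                  # Alice's own messages are dropped, so Bob sees only these
        pt = bob.receive(AD, *mallory.send(AD, b"forged %d" % i))
        if pt is not None:
            accepted.append(pt)
    return accepted


def dh_step_closes_the_window() -> Tuple[bool, bool]:
    """Once Bob's receiving chain is replaced via a DH output the attacker never saw, the stolen
    chain key forges nothing; the attacker can only prevent that step by blocking the message
    that carries Alice's new ratchet public key, which is the blocking the question describes."""
    rk, _, alice, bob = setup()
    stolen_ck = alice.ck
    before = bob.receive(AD, *Chain(stolen_ck).send(AD, b"forged")) is not None
    _, new_ck = kdf_rk(rk, secrets.token_bytes(32))   # fresh DH output, modelled as a random secret
    bob = Chain(new_ck)                                # Bob's receiving chain is replaced
    after = bob.receive(AD, *Chain(stolen_ck).send(AD, b"forged again")) is not None
    return before, after
```

Note that `receive` derives the candidate message key first and commits the new chain key and counter only after the MAC verifies, so a rejected forgery does not desynchronise Bob's chain; and in `chain_key_leak` the forgeries succeed for as long as the attacker keeps the counter in step, which is exactly why blocking Alice's genuine messages is part of the attack.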
