
I'm studying E2EE (end-to-end encryption) at the moment. I have come across the WhatsApp white paper and watched a very explanatory video on TextSecure (the precursor of today's E2EE messengers). I have a concern about how sender keys are handled in case a member leaves a group. The video doesn't mention this case (which is reasonable if the case is too detailed a section to be included in the talk). The WhatsApp white paper describes their approach as clearing all sender keys in such a case and starting to advertise sender keys over again. In this document, such an approach is mentioned as a way to ensure PCS (post-compromise security). It says: "Both properties require some form of key updating mechanism, and forward security requires secure state erasures to achieve. Additionally, protocols must secure group membership updates, namely removed members must not be able to read messages sent after their removal, and newly added members must not (by default) be able to read past messages."

In my opinion, removing the sender key of the leaving member and resetting all sender keys on the leaving member's side is sufficient (*). Given the fact that each member could have multiple devices, and given the number of members in the group, the WhatsApp approach seems excessive to me. I'm sure that (*) is an approach they have rejected, and I'm curious about the reason. Is there a possible attack that could harm PCS in approach (*)?

somehybrid
Huan

1 Answer


Let Alice, Bob and Charlie be in a group chat, and let Charlie be the leaving member. The reason why Alice and Bob need to erase their sender keys and start over is that all secret key material known by Charlie should no longer be in use after Charlie's removal. It is not sufficient that Charlie erases his state locally after being removed. Some examples:

  1. Charlie may be offline at the time he is removed, and so Alice and Bob will continue communicating with their previous keys, still known to Charlie when he comes online again.

  2. A malicious Charlie may decide not to erase the key material, or decide to make a copy of such key material, therefore maintaining read access to the group conversations.

  3. If Charlie is removed at time t1 and rejoins at a later time t2, messages sent between t1 and t2 should not be readable by Charlie. This is not the case if Alice and Bob do not refresh their keys at t1, since Charlie will again learn those keys at t2.

  4. If Charlie is compromised before he leaves (or before Alice or Bob remove him), the key material from Alice and Bob will be exposed before Charlie erases it. If Alice and Bob do not refresh their key material, they will not achieve any form of PCS.

In https://eprint.iacr.org/2023/1385.pdf, a more efficient form of key updates to achieve PCS upon a user's removal is proposed, which does not require all users to erase their keys and start over. To the best of my knowledge, this protocol has not been implemented in practice.

Hope this helps!
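The following is an added toy simulation of the situation in cases 1 and 2 above; it is not code from the original post, nor WhatsApp's or Signal's implementation. It models Sender Keys as a per-sender hash ratchet (chain key, per-message key derived by HMAC-SHA256) with a stand-in stream cipher plus MAC, and assumes the member names Alice, Bob and Charlie from the answer. `remove_naive` is approach (*) from the question, where only the leaver is expected to erase his state and Alice and Bob keep their keys; `remove_with_rotation` is the WhatsApp-style removal, where the remaining members also discard and re-advertise. Charlie is modelled as simply not erasing (offline or malicious), which is all that is needed to show the difference.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 as a one-way KDF for chain keys and message keys (hash ratchet)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def seal(msg_key: bytes, data: bytes) -> bytes:
    """Toy encrypt-then-MAC: XOR with an HMAC-derived keystream, 16-byte tag appended.
    Stand-in for the AES-CBC + HMAC used by real Sender Keys; not for production use."""
    stream = b"".join(kdf(msg_key, b"stream" + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    tag = hmac.new(kdf(msg_key, b"mac"), ct, hashlib.sha256).digest()[:16]
    return ct + tag


def open_(msg_key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-16], blob[-16:]
    expect = hmac.new(kdf(msg_key, b"mac"), ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("bad MAC: wrong or stale sender key")
    stream = b"".join(kdf(msg_key, b"stream" + i.to_bytes(4, "big"))
                      for i in range(len(ct) // 32 + 1))
    return bytes(a ^ b for a, b in zip(ct, stream))


class SenderKeyState:
    """One sender's symmetric ratchet: current chain key and index of the next message."""
    def __init__(self, chain_key: bytes):
        self.chain_key, self.counter = chain_key, 0

    def next_message_key(self):
        msg_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # one-way step: forward secrecy
        idx, self.counter = self.counter, self.counter + 1
        return idx, msg_key


class Member:
    def __init__(self, name: str):
        self.name, self.own, self.peers = name, None, {}  # peers: name -> SenderKeyState

    def rotate_sender_key(self) -> bytes:
        self.own = SenderKeyState(os.urandom(32))  # fresh key; caller distributes it
        return self.own.chain_key

    def install_sender_key(self, who: str, chain_key: bytes) -> None:
        self.peers[who] = SenderKeyState(chain_key)

    def forget(self, who: str) -> None:
        self.peers.pop(who, None)

    def encrypt(self, plaintext: bytes):
        idx, msg_key = self.own.next_message_key()
        return self.name, idx, seal(msg_key, plaintext)

    def decrypt(self, msg) -> bytes:
        sender, idx, blob = msg
        st = self.peers.get(sender)
        if st is None:
            raise KeyError(f"{self.name} holds no sender key for {sender}")
        if idx < st.counter:
            raise ValueError("message key already consumed")
        while True:  # ratchet forward until we reach this message's index
            i, msg_key = st.next_message_key()
            if i == idx:
                return open_(msg_key, blob)


class Group:
    def __init__(self, members):
        self.members = list(members)
        for m in self.members:
            self.distribute(m)

    def distribute(self, sender: Member) -> None:
        """Sender advertises a new key to every current member (pairwise sessions in Signal)."""
        ck = sender.rotate_sender_key()
        for m in self.members:
            if m is not sender:
                m.install_sender_key(sender.name, ck)

    def remove_naive(self, leaver: Member) -> None:
        """Approach (*): drop the leaver, keep everyone else's keys. The leaver's own
        erasure is deliberately not modelled: he may be offline or malicious (cases 1, 2)."""
        self.members.remove(leaver)
        for m in self.members:
            m.forget(leaver.name)

    def remove_with_rotation(self, leaver: Member) -> None:
        """WhatsApp-style removal: remaining members also discard and re-advertise keys."""
        self.remove_naive(leaver)
        for m in self.members:
            for other in self.members:
                other.forget(m.name)
        for m in self.members:
            self.distribute(m)


def can_leaver_read(rotate: bool) -> bool:
    """True if Charlie, who never erased anything, reads Alice's post-removal message."""
    alice, bob, charlie = Member("alice"), Member("bob"), Member("charlie")
    g = Group([alice, bob, charlie])
    assert bob.decrypt(alice.encrypt(b"hello")) == b"hello"  # group works before removal
    (g.remove_with_rotation if rotate else g.remove_naive)(charlie)
    msg = alice.encrypt(b"post-removal secret")
    assert bob.decrypt(msg) == b"post-removal secret"  # Bob, still a member, can read
    try:
        return charlie.decrypt(msg) == b"post-removal secret"
    except (KeyError, ValueError):
        return False
```

With `remove_naive`, Charlie's copy of Alice's chain key still ratchets forward to the new message index and the MAC verifies, so he reads the message; with `remove_with_rotation`, Alice's message is under a key Charlie never received, and his stale key fails the MAC check. The rejoin case (3) follows the same pattern: a member re-added at t2 receives fresh keys, so messages between t1 and t2 stay unreadable only if those keys differ from the ones he held at t1.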