
For group messaging, Signal uses the sender keys protocol where each message is encrypted using a group symmetric key that's shared with all other members of the group.

My question is, how does Signal stop members of the group from impersonating each other? Say in the group there's Alice, Bob, and Charlie. Since Charlie has Alice and Bob's sender keys, he can send messages pretending to be either of them by encrypting it using their sender keys.

I assume this can be easily thwarted by making it so each message is digitally signed using the sender's private key, but this eliminates deniability, which is one of Signal's goals. Does anyone know what steps Signal takes to prevent impersonation amongst group members?

DerekKnowles

1 Answer


From what I've read, Signal prevents impersonation in group messaging while maintaining deniability through a combination of techniques:

  1. Each sender key is actually a pair of keys: a chain key for message encryption and a signing key unique to that sender in the group
  2. Messages are signed using the sender's signing key, but this signing key is ephemeral and group-specific, not the user's long-term identity key. This preserves deniability since the signing key is only known within the group context
  3. When a member joins a group, they create a new random signing keypair and distribute the public part along with their sender key. Other members associate this ephemeral public key with that sender for message verification
  4. Charlie can decrypt Alice and Bob's messages using their sender keys, but cannot forge messages as them since he doesn't have their group-specific private signing keys

This approach achieves both authentication (preventing impersonation) and deniability (since the ephemeral signing keys cannot be linked to users' identities outside the group context).

See more at https://signal.org/docs/specifications/x3dh/

suchislife
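An added illustration of the scheme the answer describes (this is not Signal's code nor either poster's): each member's sender key couples a symmetric chain key, which every member receives, with an ephemeral per-group Ed25519 signing key whose private half never leaves the sender, so a member who holds another's chain key can read their messages but cannot produce one that verifies as theirs. The HMAC chain step, the AES-GCM framing and the type and function names are simplified stand-ins and assumptions, not Signal's actual wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// SenderKey is one member's per-group state; the copies other members hold have SigPriv nil.
type SenderKey struct {
	ChainKey []byte            // symmetric chain key, shared with every group member
	SigPub   ed25519.PublicKey // public half of an ephemeral, group-specific signing key
	SigPriv  ed25519.PrivateKey
}
func NewSenderKey() *SenderKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ck := make([]byte, 32)
	rand.Read(ck)
	return &SenderKey{ck, pub, priv}
}
func kdf(ck []byte, label byte) []byte {
	h := hmac.New(sha256.New, ck)
	h.Write([]byte{label}) // label 1: one-time message key, label 2: next chain key
	return h.Sum(nil)
}
// gcm wraps a one-time message key in AES-256-GCM; keys are never reused, so a zero nonce is safe.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
func (s *SenderKey) Send(pt []byte) (ct, sig []byte) {
	mk := kdf(s.ChainKey, 1)
	s.ChainKey = kdf(s.ChainKey, 2)
	ct = gcm(mk).Seal(nil, make([]byte, 12), pt, nil)
	return ct, ed25519.Sign(s.SigPriv, ct) // signed with the group-specific key, not the identity key
}
// Receive verifies first: holding the chain key alone does not let a member pass as this sender.
func Receive(st *SenderKey, ct, sig []byte) ([]byte, bool) {
	if !ed25519.Verify(st.SigPub, ct, sig) {
		return nil, false
	}
	mk := kdf(st.ChainKey, 1)
	st.ChainKey = kdf(st.ChainKey, 2)
	pt, err := gcm(mk).Open(nil, make([]byte, 12), ct, nil)
	return pt, err == nil
}
```

The receiver's copy of a sender's state must be rebuilt from the distributed chain key and public signing key only; the `SigPriv` field is the one thing that decides who can be accepted as that sender.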