Researchers have developed a solution to a longstanding problem in the field of end-to-end encryption, a technique that ensures that only sender and recipient can read a message.
With current end-to-end encryption, if an attacker compromises a recipient’s device, they can then put themselves in a position to intercept, read and alter all future communications without sender or recipient ever knowing.
The new protocol, published in IEEE Transactions on Information Forensics and Security, forces attackers to leave evidence of any such activity and alerts users to take action.
Dr. Jiangshan Yu at the University of Luxembourg, Professor Mark Ryan at the University of Birmingham and Professor Cas Cremers at the University of Oxford, were motivated by the discovery of mass software vulnerabilities, such as the Heartbleed bug, that make the majority of devices vulnerable to compromise.
Dr Yu explained, “There are excellent end-to-end encryption services out there, but by definition they rely on your device itself remaining secure; once a device has been compromised there’s little we can do. That’s the problem we wanted to solve.”
Following Edward Snowden’s revelations about government mass surveillance, end-to-end encryption is now widely available through services such as Facebook’s WhatsApp. The approach uses pairs of cryptographic ‘keys’ for the sender to encrypt and the recipient to decrypt messages; anyone wanting to read your messages has to first hack into your phone to steal your latest keys. The attacker then performs a ‘Man-in-the-middle’ (MITM) attack, for example by taking control of your WIFI router to intercept your messages, and uses the stolen keys to impersonate you.
Current encryption protocols such as Signal used by WhatsApp make the most of the fact that a MITM attacker can only intercept messages sent via the compromised network. For example, as soon as you send a message via 3G…
Click here to read more