Abstract by Tarun Yadav
Automating the Authentication Ceremony in Signal
End-to-end encryption is widely used in instant messaging applications like WhatsApp, Facebook, and Google Allo. The protocol used by these applications is vulnerable to an active attacker due to its reliance on a trusted key server. The current method to combat these attacks, known as the authentication ceremony, places the burden on users to manually verify each other's public keys. This process is time-consuming and confusing, and almost nobody adopts it. Our goal is to automate the authentication ceremony. In this talk, I will describe our research plan to (1) demonstrate that active impersonation and man-in-the-middle attacks are feasible by implementing them, (2) design solutions for automating the authentication ceremony, and (3) evaluate and compare how well each design defends against the attacks.