SPLICE

Messaging applications such as WhatsApp, iMessage, and Signal provide end-to-end encryption, which secures communications from eavesdroppers using public-key cryptography. In public-key cryptography, if you know someone’s public key, you can message them securely. But how do you find out someone’s public key? In popular messaging services, the app looks it up in the service’s database based on your contact’s phone number. However, the server can respond to this lookup with the wrong key and execute a meddler-in-the-middle attack, allowing someone to read your messages despite the encryption. To prevent this from happening and keep the server honest, users are supposed to meet in person and compare “fingerprints” of their public keys. Very few people do this, despite attempts to make this process more usable. 

This paper explores a new, more user-friendly idea for verification, called incidental incremental in-band fingerprint verification (I3FV). In this approach, users periodically share with their friends photos or videos of themselves responding to simple visual or behavioral prompts (“challenges”). Importantly, not all such “challenges” are available to every user each day— instead, their availability is determined by the user’s key fingerprint. Therefore, which challenge someone completes reveals a small portion (e.g., one bit) of their fingerprint. To perform validation, recipients are asked a simple question to disambiguate which of the day’s challenges the sender completed. As this process repeats over time, the full fingerprint is gradually verified. 

To learn more, check out the paper! You can find additional SPLICE publications on our Zotero page.

Nathan Malkin. 2023. Incidental Incremental In-Band Fingerprint Verification: a Novel Authentication Ceremony for End-to-End Encrypted Messaging. In Proceedings of the 2022 New Security Paradigms Workshop (NSPW ’22). Association for Computing Machinery, New York, NY, USA, 104–116. https://doi.org/10.1145/3584318.3584326