When designing any system like Talaria, it’s very important to think about the ways it might be attacked. As we’ve explained in broad strokes here and here, Talaria uses a number of different mechanisms in concert to prevent those attacks.
The first scenario to think about involves someone who doesn’t already use Talaria at all. As part of the protocol we send an encrypted SMS message to a user to make sure that they have control of the phone number they say they do. In this first scenario, that message gets blocked and never arrives. The thing to note about this attack is that whilst it prevents someone from using the system, it doesn’t mean that your chat can be read by an unscrupulous actor. At the very least this can be detected, and you know there is something wrong.
The next scenario is where someone who has access to the telephone infrastructure pretends to be you. This is a difficult problem: if you’ve never registered to use the system, they can, in the first instance, pretend to be you. This attack is limited to someone who can manipulate the telephone infrastructure, and detecting it relies upon the person the attacker is talking to (while pretending to be you) realizing that they are not talking to their real friend. This is a risky strategy and is likely to be detected when you talk to your friend. One of the things the Talaria application does is that, whilst this negotiation is going on, it will ask if you want to call the person you’re chatting to, to make sure that they are in fact using Talaria. “Hey Jim, says here you’ve just started using Talaria, is that true?”
The next scenario is where someone can intercept the text message and return the verifier. This is of no use to someone as the request has to be signed and sent using the same secret key that only resides on your phone. We reject messages which aren’t signed by you. So someone can’t fail the verification process on your behalf.
The other scenario is that Katy the Kidnapper gets us to change our software so that everything we send between Alice & Bob goes to them too, or so that we leak the secret key for the channel. To combat that, we give away the tools with which you, using your keys, can decrypt all their messages. That would be quickly found out, and that’s very risky.
But what if someone compelled us to help them? They’ve kidnapped our family and we have no choice but to help them. The first attack we can think of like this is where they get our private key from us. That means they can now impersonate us, capturing all your traffic and sending it to their system. They can forge the public keys of your friends and publish new ones. The thing is, your friends will get warned about this when they are given new keys, and can choose to accept you or call you to ask what’s happened.
But what happens if they publish fake keys for both you and your friend? Let’s say Alice wants to talk to Bob, and they both use the system to publish their public keys so they can sort out channels. Except when they look each other up, they get a fake key from Harry the Hacker & Katy the Kidnapper. They both negotiate a secret channel with Harry, and Harry just switches out the communications on both ends and forwards them on. This is a tricky problem. You might be wondering why we don’t just publish the man-in-the-middle attacker’s fake key. The risk with that is that the more people involved in the process, the more likely it is that they’ll get found out. Either way, we’ve got a man-in-the-middle attack here.
What they can’t do in this scenario is change the key that you have on your phone. So the way to deal with that is for you to somehow find out their real key on their phone. You generated that, and for whatever reason they can’t risk hacking into your phone. We’ll discuss the distributed key check protocol in the next post, but in short, you can enable the app to ask others you chat with to check the keys of other people you talk to, automatically and on demand. That way Harry the Hacker & Katy the Kidnapper have to start impersonating everyone in your network and acting as a go-between for all the communications in and out of your phone, and because they need to be a man in the middle for all of your channels, it increases the risk that they’ll get caught doing it.
This is what the system does automatically. If you have an NFC device, simply touch your device to that of a friend using Talaria and they’ll check all your keys for you to make sure nobody is impersonating them to you.
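The key-change warning and the peer key check described above can be sketched as follows. This is an added example, not Talaria’s code or its distributed key check protocol (which this post leaves to a later one); the function names, verdict strings and sample keys are assumptions made for illustration.

```python
import hashlib
from typing import Dict, Optional

# Constructed sample keys: Bob's real key lives on his phone; Harry's is the forgery.
BOB_REAL = b"constructed-public-key-bob"
HARRY_FAKE = b"constructed-public-key-harry"

def fingerprint(public_key: bytes) -> str:
    """Full SHA-256 fingerprint of a public key, used for comparison."""
    return hashlib.sha256(public_key).hexdigest()

def check_contact_key(served_key: bytes,
                      pinned_fp: Optional[str],
                      peer_fps: Dict[str, str]) -> dict:
    """Judge the key the directory served for a contact (hypothetical helper).

    pinned_fp: fingerprint stored the last time we talked to them (None on first use).
    peer_fps:  peer name -> fingerprint that peer holds for the same contact.
    """
    served_fp = fingerprint(served_key)
    disagreeing = sorted(p for p, fp in peer_fps.items() if fp != served_fp)
    if pinned_fp is not None and pinned_fp != served_fp:
        verdict = "key-changed"    # warn the user; they can call the contact
    elif disagreeing:
        verdict = "peer-mismatch"  # a peer holds a different key: possible MITM
    elif peer_fps:
        verdict = "confirmed"      # every peer holds the same key we were served
    else:
        verdict = "unverified"     # first use and nobody to cross-check with
    return {"verdict": verdict, "served": served_fp, "disagreeing_peers": disagreeing}

if __name__ == "__main__":
    real = fingerprint(BOB_REAL)
    # Alice looks Bob up for the first time and is served Harry's key.
    print(check_contact_key(HARRY_FAKE, None, {})["verdict"])
    # Carol holds the key from Bob's phone, so the forgery stands out.
    print(check_contact_key(HARRY_FAKE, None, {"carol": real})["verdict"])
    # Alice had pinned Bob's real key before the directory was tampered with.
    print(check_contact_key(HARRY_FAKE, real, {})["verdict"])
```

A "confirmed" verdict is only as strong as the independence of the peers: it holds as long as the attacker is not also sitting in the middle of the channels those peers use.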
These are just some of the attacks we’ve thought through (there are a lot of ways, and there are a lot of very intelligent and capable people out there who’d do it). We’ll be talking a bit more about how we guard against these things in future posts.