Hardening Guaranteed End-to-End encryption based on a security analysis from ETH researchers

March 25, 2024 by holga, link2xt

We released guaranteed end-to-end encryption in November 2023 and were in for a pleasant surprise three months later. The Applied Cryptography Group at ETH Zurich handed us a cryptographic security analysis of our SecureJoin protocol implementation which is the basis of Delta Chat’s guaranteed end-to-end encryption mechanisms. We subsequently fixed 20 identified issues that became part of the v1.44 release but only disclose it now because we first wanted Delta Chat apps with all fixes to be available on all stores.

We’d like to thank the ETH researchers Yuanming Song, Lenka Mareková and Kenneth G. Paterson for their thorough work and their forthcoming communication to resolve questions and review patches. What follows is a timeline and some brief technical discussions of our hardening efforts in response to the cryptographic analysis about which the researchers published separately and in more detail.

Disclosure Timeline

Hardening E-mail Header protections and encryption

Standard OpenPGP e-mail encryption protects message contents, but not message headers such as From, To and Subject fields. To protect Subject header Delta Chat and other email clients such as Thunderbird and K-9 Mail replace Subject with “…” or “Encrypted Message” and place real Subject into the encrypted part of an e-mail message. However, while they place From header into encrypted part as well, they do not take any headers other than Subject out of the encrypted part.

Starting with version v1.44 Delta Chat extends protection to several important headers, mitigating all attacks identified in the ETH report:

Gossip key injection

Delta Chat’s implementation of SecureJoin allows members to introduce new contacts by sending a key they trust into a guaranteed E2EE group via Autocrypt-Gossip. The reported gossip key injection problem was that recipients always verified the most recent gossiped key stored, but did not update it if gossip was coming from an old message. This was fixed by explicitly passing the key that should be verified around.

Identity-misbinding attack

The newly protected From header ensures that an attacker cannot take an encrypted message and present it as sent by themselves. But it is still possible to do something the other way round: take a message sent by someone else and send it to a different recipient. This can be regarded as message forwarding, but in the case of the SecureJoin protocol this is dangerous. To prevent such misbinding attacks we check that each encrypted SecureJoin message contains the fingerprint of the intended recipient inside encrypted part as an Autocrypt-Gossip key. Prior Delta Chat versions already sent this key fingerprint in SecureJoin messages, but since v1.44 Delta Chat we will stop processing messages if there is a mismatch (612aa143).

Synchronization forgery

We don’t parse “own” Autocrypt headers anymore for outgoing messages. This fixes a synchronization forgery attack that allowed an attacker controlling an e-mail server to inject synchronization messages sent between a user’s multiple devices to synchronize some settings, contact and chat state as well as invite codes.

Disabled compression for SecureJoin messages

Compression and encryption don’t interact well because compressed message size leaks information about message contents. Web servers disable compression due to attacks such as BREACH. Practical attacks require the ability to trigger generation of a large amount of messages, so compression is less of a concern for regular chat messages and attachments. However, SecureJoin protocol messages are sent automatically, so we disabled compression for them to prevent potential attacks.

Delta Chat v1.44 does not log QR code contents or invite links anymore. Delta Chat logs stay on the device, but sometimes users send them to developers or post on the forum when reporting bugs. Not including QR codes into logs ensures that nobody can join groups by following an invite link from the log.

rPGP improvements

The rPGP library is the end-to-end encryption engine used and originally developed in the context of Delta Chat, but also used standalone via the “pgp” Rust crate by other projects. Three issues reported by ETH relate to rPGP and were fixed there ahead of the Delta Chat v1.44 releases.

Autocrypt Setup Message plaintext encryption

The Autocrypt Setup Message is a message sent to self that contains a secret key encrypted with an auto-generated passphrase that a user needs to manually copy from one device (and app) to another.

Due to a bug in rPGP it was possible to send an unencrypted Autocrypt Setup Message such that any passphrase results in successful decryption. This could be used to trick users into importing secret keys of an attacker as their own. This issue of Autocrypt Setup forgery is fixed by treating unencrypted Autocrypt Setup Messages as invalid. We additionally now require that Autocrypt Setup Message is self-sent. Autocrypt Setup Message can only appear in the “Saved messages” chat now.

Note that Autocrypt Setup Message support was added at the end of 2017. Since Delta Chat v1.36 (released in March 2023) there is an option to setup a second device by scanning a QR code triggering a full account transfer (not just the key) over the network. It is thus generally preferable to use the “add second device” work flow between Delta Chat apps.

Compression quine

OpenPGP standard allows construction of complex message structures consisting of several levels of encryption, signing and compression. Delta Chat composes encrypted messages by signing them, then compressing, and then encrypting. However, when receiving encrypted messages, Delta Chat cannot assume that received messages are that simple.

One particularly interesting trick is possible because OpenPGP allows compressed messages to contain compressed messages inside. Due to the way compression algorithms work, it is possible to compose messages that decompress to themselves, also known as compression quine. Attempting to process such messages results in trying to decompress the same message over and over.

The new version of rPGP 0.11 does not allow more than one level of compression. Attempts to decrypt such messages now results in a controlled decryption failure rather than a crash.

Quick check

rPGP 0.11 also fixes an issue discovered during a previous rPGP security audit. While it does not affect Delta Chat, we addressed the issue by disabling the quick check mechanism.

Conclusion: more confidence that guaranteed E2EE encryption is safe

While Delta Chat has contracted four independent security audits, the cryptographic analysis of the “Applied Crypto” group from ETH went much deeper and uncovered many issues. Most of our fixes were relatively small changes because the main work was done by the researchers and involves thinking about all the details of what goes over the wires, what can be replayed or modified for abusive purposes. While no conceptual issues were found it is known that “invite links” or “QR codes” for establishing guaranteed end-to-end encryption should be privately transferred and we intend to enforce this by implementing “invite” code expiration in one of the following releases.

Overall, thanks to the ETH researchers, the 1.44 releases come with raised confidence that Delta Chat’s End-to-End encryption guarantees hold against network and server attackers. Conversely, guaranteed end-to-end encryption allows to use e-mail addresses without having to trust server operators, marking a radical departure from the traditionally required trust that users need to have in e-mail providers. Guaranteed E2EE particularly fits well with using chatmail providers even if one doesn’t know or can’t trust the operators, because no private data is collected and guaranteed encryption keeps messages and chat groups safe.

Show Comments

You can reply on any Fediverse (Mastodon, Pleroma, etc.) website or app by pasting this URL into the search field of your client: