[Cryptography] Silly idea for WhatsApp MitM protection for the masses

Bill Cox waywardgeek at gmail.com
Fri Apr 8 16:02:58 EDT 2016


On Fri, Apr 8, 2016 at 10:29 AM, Trevor Perrin <trevp at trevp.net> wrote:

> On Fri, Apr 8, 2016 at 6:18 AM, Bill Cox <waywardgeek at gmail.com> wrote:
> >
> > - Users have to verify a 60 digit code rather than a 4 digit code to prove
> > there is no MitM
>
> No, there is a "Scan QR code" option.


Hi, Trevor.  Not that I'm an expert, but what I've seen so far of your
Noise Protocol looks good to me.  I recommended it as a potential solution
to a problem yesterday.  Do you know if the Noise Pipes implementation in
WhatsApp is open-source?  I think several of us on this list would like to
take a look and help WhatsApp find any implementation flaws.  Also, kudos
to the WhatsApp team for enabling end-to-end encryption by default.

The QR code feature is cool.  I doubt many users will use it.  I tried it
out yesterday with my dad, and it is simple enough to use, if you are in
the same location.

> - Use hash commitments and reduce their code to 4 digits
>
> That wouldn't work well, here.  WhatsApp provides asynchronous text
> messaging.  Alice can send initial messages to Bob when he is offline,
> and he might receive them when Alice is offline.
>
> Short-auth strings (SAS) require a 3-way handshake before the SAS is
> displayed.  So in the above case, Alice and Bob would be in an awkward
> "pending state", where they have sent or received messages but have no
> way of authenticating.  Using public-key fingerprints avoids this.
>

What if you only display the SAS (or something more interesting randomly
selected based on the SAS) after sending the second message?  I assume the
second message is better protected than the first message in any case,
since that's when ephemeral secrets are in place.

Bill
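
The commit-then-reveal SAS exchange discussed in this thread, sketched as an added example; it is not part of the original message and is not WhatsApp or Noise code. The class and function names, the SHA-256 commitment, the 16-byte nonces and the placeholder public keys are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def sas_digits(pk_a, pk_b, nonce_a, nonce_b, digits=4) -> str:
    """Short code both users compare; binds both keys and both nonces."""
    v = int.from_bytes(H(b"sas", pk_a, pk_b, nonce_a, nonce_b), "big")
    return str(v % 10**digits).zfill(digits)

class Initiator:  # "Alice" (hypothetical name)
    def __init__(self, pk: bytes):
        self.pk, self.nonce = pk, os.urandom(16)
    def msg1_commit(self) -> bytes:
        # Message 1: commitment only; key and nonce stay hidden for now.
        return H(b"commit", self.pk, self.nonce)
    def sas(self, pk_b: bytes, nonce_b: bytes) -> str:
        # Computable once message 2 has arrived.
        return sas_digits(self.pk, pk_b, self.nonce, nonce_b)
    def msg3_reveal(self):
        # Message 3: open the commitment.
        return self.pk, self.nonce

class Responder:  # "Bob" (hypothetical name)
    def __init__(self, pk: bytes):
        self.pk, self.nonce = pk, os.urandom(16)
        self.commit = self.peer = None
    def on_msg1(self, commit: bytes):
        self.commit = commit
    def msg2(self):
        # Message 2: Bob's key and nonce in the clear, sent after seeing the commitment.
        return self.pk, self.nonce
    def on_msg3(self, pk_a: bytes, nonce_a: bytes):
        if not hmac.compare_digest(self.commit, H(b"commit", pk_a, nonce_a)):
            raise ValueError("reveal does not match commitment")
        self.peer = (pk_a, nonce_a)
    def sas(self):
        # None models the "pending state": nothing to show before message 3.
        if self.peer is None:
            return None
        return sas_digits(self.peer[0], self.pk, self.peer[1], self.nonce)
```

The responder has no code to display until the third message arrives, which is the round-trip dependency the quoted reply contrasts with public-key fingerprints.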