Title: Security and Privacy of Secure Messaging Services
Language: English
Authors: Boll, Andreas 
Keywords: Wire; Secure Messaging; End-to-End Encryption; Security; Privacy; Metadata
Advisor: Weippl, Edgar 
Assisting Advisor: Merzdovnik, Georg 
Issue Date: 2020
Number of Pages: 70
Qualification level: Diploma
Abstract: 
End-to-end encryption has become a requirement for secure messaging, which has improved a lot since Signal introduced the Double Ratcheting algorithm for end-to-end encryption. Although metadata is often needed by service providers to fulfill their tasks, i.e. forward messages, it is usually not end-to-end encrypted. Another problem is that most mobile messaging apps depend on phone numbers as unique identifiers. However, it is increasingly difficult to acquire anonymous prepaid cards. Further, contact discovery often works via upload of the address book to the server, exposing sensitive data.

Motivated to find a messaging service that does not have the above-mentioned drawbacks, this thesis shows how to evaluate the security and privacy of secure messaging services. For this, a case study of Wire was conducted and compared to other services, i.e. Signal. The main questions answered in this thesis are (1) how can the security of the Wire protocol be evaluated, (2) how does Wire perform in trust establishment, conversation security and transport privacy compared to Signal and (3) how much metadata does Wire expose?

To do this, a test setup with a self-hosted Wire server without AWS dependencies was built to inspect the Wire protocol, the REST API and the database, particularly for metadata. The Wire protocol was evaluated regarding trust establishment, conversation security and transport privacy. To help understand the Wire protocol, a Pidgin plugin was developed which implements most features of Wire's protocol to support end-to-end encrypted messaging. Further, the production environments of Wire's and Signal's official servers were analyzed with a focus on TLS security, HTTP security headers and cookie security. To conclude, Wire has a good security level but has room for several improvements. Especially trust establishment and its usability should be advanced. Furthermore, Wire does expose a lot of metadata which should be reduced.
URI: https://resolver.obvsg.at/urn:nbn:at:at-ubtuw:1-136677
http://hdl.handle.net/20.500.12708/1313
Library ID: AC15631494
Organisation: E194 - Institut für Information Systems Engineering 
Publication Type: Thesis
University thesis
Appears in Collections: Thesis

Files in this item:

File: Security and Privacy of Secure Messaging Services.pdf (871.7 kB, Adobe PDF)
Items in reposiTUm are protected by copyright, with all rights reserved, unless otherwise indicated.