Abstract
As people become more and more privacy conscious, the need for end-to-end encryption (E2EE) has become widely recognized. We study the security of SFrame, an E2EE mechanism recently proposed to the IETF for video/audio group communications over the Internet. Although it is quite a recent project, SFrame is going to be adopted by a number of real-world applications. We inspected the original specification of SFrame and found a critical issue that leads to an impersonation (forgery) attack by a malicious group member with practical complexity. We also investigated several publicly available SFrame implementations and confirmed that this issue is present in these implementations.
Acknowledgments
We are grateful to the SFrame designers (Emad Omara, Justin Uberti, Alex Gouaillard, and Sergio Garcia Murillo) for the fruitful discussion and feedback about our findings. We would like to thank the anonymous reviewers for their insightful comments, and Shiguredo Inc. for helpful discussion about real-world applications of end-to-end encryption. Takanori Isobe is supported by JST, PRESTO Grant Number JPMJPR2031, Grant-in-Aid for Scientific Research (B)(KAKENHI 19H02141) and SECOM Science and Technology Foundation.
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Isobe, T., Ito, R., Minematsu, K. (2021). Security Analysis of SFrame. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science, vol 12973. Springer, Cham. https://doi.org/10.1007/978-3-030-88428-4_7
DOI: https://doi.org/10.1007/978-3-030-88428-4_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88427-7
Online ISBN: 978-3-030-88428-4
eBook Packages: Computer Science, Computer Science (R0)