
How secure is TextSecure? - zorked
https://eprint.iacr.org/2014/904
======
tptacek
There are three concerns raised in this paper.

The first (A) is that TextSecure truncates SHA-2 hashes and, particularly,
HMAC-SHA2 MACs. MAC truncation is extraordinarily common and is a design goal
for most authenticated encryption schemes. So far as anyone knows, truncation
of SHA-2 hashes and HMAC-SHA2 MACs is completely safe; that is, HMAC-SHA2
isn't somehow less safe when truncated than GCM or Poly1305.

The second (B) is that the authors believed TextSecure to have swapped some of
the parameters for the HMAC algorithm. Moxie has asserted that this is a
mistake by the paper authors, and that TextSecure uses HMAC conventionally.

The third (C, and most of the rest of the paper) is an identity misbinding
attack. An identity misbinding attack happens when it becomes possible for
Mallory to present Alice's public key to Bob instead of her own, and have Bob
reply with a message encrypted to Mallory-seeming-Alice. Mallory can't decrypt
the message, but because it's encrypted to a key Alice has, Alice might act
based on the message contents. Identity misbinding problems are endemic to
public-key cryptography. They are a real issue for protocols in which
computers chat with each other and take action (like, authorizing an HTTP
request) based on identities. They are less of an issue in chat protocols. Of
particular importance, contextually: every other chat protocol has much, much
worse key management problems.

Brian Smith says that this paper has value as part of a formal conversation
about the security properties of TextSecure. I'm not qualified to evaluate
that statement. I don't see anyone saying the paper has practical import for
TextSecure or its users. TextSecure remains the best thing out there, I think.

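An added illustration of the identity misbinding described in (C), not code from the paper, from TextSecure, or from anyone in the thread: it uses a constructed toy DH group (a Mersenne prime, not a secure choice) and a MAC in place of real encryption. Mallory hands Bob Alice's public key as her own; Bob's reply is then checkable by Alice, unless the identities each side believes it is talking to are bound into the key derivation.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example only (not secure):
# a Mersenne prime modulus and a small generator.
P = 2**127 - 1
G = 3


def keygen():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(my_priv, their_pub, my_name, their_name, bind_identities):
    """Derive a 32-byte key from the DH secret.  With bind_identities=False the
    key depends only on the two public keys (the shape the misbinding concern is
    about); with True, the identities each party *believes* it is talking to
    are mixed into the derivation, so mismatched views give different keys."""
    shared = pow(their_pub, my_priv, P).to_bytes(16, "big")
    info = b"|".join(sorted([my_name, their_name])) if bind_identities else b""
    return hmac.new(shared, b"session" + info, hashlib.sha256).digest()


def seal(key, msg):
    """Toy stand-in for encryption: an 8-byte truncated HMAC tag plus message."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8] + msg


def open_(key, blob):
    """Return the message if the tag verifies under key, else None."""
    tag, msg = blob[:8], blob[8:]
    return msg if hmac.compare_digest(tag, seal(key, msg)[:8]) else None


def misbinding_demo(bind_identities):
    """Mallory registers Alice's public key as her own and talks to Bob.
    Returns True if Alice can open the reply Bob intended for Mallory."""
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    # Bob believes his peer is "mallory" but was handed alice_pub.
    k_bob = session_key(bob_priv, alice_pub, b"bob", b"mallory", bind_identities)
    reply = seal(k_bob, b"approved")
    # Alice believes she is talking to Bob.
    k_alice = session_key(alice_priv, bob_pub, b"alice", b"bob", bind_identities)
    return open_(k_alice, reply) is not None
```

With bind_identities=False Alice accepts Bob's reply to "Mallory"; with True the derived keys differ and the tag check fails.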
~~~
BlueMatt
(B) used to be correct (there were some constants used in the HMAC which are
supposed to be 1/2 but were actually 0/1; of course this makes no difference
practically to security), but this has been changed in more recent versions.

~~~
BlueMatt
Ehh, seems they were talking about different HMAC parameters and I was
thinking about the HKDF... sorry (see the moderncrypto discussion for more).

------
justcommenting
This sort of analysis underscores how different TextSecure is from the growing
number of snake-oil/backdoored messaging applications out there.

Kudos to moxie and team for building usable free software; it's so much harder
to build something that people can use than it is to criticize others' work.

~~~
mayneack
I've got my parents using TextSecure - apart from a periodic MMS bug, they
basically can't tell the difference. It's really good.

~~~
fbboisclair
I can also confirm the simplicity; my wife uses it all the time. It is simple
to use.

~~~
rquirk
It's a pain that it supports SMS. I wish they would make a TextSecure that
completely dropped all SMS sending support. As it is, having legacy SMS makes
it trickier to use than WhatsApp, since TextSecure "randomly" sends SMSs (e.g.
when your data drops out). If SMS costs you money then this is a deal breaker
for using it with less tech-savvy family members.

~~~
finnn
So obviously that's not the ideal solution; the ideal solution is to have an
option to disable sending SMSs. Most people (at least in the US) have
unlimited or nearly unlimited SMS with every plan, so sending an SMS doesn't
really matter. For those that it does matter for, they could simply disable
SMS. In fact, this is such an obvious solution that I went to check if it was
there already and what do you know? It is. "Allow outgoing SMS to" has a
checkbox to allow outgoing SMS, to prompt before sending an SMS to another
TextSecure user, etc.

~~~
rquirk
I know that, and I can fiddle with settings and get it working as I like.
Family members less so.

There are many data plans in Europe where SMSs are charged at rip-off rates
and are something to be avoided. Even just the risk of sending SMS is enough
to put anyone off using the application. Especially when competing solutions
work as expected - i.e. they will not send SMS at all, ever.

------
diafygi
Thread in Modern Crypto: [https://moderncrypto.org/mail-archive/messaging/2014/001029.html](https://moderncrypto.org/mail-archive/messaging/2014/001029.html)

------
dharma1
On a related note, anyone use RedPhone?

What if TextSecure and RedPhone were installed by default on a mobile
operating system?

~~~
higherpurpose
Either that, or Google (or Microsoft or Apple) could use the same protocols as
well for end-to-end encryption of voice and chats. And yes, hell could freeze
over, too.

~~~
maaku
Hell will freeze over, eventually. Expanding universe ftw.

