Volume 15, Issue 3 (9-2023)                   itrc 2023, 15(3): 11-20 | Back to browse issues page


XML Print


Download citation:
BibTeX | RIS | EndNote | Medlars | ProCite | Reference Manager | RefWorks
Send citation to:

Mousavi S J, Chaharsooghi K, Montazer G A. Using Blockchain to Improve the Security Of The X3DH Key Exchange Protocol. itrc 2023; 15 (3) :11-20
URL: http://journal.itrc.ac.ir/article-1-562-en.html
1- Department of Information Technology, Faculty of Industrial Engineering Tarbiat Modares University Tehran, Iran
2- Department of Information Technology, Faculty of Industrial Engineering Tarbiat Modares University Tehran, Iran , skch@modares.ac.ir
Abstract:   (1792 Views)
First and most important step to making secure end-to-end encryption is key exchange. X3DH is one of the most used protocols to do that. It uses a trusted server to exchange keys. If the key exchange is secure then we have identification, authentication, integrity, non-repudiation, and confidentiality for messages. In X3DH, if the trusted server is compromised the entire end-to-end encrypted connection will be exposed. Transport Layer Security (TLS) is used for client-server communication. Therefore, the whole security is based on a certificate authority (CA) therefore there will be the single point of failure. In this paper, we proposed using blockchain as a trusted medium to exchange keys and identity authentication. The proposed method is based on the use of X3DH in instant messaging. This method improves the first step of the X3DH algorithm which includes authentication. This is the first time using blockchain directly to identify a user.
Full-Text [PDF 836 kb]   (738 Downloads)    
Type of Study: Research | Subject: Network

References
1. [1] B. Dean, "WhatsApp 2022 User Statistics: How Many People Use WhatsApp?," Backlinko, Jan. 05, 2022. https://backlinko.com/whatsapp-users (accessed May 07,2022).
2. [2] U. Gulacti and U. Lok, "Comparison of secure messaging application (WhatsApp) and standard telephone usage for consultations on Length of Stay in the ED," Applied clinical informatics, vol. 8, no. 03, pp. 742-753, 2017. [DOI:10.4338/ACI-2017-04-RA-0064] [PMID] []
3. [3] D. Cuddeford, "WhatsApp: Mobile Phishing's Newest Attack Target," Dark Reading, Aug. 28, 2018. https://www.darkreading.com/endpoint/whatsapp-mobilephishing-s-newest-attack-target (accessed May 07, 2022).
4. [4] D. Barda, R. Zaikin, and O. Vanunu, "FakesApp: A Vulnerability in WhatsApp," Check Point Research, Aug. 07, 2018. https://research.checkpoint.com/2018/fakesapp-avulnerability-in-whatsapp/ (accessed May 07, 2022).
5. [5] M. Vigo, "Compromising online accounts by cracking voicemail systems," ERSONAL HACKING PROJECTS, WRITEUPS AND TOOLS, Aug. 14, 2018. https://www.martinvigo.com/voicemailcracker/ (accessed May 12, 2022).
6. [6] K. Ullah, I. Rashid, H. Afzal, M. M. W. Iqbal, Y. A. Bangash, and H. Abbas, "Ss7 vulnerabilities-a survey and implementation of machine learning vs rule based filtering for detection of ss7 network attacks," IEEE Communications Surveys & Tutorials, vol. 22, no. 2, pp. 1337-1371, 2020. [DOI:10.1109/COMST.2020.2971757]
7. [7] J. Botha, W. C. Vant, and L. Leenen, "A comparison of chat applications in terms of security and privacy," in Proc. 18th Eur. Conf. Cyber Warfare Secur., 2019, p. 55.
8. [8] R. Abu-Salma et al., "The security blanket of the chat world: An analytic evaluation and a user study of telegram," 2017. [DOI:10.14722/eurousec.2017.23006]
9. [9] J. Cox, "NSO Group Pitched Phone Hacking Tech to American Police," Vice, May 12, 2020. https://www.vice.com/en/article/8899nz/nso-group-pitchedphone-hacking-tech-american-police (accessed Sep. 20, 2022).
10. [10] amnesty.org, "Forensic Methodology Report: How to catch NSO Group's Pegasus," Amnesty International, Jul. 18, 2021. https://www.amnesty.org/en/latest/research/2021/07/forensicmethodology-report-how-to-catch-nso-groups-pegasus/(accessed Sep. 20, 2022).
11. [11] T. Perrin, "The Noise Protocol Framework," noiseprotocol, Protocol Revision 34, Jul. 2018. Accessed: May 09, 2022. [Online]. Available: http://noiseprotocol.org/noise.pdf
12. [12] M. Marlinspike and T. Perrin, "The X3DH Key Agreement Protocol," Signal, Protocol Revision 1, Nov. 2016. Accessed: May 10, 2022. [Online]. Available:https://signal.org/docs/specifications/x3dh/x3dh.pdf
13. [13] T. Perrin and M. Marlinspike, "The Double Ratchet Algorithm," Signal, Algorithm Revision 1, Nov. 2016. Accessed: May 10, 2022. [Online]. Available:https://signal.org/docs/specifications/doubleratchet/doubleratchet.pdf
14. [14] C. Boyd and K. Gellert, "A Modern View on Forward Security," The Computer Journal, vol. 64, no. 4, pp. 639-652,Apr. 2021, doi: 10.1093/comjnl/bxaa104. [DOI:10.1093/comjnl/bxaa104]
15. [15] N. Rastogi and J. Hendler, "WhatsApp security and role of metadata in preserving privacy," arXiv Prepr. arXiv1701, vol. 6817, pp. 269-275, 2017.
16. [16] T. Carpay and P. Lontorfos, "WhatsApp End-to-End Encryption: Are Our Messages Private?," Retrieved, vol. 2, no.05, p. 2020, 2019.
17. [17] M. Bolli and P. Kofmel, "WhatsApp End-to-End Encryption," Seminar, Bern University of Applied Sciences, Bern,Switzerland, 2017.
18. [18] D. Van Dam, "Analysing the signal protocol," URL: ru. nl/publish/pages/769526/z00b_2019_thesis_dion_van_dam_2 019_eerder. pdf, 2019.
19. [19] Mozilla, "CA/WoSign Issues," MozillaWiki. https://wiki.mozilla.org/CA/WoSign_Issues (accessed Feb. 11,2022).
20. [20] sslshopper, "SSL Certificate for Mozilla.com Issued Without Validation," sslshopper, Jan. 01, 2008.https://www.sslshopper.com/article-ssl-certificate-formozilla.com-issued-without-validation.html (accessed Feb.11, 2022).
21. [21] microsoft, "Microsoft Security Bulletin MS01-017 - Critical," Microsoft Security Bulletins, Jun. 23, 2003.https://docs.microsoft.com/en-us/securityupdates/securitybulletins/2001/ms01-017 (accessed Feb. 11,2022).
22. [22] A. Arnbak and N. A. van Eijk, "Certificate Authority collapse: regulating systemic vulnerabilities in the HTTPS value chain,"2012. [DOI:10.2139/ssrn.2031409]
23. [23] J. Braun and G. Rynkowski, "The Potential of an Individualized Set of Trusted CAs: Defending against CA Volume 15- Number 3 - 2023 (10 -20) 19 [ Downloaded from ijict.itrc.ac.ir on 2024-05-14 ]Failures in the Web PKI," in 2013 International Conference on Social Computing, Sep. 2013, pp. 600-605. doi:10.1109/SocialCom.2013.90. [DOI:10.1109/SocialCom.2013.90]
24. [24] J. Braun, F. Volk, J. Buchmann, and M. Mühlhäuser, "Trust views for the web PKI," in European Public Key Infrastructure Workshop, 2013, pp. 134-151. [DOI:10.1007/978-3-642-53997-8_9]
25. [25] C. Soghoian and S. Stamm, "Certified lies: Detecting and defeating government interception attacks against SSL (short paper)," in International Conference on Financial Cryptography and Data Security, 2011, pp. 250-259. [DOI:10.1007/978-3-642-27576-0_20]
26. [26] M. Shen et al., "Blockchain-assisted secure device authentication for cross-domain industrial IoT," IEEE Journal on Selected Areas in Communications, vol. 38, no. 5, pp. 942-954, 2020. [DOI:10.1109/JSAC.2020.2980916]
27. [27] C. Li, Q. Wu, H. Li, and J. Liu, "Trustroam: A novel blockchain-based cross-domain authentication scheme for WiFi access," in International Conference on Wireless Algorithms, Systems, and Applications, 2019, pp. 149-161. [DOI:10.1007/978-3-030-23597-0_12]
28. [28] Z. Wang, J. Lin, Q. Cai, Q. Wang, D. Zha, and J. Jing, "Blockchain-based certificate transparency and revocation transparency," IEEE Transactions on Dependable and Secure Computing, 2020.
29. [29] R. Johari, S. Kalra, S. Dahiya, and K. Gupta, "S2NOW: Secure social network ontology using whatsApp," Security and Communication Networks, vol. 2021, 2021. [DOI:10.1155/2021/7940103]
30. [30] E. O. Abiodun, A. Jantan, O. I. Abiodun, and H. Arshad, "Reinforcing the security of instant messaging systems using an enhanced honey encryption scheme: the case of WhatsApp, "Wireless Personal Communications, vol. 112, no. 4, pp. 2533-2556, 2020. [DOI:10.1007/s11277-020-07163-y]
31. [31] P. Rösler, C. Mainka, and J. Schwenk, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema," in 2018 IEEE European Symposium on Security and Privacy (EuroS P), Apr. 2018, pp. 415-429. doi:10.1109/EuroSP.2018.00036. [DOI:10.1109/EuroSP.2018.00036]
32. [32] H. Hamdani et al., "The Proposed Development of Prototype with Secret Messages Model in Whatsapp Chat.," International Journal of Electrical & Computer Engineering (2088-8708),vol. 8, no. 5, 2018. [DOI:10.11591/ijece.v8i5.pp3843-3851]
33. [33] A. Ruggeri, A. Celesti, M. Fazio, A. Galletta, and M. Villari, "Bcb-x3dh: a blockchain based improved version of the extended triple diffie-hellman protocol," in 2020 Second IEEE International Conference on Trust, Privacy and Security inIntelligent Systems and Applications (TPS-ISA), 2020, pp. 73-78. [DOI:10.1109/TPS-ISA50397.2020.00020]
34. [34] A. Ruggeri, A. Galletta, A. Celesti, M. Fazio, and M. Villari,"An Innovative Blockchain Based Application of the Extended Triple Diffie-Hellman Protocol for IoT," in 2021 8th International Conference on Future Internet of Things and Cloud (FiCloud), Aug. 2021, pp. 278-284. doi:10.1109/FiCloud49777.2021.00047. [DOI:10.1109/FiCloud49777.2021.00047]
35. [35] btcinformation, "Bitcoin Developer Guide," Bitcoin information. https://btcinformation.org/en/developerguide#block-chain (accessed May 20, 2022).
36. [36] thereum.org, "Ethereum development documentation, "ethereum.org, May 20, 2022. https://ethereum.org (accessedMay 21, 2022).
37. [37] F. Lange, A. Toulme, and G. Ballet, "Ethereum Wire Protocol (ETH)." ethereum, 2015. Accessed: May 20, 2022. [Online].Available:https://github.com/ethereum/devp2p/blob/6b0abc3d956a626c28dce1307ee9f546db17b6bd/caps/eth.md
38. [38] subtly et al., "The RLPx Transport Protocol." ethereum, 2015. Accessed: May 20, 2022. [Online]. Available:https://github.com/ethereum/devp2p/blob/6b0abc3d956a626c28dce1307ee9f546db17b6bd/rlpx.md
39. [39] bitinfocharts, "Ethereum Block Time Chart," BitInfoCharts,2022. https://bitinfocharts.com/comparison/ethereumconfirmationtime.html (accessed Sep. 24, 2022).

Add your comments about this article : Your username or Email:
CAPTCHA

Send email to the article author


Rights and permissions
Creative Commons License This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.