Master's Theses

Available Projects

Students interested in a thesis with the group are kindly requested to send their transcript of records, along with a CV highlighting any relevant experience in cryptography, and either a preferred topic from the proposals below or a description of their interests within cryptography, to the contact noted under Student Projects.

Note: Students looking to start their thesis in a particular semester are encouraged to reach out to us before the end of the previous semester.

Ongoing Projects

(We recommend that students currently doing a project in our group use this LaTeX template for writing their thesis.)

(Supervisor: Prof. Kenny Paterson, Joint Supervisors: Matilda Backendal, Matteo Scarlata)

Encryption is now the norm for Internet browsing (via TLS), and end-to-end encryption (E2EE) is increasingly the norm for messaging as well (apps such as WhatsApp and Signal are end-to-end encrypted by default). Somewhat surprisingly, services that offer outsourced data storage, such as cloud storage and collaborative file editing platforms, still lag behind. One explanation might be the complexity that arises from the persistence of data, which makes it difficult to use ephemeral key material to achieve strong security guarantees such as forward secrecy (FS) and post-compromise security (PCS). Another is the lack of formal security models for even basic E2E security of outsourced data storage that supports functionality such as file sharing between users. In particular, the number of potential end-points arising from file sharing makes E2EE cloud storage considerably more complex than single-client settings.

This complexity also exists in messaging: protocols for secure two-party messaging (such as the Signal protocol) have been around for quite some time, but a protocol for E2EE group chats, Messaging Layer Security (MLS), was only recently standardized [rfc9420]. One of the main motivations for MLS was to make E2E security for messaging in groups of size n more efficient than the naive construction of order n^2 pairwise two-party channels, while still retaining the strong security guarantees, including forward secrecy and post-compromise security, that we expect from modern secure messaging protocols.

In this project, we will explore the possibilities for more advanced security guarantees for file sharing systems in the E2EE setting. In particular, we will aim to tackle the conflict between the required functionality (including persistent data access, and flexible group and access management) and strong security guarantees such as FS and PCS. Our initial attempt at a solution, which we call the "secure shared folder" (SSF) scheme, combines recent advances in group messaging from the MLS standard with a form of key ratcheting known as key regression [NDSS:FuKamKoh06]. The aim of this project is to test the practicality of the SSF scheme by implementing a proof-of-concept file sharing system based on this cryptographic design.
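As an added illustration (not code from the SSF design or from the key regression paper itself), the following Python sketch shows a hash-chain key regression in the spirit of the KR-SHA1 construction of Fu, Kamara and Kohno, and why that primitive fits persistent shared data: a member who joins at version 5 can still read a file written at version 2, while a member removed after version 3 cannot compute the version-5 key. The folder, file and member names, the chain length, and the seed are constructed for the demo.

```python
# Added illustration, not part of the SSF design or of [NDSS:FuKamKoh06] itself:
# a hash-chain key regression in the spirit of the KR-SHA1 construction from
# Fu, Kamara and Kohno, to show why key regression fits persistent shared data.
import hashlib


def _h(tag, data):
    """Domain-separated SHA-256; the tag keeps chain states and content keys apart."""
    return hashlib.sha256(tag + data).digest()


def publisher_setup(seed, max_versions):
    """Publisher (folder owner) side.

    Precompute member states stm[0..max_versions-1] by hashing backwards from a
    random seed, so that stm[i] = H(stm[i+1]). Holding stm[i] lets a member
    recompute stm[i-1], ..., stm[0]; nothing lets anyone compute stm[i+1].
    The owner hands out stm[i] while the folder is at version i and "winds"
    to version i+1 on every membership change.
    """
    states = [None] * max_versions
    states[-1] = seed
    for i in range(max_versions - 2, -1, -1):
        states[i] = _h(b"chain", states[i + 1])
    return states


def content_key(state):
    """Content key of one version; derived under a separate tag so that a leaked
    content key does not expose the chain state it came from."""
    return _h(b"key", state)


def unwind(state, have_version, want_version):
    """Member side: from stm[have_version], derive the content key of an earlier version."""
    if want_version > have_version:
        raise ValueError("key regression is one-way: future keys cannot be derived")
    s = state
    for _ in range(have_version - want_version):
        s = _h(b"chain", s)
    return content_key(s)


def derivable_keys(state, have_version):
    """Everything a member (or an attacker holding that member's state) can compute."""
    return {unwind(state, have_version, v) for v in range(have_version + 1)}


def shared_folder_scenario():
    """Constructed scenario. Returns (newcomer_reads_old_file, removed_member_reads_new_file)."""
    # Constructed seed; a real publisher draws it from os.urandom.
    seed = hashlib.sha256(b"demo seed for the scenario").digest()
    stm = publisher_setup(seed, max_versions=8)

    # Version 2: a file is stored encrypted under the version-2 content key.
    file_key_v2 = content_key(stm[2])

    # Version 5: Alice is added and receives only the current state stm[5].
    # She still reads the old file, because old keys are derivable from newer state.
    alice_can_read_old = unwind(stm[5], 5, 2) == file_key_v2

    # Bob was removed after version 3; the owner wound to version 4 and beyond.
    # A file re-encrypted under the version-5 key is outside everything Bob can compute.
    bob_keys = derivable_keys(stm[3], 3)
    bob_can_read_new = content_key(stm[5]) in bob_keys

    return alice_can_read_old, bob_can_read_new


if __name__ == "__main__":
    print(shared_folder_scenario())  # (True, False)
```

Two caveats the sketch makes visible. First, revocation is lazy: a removed member loses access only to data re-encrypted under a newer key, so files that are never rewritten stay readable with the old key. Second, compromise of any current member state reveals every earlier key by design, since members must be able to read history; this is exactly why forward secrecy for persisted data is in tension with the functionality the paragraph describes, and why the SSF design has to combine key regression with the MLS group key material rather than use it alone.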

(Supervisor: Prof. Kenny Paterson, Joint Supervisors: Matteo Scarlata, Matilda Backendal)

With more and more data stored online or distributed across multiple devices, an increasing number of security-sensitive applications face the challenge of combining availability with user-friendly key management. The traditional solution is passwords, for both authentication and key derivation.

Passwords often have low entropy, come from a small and predictable "dictionary" and may be highly correlated. Consequently, password-only authentication to web services is being phased out. Instead, users are offered a two-step verification process in which they must provide a second "factor" in addition to their password, giving a second layer of protection in the case of weak passwords. This is known as Two-Factor Authentication (2FA) or, more generally, Multi-Factor Authentication (MFA).

In contrast, passwords are still commonly used as the sole secret from which encryption keys are derived, via Password-Based Key Derivation Functions (PBKDFs). Examples include full disk encryption, client-side encryption of backups and cloud storage, password managers and cryptocurrency wallets.

In this project, we harden password-based key derivation by exploiting the user's possession of multiple devices, in a similar fashion to MFA. We take inspiration from the tradition of "PRF services", such as Pythia (Everspaugh, Chatterjee, Scott, Juels, Ristenpart 2015), but port them to the setting where the PRF service is operated by the users themselves, and can be lost or fall into adversarial hands. We design a cryptographic notion to capture the security of key derivation in this setting. We then aim to show that our system achieves the proposed security notion, while other state-of-the-art systems are actually too weak and fail to deliver on their security claims.
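The following added Python example (not the project's design, and not Pythia's protocol) contrasts a plain PBKDF with a derivation that additionally depends on a PRF evaluated by one of the user's own devices. It runs a small offline dictionary attack against a stored key-check value in three settings: password-only derivation, device-hardened derivation without the device, and device-hardened derivation after the device has been stolen. The dictionary, salt, key-check construction and the `DevicePRF` class are constructed for the demo; the iteration count is deliberately low so the demo runs quickly.

```python
# Added illustration (not the project's scheme, not Pythia): password-only key
# derivation versus derivation that also depends on a PRF held by a second device.
import hashlib
import hmac
import secrets

ITERATIONS = 2_000  # constructed: far too low for production PBKDF2-SHA256


def password_only_key(password, salt):
    """Plain PBKDF: anyone holding the salt can test password guesses offline."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


class DevicePRF:
    """Stand-in for a second user device that holds a random secret and answers PRF queries.

    Simplification: the query is sent unblinded, so the device learns a
    password-derived value. Pythia-style services blind the query; that
    machinery is omitted here.
    """

    def __init__(self, secret=None):
        self._secret = secret if secret is not None else secrets.token_bytes(32)

    def evaluate(self, query):
        return hmac.new(self._secret, query, hashlib.sha256).digest()


def device_hardened_key(password, salt, device):
    """Key depends on both the stretched password and the device's PRF output."""
    stretched = password_only_key(password, salt)
    prf_out = device.evaluate(stretched)
    return hmac.new(prf_out, stretched, hashlib.sha256).digest()


def key_check_value(key):
    """What an encrypted backup might store so a client can verify it derived the right key."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def offline_dictionary_attack(dictionary, kcv, derive):
    """Attacker holds the key-check value and tries every candidate password."""
    for guess in dictionary:
        if hmac.compare_digest(key_check_value(derive(guess)), kcv):
            return guess
    return None


def scenario():
    """Constructed scenario: a weak password, a small dictionary, one user device."""
    dictionary = ["123456", "password", "letmein", "qwerty", "iloveyou"]
    salt = b"constructed-16B!"  # constructed; a real client draws the salt at random
    user_pw = "letmein"
    device = DevicePRF()
    results = {}

    # 1. Password-only derivation: salt plus key-check value suffice for an offline attack.
    kcv_pw = key_check_value(password_only_key(user_pw, salt))
    results["password_only"] = offline_dictionary_attack(
        dictionary, kcv_pw, lambda g: password_only_key(g, salt))

    # 2. Device-hardened derivation, attacker lacks the device: each guess also
    #    needs the device secret, modelled here by a fresh random DevicePRF.
    kcv_dev = key_check_value(device_hardened_key(user_pw, salt, device))
    results["hardened_without_device"] = offline_dictionary_attack(
        dictionary, kcv_dev, lambda g: device_hardened_key(g, salt, DevicePRF()))

    # 3. Device stolen: the PRF is available to the attacker and the weak
    #    password is again the only obstacle.
    results["hardened_device_stolen"] = offline_dictionary_attack(
        dictionary, kcv_dev, lambda g: device_hardened_key(g, salt, device))
    return results


if __name__ == "__main__":
    print(scenario())  # {'password_only': 'letmein', 'hardened_without_device': None, 'hardened_device_stolen': 'letmein'}
```

Case 3 is the setting the project text singles out: once the device that runs the PRF can be lost or fall into adversarial hands, the security of the derived key collapses back to the entropy of the password unless the design says something stronger about what a captured device reveals, which is what a security notion for this setting has to capture.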

(Supervisor: Prof. Kenny Paterson, Joint Supervisors: Shannon Veitch, Dr. Lenka Mareková)

VPNs provide increased privacy to users, and are therefore commonly used to circumvent censorship. In response, certain censoring bodies have begun using more advanced traffic analysis to block VPN access. There are two main strategies for VPN blocking: blocking by address (the IP addresses of a VPN service) and blocking by behaviour (identifiable characteristics of the VPN traffic). VPN fingerprinting is the process of identifying a particular VPN protocol from its protocol features. As is common in the cat-and-mouse game between censors and circumvention developers, new protocols intended to resist such fingerprinting have been created, and several VPN deployments have adopted them.

This project aims to determine the efficacy of these circumvention techniques, by evaluating two advanced deployments of VPN protocols for censorship circumvention: Outline VPN [Out20,RM23] and LEAP VPN [Lea22]. Both Outline and LEAP offer client and server-side tools to enable individuals as well as organisations to act as service providers. These tools utilise and build on a number of existing technologies, from OpenVPN and Shadowsocks to Tor and Snowflake, which have previously been studied only in isolation [FWW20]. The project involves providing accurate and holistic abstractions of the systems and protocols and then applying a combination of fingerprinting [XKHE23, XRJ22], cryptanalysis, and machine learning techniques to determine if the protocols have identifiable features. We focus on exploring the capabilities of VPN fingerprinting for the sake of developing stronger censorship-resistant protocols in the future.
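To make "identifiable characteristics of the VPN traffic" concrete, here is an added Python example (not code from the project, from Outline or LEAP, or from the cited papers) of a passive fingerprint in the spirit of the opcode-based feature described in [XRJ22]: the first byte of every OpenVPN packet carries the opcode in its high five bits and the key id in the low three, and an OpenVPN UDP session opens with a client hard reset answered by a server hard reset with the same key id. The opcode values are those of the OpenVPN source; the two flows are constructed byte strings, not captured traffic, and the classifier deliberately covers UDP only (OpenVPN over TCP adds a two-byte length prefix that the example does not parse).

```python
# Added illustration, in the spirit of the opcode-based fingerprint in [XRJ22].
# OpenVPN header byte: opcode in the high 5 bits, key_id in the low 3 bits.
# Opcode values as defined in the OpenVPN source (ssl_pkt.h).
P_CONTROL_HARD_RESET_CLIENT_V1 = 1
P_CONTROL_HARD_RESET_SERVER_V1 = 2
P_CONTROL_SOFT_RESET_V1 = 3
P_CONTROL_V1 = 4
P_ACK_V1 = 5
P_DATA_V1 = 6
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8
P_DATA_V2 = 9
P_CONTROL_HARD_RESET_CLIENT_V3 = 10

KNOWN_OPCODES = set(range(1, 11))
HARD_RESET_CLIENT = {P_CONTROL_HARD_RESET_CLIENT_V1,
                     P_CONTROL_HARD_RESET_CLIENT_V2,
                     P_CONTROL_HARD_RESET_CLIENT_V3}
HARD_RESET_SERVER = {P_CONTROL_HARD_RESET_SERVER_V1, P_CONTROL_HARD_RESET_SERVER_V2}
DATA_OPCODES = {P_DATA_V1, P_DATA_V2}


def parse_header(payload):
    """Return (opcode, key_id) from the first byte of a UDP payload, or (None, None)."""
    if not payload:
        return None, None
    return payload[0] >> 3, payload[0] & 0x07


def looks_like_openvpn(flow):
    """Passive opcode fingerprint over a UDP flow.

    flow: list of (direction, payload) with direction "c2s" or "s2c".
    Matches when the first client packet is a hard reset, the first server
    packet is a hard reset carrying the same key_id, every packet has a valid
    opcode, and data packets eventually appear.
    """
    if len(flow) < 4:
        return False
    client = [p for d, p in flow if d == "c2s"]
    server = [p for d, p in flow if d == "s2c"]
    if not client or not server:
        return False
    c_op, c_kid = parse_header(client[0])
    s_op, s_kid = parse_header(server[0])
    if c_op not in HARD_RESET_CLIENT or s_op not in HARD_RESET_SERVER or c_kid != s_kid:
        return False
    seen_data = False
    for _, payload in flow:
        op, _ = parse_header(payload)
        if op not in KNOWN_OPCODES:
            return False
        if op in DATA_OPCODES:
            seen_data = True
    return seen_data


def _pkt(opcode, key_id, body):
    """Build a constructed OpenVPN-style UDP payload."""
    return bytes([(opcode << 3) | key_id]) + body


def sample_flows():
    """Two constructed flows: an OpenVPN-shaped handshake and a fully encrypted
    (Shadowsocks-like) flow whose first bytes are uniformly random-looking."""
    openvpn = [
        ("c2s", _pkt(P_CONTROL_HARD_RESET_CLIENT_V2, 0, b"\x11" * 8 + b"\x00" * 5)),
        ("s2c", _pkt(P_CONTROL_HARD_RESET_SERVER_V2, 0, b"\x22" * 8 + b"\x00" * 13)),
        ("c2s", _pkt(P_ACK_V1, 0, b"\x11" * 8 + b"\x00" * 13)),
        ("c2s", _pkt(P_CONTROL_V1, 0, b"\x11" * 8 + b"\x16\x03\x01")),  # TLS ClientHello inside
        ("s2c", _pkt(P_CONTROL_V1, 0, b"\x22" * 8 + b"\x16\x03\x03")),
        ("c2s", _pkt(P_ACK_V1, 0, b"\x11" * 8)),
        ("c2s", _pkt(P_DATA_V2, 0, b"\x00\x00\x01" + b"\xaa" * 40)),
        ("s2c", _pkt(P_DATA_V2, 0, b"\x00\x00\x02" + b"\xbb" * 40)),
    ]
    # Constructed random-looking leading bytes (all >= 0x58, so no valid opcode).
    fully_encrypted = [
        ("c2s", bytes([0xF3, 0x1C, 0x9E]) + b"\x5a" * 30),
        ("s2c", bytes([0x9A, 0x77, 0x02]) + b"\xa5" * 30),
        ("c2s", bytes([0xC7, 0xD1, 0x40]) + b"\x5a" * 30),
        ("s2c", bytes([0xDE, 0x08, 0x61]) + b"\xa5" * 30),
        ("c2s", bytes([0xB1, 0xEE, 0x33]) + b"\x5a" * 30),
        ("s2c", bytes([0xE8, 0x4F, 0x7C]) + b"\xa5" * 30),
    ]
    return {"openvpn": openvpn, "fully_encrypted": fully_encrypted}


if __name__ == "__main__":
    for name, flow in sample_flows().items():
        print(name, looks_like_openvpn(flow))  # openvpn True, fully_encrypted False
```

The opcode byte is sent in the clear even when tls-auth or tls-crypt is configured, which is what makes it usable as a passive feature; on its own it still yields a small false-positive rate against random-looking traffic, so [XRJ22] combine it with further features and active probing. Conversely, a flow that is wrapped in a fully encrypted transport such as Shadowsocks hides this byte entirely, which is why evaluating Outline or LEAP means looking at the whole stack of layered protocols rather than at OpenVPN alone.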

References:

[XKHE23] https://www.usenix.org/conference/usenixsecurity24/presentation/xue
[XRJ22] https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen
[Lea22] https://leap.se/
[Out20] https://getoutline.org/
[RM23] https://www.technologyreview.com/2023/09/13/1079381/google-jigsaw-outline-vpn-internet-censorship/
[FWW20] https://www.ndss-symposium.org/ndss-paper/detecting-probe-resistant-proxies/

(Supervisor: Prof. Kenny Paterson, Joint Supervisor: Kien Tuong Truong)

Cloud storage providers such as Dropbox, Google Drive and Microsoft OneDrive allow users to offload their digital storage requirements to a remote server managed by the provider. This is convenient and can create cost savings for both individuals and organizations. All of these providers consider security against outside attackers. However, few providers address security when the server itself is compromised, and some of those that do have been shown to have devastating cryptographic vulnerabilities, as evidenced by the attacks on MEGA [BHP23] and Nextcloud [CPAB23]. Even where a solution provably provides confidentiality and integrity of file contents, metadata is often still leaked: some providers leak file names, and the server always sees the access patterns of the users. Such leakage can be combined into attacks that compromise the privacy of users.

A significant problem is that, even though a multitude of end-to-end encrypted (E2EE) cloud storage solutions exist on the market, there is a lack of foundational work on the cryptographic design for such systems. In order to guide such work, we look at the current ecosystem of E2EE cloud storage solutions, analyzing their protocols, and discussing their requirements.

A new cloud storage solution that promises to protect the security and privacy of users is PrivateStorage [Aut] by Least Authority [lea]. Much like MEGA and Nextcloud, they claim to provide end-to-end encryption. However, they also implement unique features such as accountless authorization based on Zero-Knowledge Access Passes (ZKAPs) [Aut21], a bespoke variation of Privacy Pass [Dav18]. This mechanism allows users to access the service without a traditional account, decoupling service usage from identifiable information (e.g. payment information) and thus enhancing user privacy. It is intended to protect against surveillance, invasive data analysis and profiling, even when the adversary is a nation-state actor.

PrivateStorage's model offers a promising solution that could set new standards for the industry. However, new designs and new cryptographic and privacy-related protocols always raise concerns about potential vulnerabilities. This thesis seeks to analyze the protocol in order to find possible issues or, if none are found, to prove (a selection of) the claims made by PrivateStorage.

References:

[Aut] Least Authority. PrivateStorage. https://private.storage/. Accessed on 2024-02-11.
[Aut21] Least Authority. ZKAPs whitepaper. 2021.
[BHP23] Matilda Backendal, Miro Haller, and Kenneth G. Paterson. MEGA: Malleable encryption goes awry. In 2023 IEEE Symposium on Security and Privacy (SP), pages 146–163, 2023.
[CPAB23] Daniele Coppola, Kenneth G. Paterson, Martin Albrecht, and Matilda Backendal. Breaking cryptography in the wild: Nextcloud. 2023.
[Dav18] Alexander Davidson. Privacy Pass: Bypassing internet challenges anonymously. Proceedings on Privacy Enhancing Technologies, 2018(3):164–180, 2018.
[lea] Least Authority. Privacy matters. https://leastauthority.com/. Accessed on 2024-02-11.

(Supervisor: Prof. Kenny Paterson, Joint Supervisor: Dr. Lenka Mareková)

In light of the mass surveillance and censorship going on in many countries, there has been continued interest in providing tools that enable their users to communicate securely and privately. This is of particular importance to groups of higher-risk users (e.g., political activists). Decentralised messaging applications offer promising solutions for such users because they do not require a central server in the middle to forward messages or manage data, thus removing a potential single point of failure as well as making it harder for communications to be monitored.

Despite the strong security claims made by the designers of decentralised messaging applications, many of them employ custom cryptographic protocols and justify their security claims using only informal arguments or partial code audits that check only for common vulnerabilities. Hence, it is unclear what security guarantees are provided in reality. Researchers studying these protocols often find cryptographic vulnerabilities in them, even after supposed fixes and code audits, as illustrated by the examples of Bridgefy [ABJM21, AEP22, 7AS23] and Matrix [ACDJ23]. This shows the importance of performing formal security analyses of decentralised messaging applications.

Two decentralised messaging applications in particular are of core interest because they both have generally positive track records from past security audits, but their custom cryptographic protocols have yet to receive any formal security analysis.

Delta Chat is a messaging application that builds on the existing email infrastructure. There is no central server unless all users come from the same email provider. It offers end-to-end encryption using the Autocrypt and CounterMITM protocols, which use a subset of the OpenPGP standard.

Briar is a messaging application designed for activists, journalists, and anyone else who needs a safe, easy and robust way to communicate. Briar users can synchronize messages directly between contacts via Bluetooth, WiFi, or Tor. Our semester project [Son23] argues informally that Briar's custom cryptographic protocols are overall secure.

The main objective of the project is to make a deep-dive on Delta Chat and Briar, with the primary aim of conducting a formal security analysis of their cryptographic protocols. This entails analysing their cryptographic components as well as the composition of these components and various subprotocols that the applications rely on.

References:

[7AS23] 7ASecurity. Bridgefy Pentest Report, 2023. https://7asecurity.com/reports/pentest-report-bridgefy.pdf.

[ABJM21] Martin R. Albrecht, Jorge Blasco, Rikke Bjerg Jensen, and Lenka Mareková. Mesh messaging in large-scale protests: Breaking Bridgefy. In CT-RSA, volume 12704 of Lecture Notes in Computer Science, pages 375–398. Springer, 2021.

[ACDJ23] Martin R. Albrecht, Sofía Celi, Benjamin Dowling, and Daniel Jones. Practically-exploitable cryptographic vulnerabilities in Matrix. Cryptology ePrint Archive, Paper 2023/485, 2023. IEEE Symposium on Security and Privacy (S&P) 2023. https://eprint.iacr.org/2023/485.

[AEP22] Martin R. Albrecht, Raphael Eikenberg, and Kenneth G. Paterson. Breaking Bridgefy, again: Adopting libsignal is not enough. In USENIX Security Symposium, pages 269–286. USENIX Association, 2022.

[Son23] Yuanming Song. Cryptography in the wild: Briar, 2023. https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_YuanmingSong.pdf.

Completed Projects

2024

Jonas Hofmann. Breaking Cryptography in the Wild: Cloud Storage. Supervisor: Prof. Kenny Paterson, Co-supervisor: Kien Tuong Truong.

Noah Schmid. Breaking Cryptography in the Wild: Rocket.Chat. Supervisor: Prof. Kenny Paterson, Co-supervisor: Jan Gilcher.

Aurel Feer. Privacy Preserving String Search using Homomorphic Encryption [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Dr. Zichen Gui.

Léa Micheloud. Securing Cloud Storage with OpenPGP: An Analysis of Proton Drive [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisors: Matilda Backendal, Daniel Huigens (Proton AG, Zurich).

2023

Daniel Pöllmann. Differential Obliviousness and its Limitations. Supervisor: Prof. Kenny Paterson, Co-supervisor: Dr. Tianxin Tang.

Andreas Tsouloupas. Breaking Cryptography in the Wild: Double-Ratchet Mutations. Supervisor: Prof. Kenny Paterson, Co-supervisors: Matteo Scarlata, Kien Tuong Truong.

Thore Göbel. Security Analysis of Proton Key Transparency [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisors: Daniel Huigens (Proton AG, Zurich), Felix Linker.

Sina Schaeffler. Algorithms for Quaternion Algebras in SQIsign [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Dr. Luca De Feo (IBM Research, Zurich).

Lucas Dodgson. Post-Quantum Building Blocks for Secure Computation: The Legendre OPRF [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisors: Dr. Julia Hesse, Sebastian Faller (IBM Research, Zurich).

Mirco Stäuble. Mitigating Impersonation Attacks on Single Sign-On with Secure Hardware [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisors: Dr. Julia Hesse, Sebastian Faller (IBM Research, Zurich).

Younis Khalil. Implementing a Forward-Secure Cloud Storage System [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisors: Dr. Felix Günther, Matilda Backendal.

Andrei Herasimau. Formal Verification of the "Crypto Refresh" Update to the OpenPGP Standard [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Daniel Huigens (Proton Mail).

Benjamin Fischer. Privacy-Preserving Federated Learning for Cyber Threat Intelligence Sharing [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Juan R. Troncoso-Pastoriza (Tune Insight SA).

Pascal Schärli. Security Assessment of the Sharekey Collaboration App [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Dr. Bernhard Tellenbach (Armasuisse).

Lena Csomor. Bridging the Gap between Privacy Incidents and PETs [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisors: Dr. Anwar Hithnawi, Alexander Viand, Shannon Veitch.

2022

Ran Liao. Linear-Time Zero-Knowledge Arguments in Practice. Supervisor: Prof. Kenny Paterson, Co-supervisor: Dr. Jonathan Bootle (IBM Research, Zurich).

Christian Knabenhans. Practical Integrity Protection for Private Computations [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisors: Dr. Anwar Hithnawi, Alexander Viand.

Ella Kummer. Counting Filters in Adversarial Settings [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisors: Dr. Anupama Unnikrishnan, Mia Filić.

Massimiliano Taverna. Breaking Cryptography in the Wild: Web3 [pdf]. Supervisor: Prof. Kenny Paterson.

Giacomo Fenzi. Klondike: Finding Gold in SIKE [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Dr. Fernando Virdia.

Kien Tuong Truong. Breaking Cryptography in the Wild: Threema [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Matteo Scarlata.

Jonas Meier. Diophantine Satisfiability Arguments for Private Blockchains [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Dr. Patrick Towa.

Marc Ilunga. Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Dr. Felix Günther.

Robertas Maleckas. Cryptography in the Wild: Analyzing Jitsi Meet [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Prof. Martin Albrecht.

Miro Haller. Cloud Storage Systems: From Bad Practice to Practical Attacks [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Matilda Backendal.

Lorenzo Laneve. Quantum Random Walks [pdf]. Joint supervisor: Prof. Kenny Paterson.

Florian Moser. Swiss Internet Voting [pdf]. Supervisor: Prof. Kenny Paterson.

2021

Moritz Winger. Automated Hybrid Parameter Selection & Circuit Analysis for FHE [pdf]. Joint supervisor: Prof. Kenny Paterson, Co-supervisor: Alexander Viand.

Tijana Klimovic. Modular Design of the Messaging Layer Security (MLS) Protocol [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Dr. Igors Stepanovs.

Radwa Abdelbar. Post-Quantum KEM-based TLS with Pre-Shared Keys [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisors: Dr. Felix Günther, Dr. Patrick Towa.

Raphael Eikenberg. Breaking Bridgefy, Again [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Prof. Martin Albrecht.

Andreas Pfefferle. Security Analysis of the Swiss Post's E-Voting Implementation. Supervisor: Prof. Kenny Paterson.

Mihael Liskij. Survey of TLS 1.3 0-RTT Usage [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Dr. Felix Günther.

Nicolas Klose. Characterizing Notions for Secure Cryptographic Channels [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Dr. Felix Günther.

Alexandre Poirrier. Continuous Authentication in Secure Messaging [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisors: Dr. Benjamin Dowling, Dr. Felix Günther.

Luca Di Bartolomeo. ArmWrestling: Efficient Binary Rewriting for ARM [pdf]. Joint supervisor: Prof. Kenny Paterson.

2020

Matteo Scarlata. Post-Compromise Security and TLS 1.3 Session Resumption [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Dr. Benjamin Dowling.

Anselme Goetschmann. Design and Analysis of Graph Encryption Schemes [pdf]. Supervisor: Prof. Kenny Paterson, Co-supervisor: Dr. Sikhar Patranabis.

Lara Bruseghini. Analysis of the OpenPGP Specifications and Usage. Joint supervisor: Prof. Kenny Paterson.

Semira Einsele. Average Case Error Estimates of the Strong Lucas Probable Prime Test [pdf]. Joint supervisor: Prof. Kenny Paterson.

Jan Gilcher. Constant-Time Implementation of NTS-KEM [pdf]. Supervisor: Prof. Kenny Paterson.