
⚠️ What Can Go Wrong

Attack Scenarios Against Signal Protocol

In 15 minutes: Understand potential attacks and defenses
Prerequisites: Security Properties


🎯 The Simple Story

What if Eve tries various attacks? Signal Protocol defends!

Scenarios:

  1. Replay attack: Eve sends old message again
  2. MITM attack: Eve replaces Bob's keys with hers
  3. Compromise attack: Eve steals device
  4. Server attack: Eve compromises server

🧠 Mental Model

Hold this picture in your head:

Attacks and Defenses:

REPLAY ATTACK:
Eve captures msg 5 ciphertext
Eve sends msg 5 again to Bob
Defense: Message numbers detect duplicate
Bob: Reject "Already seen msg 5!"

MITM ATTACK:
Eve replaces Bob's keys with Eve's keys
Alice downloads "Eve's Bob keys"
Defense: Signature verification fails
Alice: Reject "Invalid signature!"

COMPROMISE ATTACK:
Eve steals Bob's device at msg 10
Eve reads msg 10 from device
Defense: Forward secrecy
Msg 1-9: K1-K9 deleted → Safe
Msg 11+: New DH → Eve doesn't have DH keys

SERVER ATTACK:
Eve compromises server
Eve changes Bob's public keys
Defense: Signature verification
Alice downloads and checks: Eve's signature ≠ Bob's signature → Reject

🎭 Attack: Replay

Scenario: Alice sends msg 5. Eve captures ciphertext "C5".

Eve's attempt:

  • Eve sends same "C5" to Bob again
  • Bob receives: Should decrypt?

Defense:

  • Bob checks message number metadata
  • Bob sees: "Msg 5 already seen!"
  • Bob rejects: Replay attack!

🎭 Attack: MITM

Scenario: Eve wants to impersonate Bob to Alice.

Eve's attempt:

  • Eve replaces Bob's keys on server with Eve's keys
  • Alice downloads "Eve's Bob keys"
  • Alice does X3DH with Eve's keys (thinking it's Bob!)

Defense:

  • Alice verifies: SIG_B valid for pk(SPK_EVE) using pk(IK_EVE)?
  • Alice checks: NO! SIG_B matches Eve's signature (signed with Eve's IK)
  • Alice rejects: "Invalid Bob keys (Eve's)!"

🎭 Attack: Compromise

Scenario: Eve steals Bob's phone at message 10.

Eve's attempt:

  • Eve has K10 on phone
  • Eve decrypts msg 10
  • Eve tries to decrypt msg 1-9
  • Eve tries to decrypt msg 11+

Defense:

  • Msg 1-9: K1-K9 deleted → Eve can't decrypt
  • Msg 11+: New DH needed → Eve doesn't have DH keys for K11, K12...
  • Limit: Eve reads msg 10 only
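
The replay and compromise defenses above can be seen together in a small receiver model. This is an added example, not code from the original page or from any Signal implementation. It assumes a shared starting chain key (a constructed value standing in for the X3DH output), uses an HMAC tag in place of real encryption, and does not model the DH ratchet step that protects msg 11+.

```python
import hashlib
import hmac

def kdf_ck(ck):
    """One symmetric-ratchet step: returns (next chain key, message key)."""
    mk = hmac.new(ck, b"\x01", hashlib.sha256).digest()
    return hmac.new(ck, b"\x02", hashlib.sha256).digest(), mk

def seal(mk, n, body):
    """Tag (message number, body) under the single-use message key."""
    return hmac.new(mk, n.to_bytes(4, "big") + body, hashlib.sha256).digest()

class Sender:
    def __init__(self, ck):
        self.ck, self.n = ck, 0
    def send(self, body):
        self.ck, mk = kdf_ck(self.ck)   # old chain key is overwritten
        self.n += 1
        return self.n, body, seal(mk, self.n, body)

class Receiver:
    MAX_SKIP = 100  # constructed bound on how far ahead a message may be
    def __init__(self, ck):
        self.ck, self.next_n, self.skipped = ck, 1, {}
    def receive(self, n, body, tag):
        if n < self.next_n and n not in self.skipped:
            return "reject: replay"     # key for n was already used and deleted
        if n - self.next_n >= self.MAX_SKIP:
            return "reject: too far ahead"
        # Ratchet on copies so a forged message cannot advance the real state.
        ck, next_n, fresh = self.ck, self.next_n, {}
        while next_n <= n:
            ck, fresh[next_n] = kdf_ck(ck)
            next_n += 1
        mk = fresh[n] if n in fresh else self.skipped[n]
        if not hmac.compare_digest(tag, seal(mk, n, body)):
            return "reject: bad tag"
        self.ck, self.next_n = ck, next_n
        self.skipped.update(fresh)
        del self.skipped[n]             # delete the key once it has been used
        return "accept"

def demo():
    ck0 = hashlib.sha256(b"constructed secret").digest()  # stands in for X3DH output
    alice, bob = Sender(ck0), Receiver(ck0)
    msgs = [alice.send(b"msg %d" % i) for i in range(1, 11)]
    results = [bob.receive(*m) for m in msgs]
    # msgs[4] is message 5, delivered a second time
    return results, bob.receive(*msgs[4]), len(bob.skipped)
```

After message 10 the receiver holds only the current chain key: K1-K10 are gone and the HMAC chain cannot be run backwards to recover them.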

🎭 Attack: Server

Scenario: Eve compromises server storing Bob's keys.

Eve's attempt:

  • Eve replaces Bob's keys with Eve's keys
  • Alice downloads "Eve's Bob keys"
  • Alice starts X3DH with Eve

Defense:

  • Same as MITM: Signature verification detects Eve's signature
  • Alice rejects: "Invalid Bob keys!"

✅ Quick Check

Which attacks are prevented?

All 4:

  • Replay: Message number check
  • MITM: Signature verification
  • Compromise: Forward secrecy (K_i delete)
  • Server: Signature verification

What can Eve do?

Read current message only:

Eve steals phone at msg 10: Eve decrypts msg 10, but not msg 1-9 (deleted) or msg 11+ (new DH needed).


📋 Summary

Replay: Message numbers prevent
MITM: Signature verification blocks
Compromise: Limited to current message
Server: Same as MITM (signature check)
Conclusion: Signal Protocol resilient!