The Reality of Secure Messaging: Users, Entity Authentication, and a World after Compromise

Britta Hale


Modern secure messaging applications aim to provide post-compromise security (PCS): the ability for a protocol to “heal” from key compromise. However, PCS presents a limited view as it considers only confidentiality. To achieve protection from a man-in-the-middle attack, messaging protocols require post-compromise authentication security, something that modern messaging apps fail to offer. As such, Signal and similar applications are vulnerable to man-in-the-middle attacks in the post-compromise scenario. This raises the question, “How can we achieve PCS entity authentication?”

To correctly model and achieve PCS entity authentication, we take a closer look at how entity authentication is handled in secure messaging. Protocol user interaction is a well-accepted and often relied-upon technique for entity authentication in such messaging protocols, as well as in some key exchange protocols and IoT device commissioning. Here, users enter PIN codes, nonces, or other information to complete device pairing, or to provide verification via numeric sequence comparison. In turn, user-mediated protocols face non-typical adversarial threats, such as shoulder-surfing, social engineering, and adversarial control of the device display (aka “bluebugging” in Bluetooth). Despite this active user participation in the protocol and the consequent potential for vulnerability, analysis usually treats the user role as a perfectly reliable out-of-band (OOB) action.

This talk will address the scope of security in a post-compromise setting, the challenge of achieving entity authentication in secure messaging, and the “user problem” in computational analysis models. Finally, we present a provably secure solution for achieving PCS entity authentication in Signal and similar applications.


Britta Hale is an Assistant Professor of Computer Science at the Naval Postgraduate School working in cryptography and cybersecurity. Her specialization areas include analysis and design of cryptographic key exchange and authentication protocols. Hale is currently active in the design and IETF standardization of the MLS group messaging protocol, user-mediated protocol analysis, hybrid post-quantum cryptography, and security in-depth solutions for AIS (maritime communications) and SDNs. Britta holds a PhD from the Norwegian University of Science and Technology and a Master’s in Mathematics of Cryptography and Communications from Royal Holloway, Univ. of London.

Time and Place

Monday, November 11, 4:15pm
Gates 104