A Security and Privacy Audit of KakaoTalk's End-to-End Encryption

 |  Login

Show simple item record

dc.contributor Aalto-yliopisto fi
dc.contributor Aalto University en
dc.contributor.advisor Deibert, Ronald
dc.contributor.author Schmidt, Dawin
dc.date.accessioned 2016-11-02T09:18:25Z
dc.date.available 2016-11-02T09:18:25Z
dc.date.issued 2016-08-24
dc.identifier.uri https://aaltodoc.aalto.fi/handle/123456789/23165
dc.description.abstract End-to-end encryption is becoming a standard feature in popular mobile chat applications (apps) with millions of users. In the two years a number of leading chat apps have added end-end encryption features including LINE, KakaoTalk, Viber, Facebook Messenger, and WhatsApp. However, most of these apps are closed-source and there is little to no independent verification of their end-to-end encryption system design. These implementations may be a major concern as proprietary chat apps may make use of non-standard cryptographic algorithms that may not follow cryptography and security best practices. In addition, governments authorities may force chat app providers to add easily decryptable export-grade cryptography to their products. Further, mainstream apps have a large attack surface as they offer a variety of features. As a result, there may be software vulnerabilities that could be exploited by an attacker in order to compromise user's end-to-end privacy. Another problem is that, despite being closed-source software, providers often market their apps as being so secure that even the provider is not able to decrypt messages. These marketing claims may be potentially misleading as most users do not have the technical knowledge to verify them. In this Master's thesis we use KakaoTalk -- the most popular chat app in South Korea -- as a case study to perform a security and privacy assessment and audit of its "Secure Chat" opt-in end-to-end encryption feature. Also, we examine KakaoTalk's Terms of Service policies to verify claims such as "[...] Kakao's server is unable to decrypt the encryption [...]" from a technical perspective. The main goal of this work is to show how various issues in a product can add up to the potential for serious attack vectors against end-to-end privacy despite there being multiple layers of security. In particular, we show how a central public-key directory server makes the end-to-end encryption system vulnerable to well-known operator-site man-in-the-middle attacks. While this naive attack may seem obvious, we argue that (KakaoTalk) users should know about the strength and weaknesses of a particular design in order to make an informed decision whether to trust the security of a chat app or not. en
dc.format.extent 164
dc.language.iso en en
dc.title A Security and Privacy Audit of KakaoTalk's End-to-End Encryption en
dc.type G2 Pro gradu, diplomityö fi
dc.contributor.school Perustieteiden korkeakoulu fi
dc.subject.keyword secure messaging en
dc.subject.keyword end-to-end encryption en
dc.subject.keyword android security en
dc.subject.keyword privacy en
dc.identifier.urn URN:NBN:fi:aalto-201611025266
dc.programme.major Security and Mobile Computing fi
dc.programme.mcode T3011 fi
dc.type.ontasot Master's thesis en
dc.type.ontasot Diplomityö fi
dc.contributor.supervisor Asokan, N.
dc.programme Master's Degree Programme in Security and Mobile Computing (NordSecMob) fi

Files in this item

Files Size Format View

There are no files associated with this item.

This item appears in the following Collection(s)

Show simple item record

Search archive

Advanced Search

article-iconSubmit a publication


My Account