Name: What's Up With Group Messaging? - Computerphile
Uploaded: 2020-03-27T16:56:50.000Z
Duration: 10 min 50 s
Description: Thousands of YouTube videos with English-Chinese subtitles! Now you can learn to understand native speakers, expand your vocabulary, and improve your pronunciation...

We've already covered Signal, WhatsApp, Facebook private messages, these kind of things.

Modal verbs - A2

Peer-to-peer, sort of two-person communication, which hopefully is end to end. And it means that no one can get in on that conversation,

Past simple

Impersonate us, read any messages, put in any messages themselves.

Even the server, and this is a really good thing.

This doesn't work as well in group messages. And maybe people don't actually know this.

Last time we talked about end-to-end encryption in apps like Signal, WhatsApp, Facebook Messenger.

Signal implemented this by default, Facebook Messenger has a private conversations thing you can enable and you definitely should enable

so don't use the default because they'll be reading your messages, but

These things kind of start to break down when we're looking at groups, right? What's true in terms of cryptographic security,

what's true between you and me is not the same as when we bring Steve in. There were a lot of reasons for that.

So let's imagine that we've got three people in a conversation, right or maybe just a couple of people

We're actually using not Alice and Bob this time, they'll be glad to be having a bit of a break

I mean I thought about using it just to keep the trend going

But let's not. So this is Sean and Steve over here

Normally when we're talking about one of these applications I will have some kind of shared key with you

We've got this double ratchet going on where we're sending messages back and forth keys are being updated

So I will have a kind of encrypted communication channel with you

Now, of course this is going through a server, but I'm not drawing a server in this image

There's a few interesting properties that this particular conversation has. The first is obviously it's it's secret, right?

This is encryption. Also, it has something called perfect forward secrecy

Which means that if someone cracks one of our keys they can't use that to go back and crack all the other messages

Previously to this because the keys are constantly updating and you can't go backwards

it also has this kind of self-healing or post compromised security, which means that if you

Let's say someone cracks one of my keys if they sort of look away even for a second,

We can have some more communication and that problem goes away

Essentially, to continually eavesdrop on our conversation, not only do you have to break one of our keys

But you also have to see every single message from then on. If you miss one, you're out

So the question I guess is if we want to do implement group conversations

Which is where I'm sending messages to both you and Steve at the same time

Can we still do these things? And the answer is a little bit but not totally

So, okay. So let's imagine now we've got a three-way conversation.

Now remember I have already got channels, but I've been perhaps talking to you beforehand

And you and Steve have been talking as well separately

Right, if it's the case that you're introduced to a group where you haven't been talking to them

You will form a two-way conversation with that person immediately right as a way as a sort of prerequisite

Well, I suppose the sort of naive way of doing this would this be: whenever I want to send a message to the group

Using our pairwise channels and then we have the benefits of the security of each of these channels

I send that same message once encrypted using our keypairs and once encrypted using mine and Steve's keypairs

And then kind of up to you and Steve to make sure these messages are in sync

And if you then send a message, you're gonna send it this way. This is how our message works

The benefit you get is that each of the messages has the guaranteed security that we had with this sort of pairwise messaging:

Self-healing, perfect forward secrecy, this kind of stuff.

The problem is the more people you add to this group. So maybe you're a member of some kind of school thing, 50 people in the group, you're sending 50 messages

Maybe you're sending a video suddenly the bandwidth becomes actually a bit of a problem

This may not be an issue depending on the application

But Whatsapp, Signal and others have decided that this is a bit of a problem, and this is not how they're going to do it.

The next thing we could do is we could say well, why can't we use the same protocol to establish keys to get a group key?

We do our Diffie-Hellman in some way and that gets us one shared group key that we can then use, right?

So then I encrypt a message to you both with the one group key

Now, of course in practice I would just send the one message to the server and it would spread out

So this will be called server-side fan-out. So a single message for me to the server

The server knows it has to go to the group and it sends it out

Now there are ways to turn Diffie-Hellman into a kind of three- or four- or n-way Diffie-Hellman

They're usually using trees where two of us will do it, exchange, and then someone will do an exchange with that

And and so on all the way up to the top where that's everyone's key

The problem is that this takes time. It involves all the parties

So implementing this in a way where Steve doesn't have to be online at the same time as me

and at the same time as you, that's a problem

And that's another of the things that we get from our pairwise messaging, this asynchronicity

The other problem is that how often do we do this, right?

If I create a group key with you and Steve and we chat for two years using that same key

Maybe someone broke it one month in and has been reading all our messages for nearly two years

Huge problem, right? So there's no self healing really unless we recompute these keys regularly

So how does actually work, right? It's kind of a compromise

What we do is we use our pairwise channels to establish a key and then we use group keys

Kind of the big problem with this group key idea is that the Diffie-Hellman key exchange is complex

and if people haven't got their phone switched on that's a huge problem

one of the nice things would be if you and me could add Steve to a group when his phone's turned off

And then a month later he remembers, turns his phone on it gets all the previous messages

That would be really good. The way we do this is something called sender keys. So I'm going to write sender keys here

A bit like our sending and receiving chains in a normal protocol,

Each person comes up with a sending key, right? This is iterated for every message. So we have this perfect forward secrecy

So, how do I give this to you? Well, I use the two-way communication we already have

So I have a sender key for me. You have a sender key for Sean. This is not going to work

And this is — yeah, I've not thought this through — This is a sender key for Steve

I mean, this is a shambles and now I was only one letter, okay?

So at the very beginning we'd established a group

So I send you a message which says this is my sender key for this group

I send Steve a message. It says this is my sender key for this group

You will do the same. It's a few initial messages, but it doesn't have to happen online

I can send the messages and you can pick it up later. So that might sit on the server waiting for you

Just like a normal WhatsApp message the server can't read it because it's protected using our end-to-end encryption

From then on, when either I send a message I send it encrypted using my sender key and then I ratchet my sender key one tick

If you are sending to someone you perhaps haven't had that before

Someone said hey add this person to the group because they've joined the school or something

In your previous season then presumably that then starts to use the stubs that we had in the previous thing?

No, so what will happen: Yes, you mean the three keys?

Yes, so what will happen is let's imagine, that we add a fourth person to the group

He does now, so Dave turns up. I've never spoken to Dave before on a mobile phone, right?

So I will then perform a quick triple Diffie-Hellman handshake with Dave using the standard pairwise protocol we have

And then I'll use that to distribute my sender key for this group

And have a good thing is everyone can do this asynchronously

Subtitles ListPlay Video

What's Up With Group Messaging? - Computerphile

sort

essentially

compromise

realize