The Undeniable Truth: How Remote Attestation Circumvents Deniability Guarantees in Secure Messaging Protocols

Presented at Black Hat Europe 2018, Dec. 5, 2018, 3:15 p.m. (50 minutes)

In 2016, attackers broke into John Podesta's e-mail account and published his mailbox via WikiLeaks; many messages could be authenticated by their DKIM signatures. After this, secure messaging apps saw a flood of new users: Signal, for example saw a 400% increase in downloads. One reason for this is that secure messaging applications, like Signal, promise cryptographic deniability: that when you send a message to someone, they can verify that it came from you but the protocol will not leave any trace that can be used to convince skeptical third parties who sent that message. Enter remote attestation: most new processors include a hardware-assisted trusted execution environment (TEE) that provides remote attestation; such TEEs can prove something about their state to a remote party. An attacker, even a manifestly untrustworthy one like a criminal or propaganda organization, can piggyback on the trust placed in the TEE, allowing them to prove to a skeptical audience that their purloined messages are authenticated by the messaging protocol, and that the attacker did not have the keys needed to forge the messages. We demonstrate this attack using the Signal protocol and Intel SGX, but it applies to *any* purely-software protocol that provides sender authentication of messages. We show how to design protocols that resist attackers with remote attestation, including both completely cryptographic methods such as on-line deniable key establishment (that work against some adversaries and as adopted by the upcoming OTRv4) and methods that use TEEs (which can stop it completely). More generally, we want to raise awareness among users of secure messaging protocols about the limits of the level of deniability they can expect and among designers of such protocols that widespread availability of hardware-assisted remote attestation has changed the implicit assumptions they make.


  • N. Asokan - Professor, Aalto University   as N Asokan
    <p class="p1"><span class="s1">Asokan is a professor of computer science at Aalto University. He leads the Secure Systems research group and is the lead academic PI for ICRI-CARS in Finland. Follow him on twitter at @nasokan or check out his work at</span></p>
  • Ricardo Vieitez Parra - Research Assistant, Aalto University
    Ricardo Vieitez is a research assistant in the Secure Systems Group at Aalto University. His research focuses on platform security and consensus, and he is interested in user-security and privacy-enhancing applications of trusted hardware.
  • Lachlan Gunn - Postdoctoral Researcher, Aalto University
    <div>Lachlan Gunn is a postdoctoral researcher in the Secure Systems Group at Aalto University, working in the areas of consensus and platform security. His past research includes such topics as Tor hidden service geolocation, physical-layer key establishment, and non-cooperative web service auditing. Follow him on Twitter at @lachlan_gunn or check out his work at <a href="" data-mce-href=""></a></div>


Similar Presentations: