Secure Messaging Applications


Discussing End-To-End Encryption Protocols used by messaging applications such as WhatsApp

Due to the highly interconnected world we live in today and our increased dependency on technology in almost every aspect of our lives, technology has not only made our lives easier; it has also given crime another vector and has been utilized by criminals in many ways, including for ease of communication. At the same time, governments are forced, and on occasion take advantage of this, to tap into every aspect of our privacy.

This paper investigates several secure messaging applications and how end-to-end encryption is used to secure our communications, not only in transit but also from the moment we initiate the communication from our handset or computer.


We live in a highly interconnected world in which almost everything we can think of is connected to the internet: our computers, mobile phones, refrigerators, critical devices, smart TVs and even the watches many of us wear on our wrists. In addition, social networks and social messaging applications are becoming normal day-to-day tools that many of us use not only to chat with our teammates and family members but also to publish personal photos, videos and even live location feeds.

From a business perspective these applications or an enterprise version of these applications are used by businesses for team collaborations and group discussions.

Several vulnerabilities have been announced to date, in addition to a number of governments trying to put pressure on providers to share data, which breaches the privacy act, making us question the security of these applications and whether governments have succeeded in forcing providers to break their privacy commitment to their users.

On the positive side, the majority of the information security community and the providers of these applications have put a huge effort into making these applications secure without the need for a head-to-head collision with government agencies, which in many parts of the world take advantage of crime and terrorism to invade our privacy and imprison our freedom.

This movement has driven many vendors, especially those for whom privacy is the focus, to move towards end-to-end encryption and the use of deniable key authentication. This means that even if providers are forced to surrender their servers, nothing can be obtained from them, because many of these servers do not store any data: encryption is performed end-to-end on the devices participating in the communication.


End-to-end encryption (E2EE) is a way of securing communication and prevents third-parties from accessing data while it’s transferred from one end system or device to another.

In E2EE, encryption of data occurs on the sender’s system or device and only the participants can decrypt it. This means that nobody in between, whether it is the Internet service provider, application service provider or an adversary, can read it or compromise its integrity.

The encryption keys used to encrypt and decrypt the messages are stored exclusively on the endpoints; this is made possible using public key encryption.

The first widely used E2EE messaging software was Pretty Good Privacy, which secured email and stored files, as well as securing digital signatures.

Text messaging applications frequently utilize end-to-end encryption, including Jabber, TextSecure and Apple’s iMessage, Signal, WhatsApp…


Off-the-Record is a protocol that was designed to provide features for an underlying instant messaging protocol. It uses the instant messaging protocol as a transport layer and follows four steps during the entire communication:

  1. OTR starts with the Off-The-Record Authenticated Key Exchange.
  2. Followed by message transmission.
  3. Step three is about the re-keying that OTR often does during the conversation between parties.
  4. Lastly the publishing of MAC-keys.

Following the above-mentioned necessary steps, an important protocol is used to ensure that no passive or active attack, such as man-in-the-middle, is possible during a conversation.

Step 1: Authenticated Key Exchange

When starting a conversation, both parties need to know if they want to have a conversation with OTR. This is done by one of the parties informing the other that he is willing to use the OTR protocol to communicate with him.

  • A Query Message is sent from party A to B, requesting to start an OTR conversation.
  • Party A can also state which version of OTR to use.
  • It is up to party B if they accept to communicate with OTR or not.
  • This means party B is going to be the one starting the Authenticated Key Exchange if he agrees.

OTR uses a variation of the Diffie-Hellman key exchange called SIGMA.

An unauthenticated Diffie-Hellman key exchange is used to set up an encrypted channel, and inside that channel the mutual authentication is performed.

Diffie-Hellman provides a way of generating a shared secret between two parties such that others cannot compute the same shared secret. The key does not get shared during the exchange; instead the two parties create the key together, which is an important distinction.

Step 2: Message Transmission

During the message transmission step, messages are encrypted and authenticated before being sent over the web. The Off-the-Record protocol uses AES in counter mode as its encryption algorithm.

The message is first encrypted using the AES in counter mode; then the resulting ciphertext is authenticated using a keyed-hash message authentication code (HMAC).

The Off-the-Record team chose AES in counter mode because it increases deniability. A valid ciphertext cannot be tied to any of the communication participants, since anyone can create a ciphertext that decrypts correctly and then compute a valid MAC over that ciphertext, because old MAC keys are published to the web.

Step 3: Re-key

The third step is to re-key as often as possible. All participants need to pick a new key and then perform a new Diffie-Hellman exchange.

OTR does this by changing the keys every time the conversation changes direction. Once the new key is established, it is used to encrypt and authenticate new messages, while the previous ones are erased.

The reason to securely erase this information is to get perfect forward secrecy in our instant message conversations.

Step 4: Publish MK

The final step OTR performs is to publish the MAC key. Communication participants do not need to forget since they know that they have moved over to a new MK, hence if one of them gets a message with the old MK, they will know that the message has been forged.

The old MAC keys are added to the next message that the participants send to each other, in plaintext, since they do not care if they are readable.

They publish it because doing so lets other people forge transcripts of conversations between them, which provides extra deniability to all parties.
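The four steps above can be traced in a short script. This is an added example, not code from the OTR project: the group parameters, the SHA-256 keystream standing in for AES in counter mode, the key-derivation labels and all function names are assumptions made for the demo, and the re-key is simplified to a fresh exchange by both sides.

```python
import hashlib, hmac, secrets

P, G = 2**255 - 19, 2  # assumed demo group, not OTR's real parameters

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def derive_keys(shared):
    # Both sides derive the same encryption key and MAC key from the DH result.
    s = shared.to_bytes(32, "big")
    return hashlib.sha256(b"enc" + s).digest(), hashlib.sha256(b"mac" + s).digest()

def ctr_xor(key, data):
    # Counter-mode keystream XOR. SHA-256 stands in for the AES block function
    # (assumption: the standard library has no AES). Encrypt and decrypt are the same.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(d ^ k for d, k in zip(data, stream))

def tag(mac_key, ct):
    return hmac.new(mac_key, ct, hashlib.sha256).digest()

def seal(enc_key, mac_key, plaintext, old_mac_keys=()):
    ct = ctr_xor(enc_key, plaintext)  # Step 2: encrypt first, then MAC the ciphertext
    return {"ct": ct, "tag": tag(mac_key, ct), "old_mac_keys": list(old_mac_keys)}

def verify(mac_key, msg):
    return hmac.compare_digest(tag(mac_key, msg["ct"]), msg["tag"])

def forge_transcript_line(msg, known_plain, new_plain, published_mac_key):
    # With a published MAC key and a guess at the plaintext, anyone can produce a
    # different same-length message with a valid tag, without the cipher key.
    ct = bytes(c ^ a ^ b for c, a, b in zip(msg["ct"], known_plain, new_plain))
    return {"ct": ct, "tag": tag(published_mac_key, ct), "old_mac_keys": []}

def run_session():
    # Step 1: each side contributes a DH share; the key itself is never sent.
    a, A = dh_keypair(); b, B = dh_keypair()
    assert pow(B, a, P) == pow(A, b, P)
    enc1, mac1 = derive_keys(pow(B, a, P))
    m1 = seal(enc1, mac1, b"meet at 10:00")
    # Step 3: fresh DH shares on the reply, so new keys replace the old ones.
    a, A = dh_keypair(); b, B = dh_keypair()
    enc2, mac2 = derive_keys(pow(A, b, P))
    # Step 4: the retired MAC key travels in the clear with the next message.
    m2 = seal(enc2, mac2, b"ok", old_mac_keys=[mac1])
    forged = forge_transcript_line(m1, b"meet at 10:00", b"meet at 23:59",
                                   m2["old_mac_keys"][0])
    return {
        "m1_plain": ctr_xor(enc1, m1["ct"]),
        "m1_valid": verify(mac1, m1),
        "forged_valid_under_old_key": verify(mac1, forged),
        "forged_plain": ctr_xor(enc1, forged["ct"]),
        "forged_valid_under_new_key": verify(mac2, forged),
    }
```

The forged line verifies only under the retired key, which is why a saved transcript proves nothing about who wrote it while live messages under the current key remain authenticated.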

Step 5: Socialist Millionaire Protocol (SMP)

Socialist Millionaire Protocol (SMP) solves the problem of checking if both parties are equally rich, using a shared secret only the communicating parties know of, while the adversary does not know this secret.

They use the SMP algorithm to verify that the other party knows the same shared secret, and the job of SMP is to confirm this without revealing anything else. In the end, if the secrets are not equal, the parties only learn that they are not equal. Used this way, SMP assures the two parties that they are indeed exchanging messages with the right person.
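The comparison SMP performs can be followed in code. This is an added sketch, not OTR's implementation: it runs both parties in one function, uses an assumed demo group (modulus 2**255 - 19, generator 2) and hypothetical function names, and leaves out the zero-knowledge proofs that accompany each message in OTR, so it shows only the honest-party arithmetic.

```python
import hashlib, secrets

P, G = 2**255 - 19, 2   # assumed demo group parameters
ORDER = P - 1           # exponents are taken modulo the group order

def rand_exp():
    return secrets.randbelow(ORDER - 2) + 2

def secret_to_int(secret):
    # Map the human-entered shared secret to an exponent.
    return int.from_bytes(hashlib.sha256(secret.encode()).digest(), "big") % ORDER

def div(a, b):
    # a / b in the multiplicative group modulo P.
    return a * pow(b, -1, P) % P

def smp(alice_secret, bob_secret):
    x, y = secret_to_int(alice_secret), secret_to_int(bob_secret)

    # Message 1, Alice -> Bob: two fresh DH shares.
    a2, a3 = rand_exp(), rand_exp()
    g2a, g3a = pow(G, a2, P), pow(G, a3, P)

    # Message 2, Bob -> Alice: his shares plus his secret blinded by r.
    b2, b3, r = rand_exp(), rand_exp(), rand_exp()
    g2b, g3b = pow(G, b2, P), pow(G, b3, P)
    g2_bob, g3_bob = pow(g2a, b2, P), pow(g3a, b3, P)   # joint generators g2, g3
    Pb = pow(g3_bob, r, P)
    Qb = pow(G, r, P) * pow(g2_bob, y, P) % P

    # Message 3, Alice -> Bob: her secret blinded by s, plus her half of R.
    g2_alice, g3_alice = pow(g2b, a2, P), pow(g3b, a3, P)
    s = rand_exp()
    Pa = pow(g3_alice, s, P)
    Qa = pow(G, s, P) * pow(g2_alice, x, P) % P
    Ra = pow(div(Qa, Qb), a3, P)

    # Message 4, Bob -> Alice: his half of R.
    Rb = pow(div(Qa, Qb), b3, P)

    # (Qa/Qb)^(a3*b3) equals Pa/Pb exactly when g2^(x - y) == 1, i.e. x == y.
    # On a mismatch each side sees only an unrelated group element.
    bob_accepts = pow(Ra, b3, P) == div(Pa, Pb)
    alice_accepts = pow(Rb, a3, P) == div(Pa, Pb)
    return alice_accepts, bob_accepts
```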


The Signal Protocol is designed by Moxie Marlinspike and Trevor Perrin from Open Whisper Systems. Open Whisper Systems wanted to develop a new end-to-end encryption standard which works in both synchronous and asynchronous messaging environments.

The goals of Signal include end-to-end encryption and advanced security properties such as forward secrecy and future secrecy. Initially, Signal was divided into two different applications, TextSecure and RedPhone. The former handled SMS and instant messaging, while the latter was used as an encrypted VoIP application.

TextSecure was based on the Off-the-Record Protocol: it took the ratchet from OTR and implemented a Double Ratchet, combining OTR’s asymmetric ratchet with a symmetric ratchet, and named it the Axolotl Ratchet.

Signal later combined TextSecure and RedPhone to form the new Signal application, together with the protocol of the same name. In recent years, the Signal Protocol has been adopted by numerous companies, such as WhatsApp by Facebook, the Messenger also by Facebook, and Google’s new messaging app, Allo, which was removed in March 2019.


Comparison of Secure Messaging Apps


Although all the above applications have adopted end-to-end encryption, this feature is not enabled by default on many of them, which leaves it to the user to be aware that this functionality exists and that it is not enabled by default. Additionally, not many users would know how to enable it from the application’s settings.

Another concern is how much these vendors are cooperating to share user data with intelligence agencies or track user behavior. Take, for example, WhatsApp, which is owned by Facebook and where, until recently, encryption was performed at the vendor server.

Even after WhatsApp adopted end-to-end encryption, it still logs, tracks, saves and analyses user data on the server, and Facebook’s collection of user data and user behavior and its sharing with government agencies is well known.

Therefore, although these vendors may not be able to decrypt user messages, they can still piece together the conversation from the metadata they store and use big data analytics to form a storyline of the user’s behavior. Depending on how much government agencies are interested in the target, these pieces of information and data from analytics can be used by cryptanalysts to make more sense of what was communicated. As illustrated on the comparison table, the applications that really meet the requirements of true security and privacy are Wickr and Signal, which were recommended by whistleblowers and data privacy activists.


Cyber Threats – How effective is your Cyber Security Operations?

The advancement in the technology of the world we live in today made it very easy for every business regardless of its size to reach out to places that would otherwise be very challenging to communicate with, let alone have a full business presence in.

In the past, very large organisations experienced many different types of difficulties in maintaining their businesses in different cities or keeping up with the demands of their customers who may be located in different regions.

Today we have small home-based businesses, or businesses that may not even have a physical presence in their own region, trading very successfully and easily across the globe.

A few years ago an organisation’s security operations analysts were not expected to have a great level of knowledge in the different areas of information security to be able to learn the trade and analyse what they saw on their screens. This was because abnormal behavior could in most cases easily be identified.

However, the advancements we are experiencing bring with them a wide range of different applications and services that are built into the overall infrastructure. We have a wide range of different cloud services that are interconnected with internet-facing applications that distribute their content across multiple locations in the cloud.

In one transaction these services can generate many different signatures that a couple of years ago a security analyst would have considered a clear sign of an intrusion attempt; today, however, these signatures are not enough to determine the maliciousness of the activity. This means malicious activity can easily hide in plain sight within what is now considered normal traffic in many environments.

These rapid developments aided the spike in cyber threats, their complexity and the continuous changes in the adversary’s Tactics, Techniques and Procedures (TTPs).

The information security community is observing, on a daily basis, news of many different types of organisations being breached with a variety of attack methods that range in their complexity, delivery mechanisms AND motives.

Many organisations such as SANS Institute, EC-Council, ISC2 and many more are working extremely hard to raise the level of expertise and research new methods to detect, collect and investigate breaches.

The GOOD news is that we are also observing many if not all organisations are starting to recognize how important it is to have a solid infrastructure that is built with security in mind.

Many developers are now being encouraged and educated in the methods of secure application development. Network administrators are also starting to take a security stance and work to harden their network and create that balance between Accessibility, Security and Usability.

Organisations are indeed stepping in the correct direction and have dedicated a large amount of money to securing their infrastructure and implementing a wide range of security controls, from IDPSs and SIEMs up to deception controls. However, many organisations, in their efforts to improve their security resilience, neglect to dedicate enough time to perfecting their processes and forget that cyber security is made of three important components (People, Technology and Processes) that are part of a successful ISMS.

Having well thought out processes can compensate for technological gaps or failures, while neglecting your processes can render your state-of-the-art devices useless and break communications between your teams.

Your processes can save you in moments when everything else fails.

So, what makes a perfect or a well thought out process?

2- Basic Malware Analysis – Static – Part 2

OK, continuing from Part 1, today’s tutorial will involve the following:

  1. We will look at the strings of the program using strings.exe.

  2. We will check whether the program is packed.

Examining the Program’s Strings

A string in an application is a sequence of characters such as “hello”, stored in either ASCII or Unicode format. A program may contain strings in cases such as the following:

  1. If the program prints a message.

  2. If it accesses a URL.

  3. Or if it copies a file to a certain location.

ASCII and Unicode strings use a NULL character to indicate that the string is complete.

Looking at the strings is important because the strings of a program give us important information about the program or the code’s functionality.

Strings.exe scans the program for any sequence of characters that is 3 characters or more in length, which is why it can produce results that don’t make sense. Therefore, when reading the results from strings.exe, always make note of strings that make sense as shown below:

2- Basic Malware Analysis – Static – Part 1

To perform Basic Static Analysis we need to complete several steps, which will allow us to answer some of the following questions:

  1. What the suspicious file is?

  2. What does it do?

  3. When was it made?

  4. Does it depend on other files?

  5. Does it download other files?

  6. How does it work?

  7. What type of Malware is it?

Each of the Malware Analysis stages (Basic and Advanced) will provide us answers to some of the above questions and to be able to answer them all we need to exhaust each of the stages we mentioned in the first tutorial (1- Practical Malware Analysis – Introduction).

In today’s tutorial’s case we will be performing the following:

  1. We will run the suspicious file through multiple Anti Virus scanners such as to see if the file is already known and has been flagged previously.

  2. We will create an MD5 signature of the file, which we can share with our colleagues and also use to search online for a file with the same MD5 hash.

  3. We will look at the strings of the program using strings.exe.

  4. We will check whether the program is packed.

  5. Also we will check the Portable Executable File Format (PE) header, which will provide us with valuable information about the code, the type of application, required library functions and space requirements.

  6. To end this we will examine Linked libraries and functions.


1- Practical Malware Analysis – Introduction

Hi everyone, it has been a long time since I last updated this site. It’s been a very busy and hectic time as I took on a role as an Information Security Analyst, which was 12-hour shifts, early mornings and nights, in a very busy environment.

Anyway I am really pleased to be back and thought I will start this with a series of malware analysis, where we will go through step by step.

After this series I have a number of other series to come and plenty of skills to share with you.

I will try to be brief and focus on the hands-on topics and those of you who are more interested in the details please look out for a book called: Practical Malware Analysis by Michael Sikorski and Andrew Honig. It is a great book that I’ve learned a lot from, in fact I am still using it and everything we will discuss here will be skills learned from this valuable book.

So Michael/Andrew if you are looking at this please kindly accept my thanks and appreciation for this marvellous piece of work, keep up the good work guys.

Finally don’t forget everyone, no one knows everything and we will always be learning from each other, therefore those with more experience please kindly don’t hesitate to share your knowledge with us and surely don’t hesitate to correct any mistakes you see here or any of my previous or upcoming articles.

So let’s start with laying some grounds…


2. Guidelines For Secure Network Administration – part 1

Installing networks and making sure they’re able to communicate and talk to each other is the end of it for a network administrator. There are some guidelines that many admins neglect, which exposes the network and makes it vulnerable to attacks. In this section I’ll try to cover some of these guidelines. They can be used as general security guidelines and not just for network security.

Rule-based Management

Firewalls, proxies, routers, IDPSs (IDS/IPS), antivirus, and more are examples of rule-based security devices. Rule-based management is a method of controlling network activity via the use of rule-based devices. Each rule can be either an explicit allow or an explicit deny.

1. Network Security – part 2

1.1.        Security functions of network devices – Continued

VPN Concentrator

VPN (Virtual Private Network) will be discussed in the future as a chapter of its own due to its importance in the network security world.

VPN concentrators are sometimes known by many other names such as VPN servers, VPN firewalls, VPN RAS (VPN Remote Access Servers), VPN Proxies, etc.

VPN concentrators allow for high availability, high scalability and performance for VPN connections. They’re hardware appliances designed to facilitate a large number of simultaneous VPN connections, usually hundreds or even, in some implementations, thousands.