
A Secure Instant Messaging System: Architecture and Implementation

Added on  2019/09/25

AI Summary
The importance of data security in instant messaging systems is a growing concern as technology and user expectations continue to evolve. This paper explores the requirements for a secure instant messaging system and examines the architecture of three popular applications: Skype, WhatsApp, and Viber. The analysis reveals that the choice between these options depends on the priority given to end-to-end encryption versus other security features.

<University>
SECURING INTERNET BASED INSTANT
MESSAGING
by
<Your Name>
August 12, 2016
<Lecturer’s Name and Course Number>
Investigate, analyse and discuss cryptographic issues in
part of securing systems and data.
<Your Name> 2016 1 of 12

Instant messaging allows us to communicate in real-time with text, images, audio,
video and digital files for our personal or business requirements. But are they secure?
Do the service providers care for user's privacy or something else?
SECURING INTERNET BASED INSTANT MESSAGING
Introduction
Data is the new oil. The crude oil and the internal combustion engine changed the
world's economy and way of living, and now data is doing the same for all industries,
whether high-tech or low-tech (Van't Spijker, 2014). Whatever is valuable, is worth
protecting. We need to transfer data from point A to point B, and we also need to keep
data at rest, and to do both of these securely. Thus, we have protocols, software,
hardware and laws for ensuring security and preventing 'unwanted actions of
unauthorized users' (Elçi, 2013).
There are many technical ways to ensure the security of data and systems, namely
software mechanisms like encryption, masking and erasure, hardware mechanisms
like biometric devices, and techniques like multi-factor authentication.
Security
In this paper, I will discuss security in a recent global phenomenon with
wide-reaching personal and business effects - instant messaging, and specifically
inter-platform messengers like WhatsApp, Viber, Facebook Messenger, Skype etc.
I chose this application for my research on security because of its relevance in our
personal lives. You and I both are deeply concerned about the security and privacy of
the messages we send and receive (and with whom) using instant messengers, and so
are the 3.5 billion people all over the world (Instant Messaging Statistics Report,
2015 - 2019, 2015). Something is up when the current top third-party app for locking
WhatsApp and chats on the Android platform has more than 5 million installs
(Play.google.com, 2016). The acquisition of WhatsApp by Facebook in 2014
(Deutsch, 2015) created a lot of reaction on social media, and this indicates the
attachment people have for their favourite instant messengers.
Usage of these inter-platform instant messaging apps ranges from the exchange of
sweet nothings of new couples to routine communication to intimate text and photos
in socially disapproved relations to school announcements to business
communication. Thus, for such an intimate or a business communication, we desire
security for not only the data in motion as it goes from sender to receiver, but also for
the data at rest, as it lies in the device.
The threats include snooping partners, business competitors, hackers, terrorists and
governments. 'In the face of widespread Internet surveillance, we need a secure and
practical means of talking to each other from our phones and computers' (Electronic
Frontier Foundation, 2014).
What are the Cryptographic Requirements?
We identify two main classes of uses of instant messengers - personal and business.
Personal use comprises an individual user interacting for personal purposes with
another individual or a group who do not have a common mission-oriented bonding,
but are more likely to be family and friends (Tyson and Cooper, 2001). Business use
may be described as a corporate or institutional environment composed of many users,
but all accountable and working for the mission of the same organisation (Wikipedia,
2016).
Hindocha and Chien (2016) claim that instant messaging is an up and coming threat
as a carrier for malware. They identify the threats as worms, backdoor Trojan Horses,
vulnerabilities (like common coding mistakes) or a combination in blended threats.
Also present is the risk of involuntary data disclosure as a hacker can obtain data and
files without the knowledge of the instant messenger. Techniques for hijacking and
impersonation include session cookie attacks, man-in-the-middle attacks, network
sniffing etc.
Thus, we arrive at the requirements for a secure instant messaging system (Electronic
Frontier Foundation, 2014):
1. Encrypting data in transit between all links in the communication path.
2. End-to-end encryption i.e. encrypting the data with keys which the service
provider itself is unaware of.
3. Making it possible for users to independently verify their correspondent's
identity e.g. by comparing key fingerprints.
4. Keeping past communications secure if the encryption keys are stolen (forward
secrecy).
5. Having the source code open to independent review (open source).
6. Having the software's security designs well-documented.
7. Having a recent independent security audit.
In addition, security can be increased if the service provider does not log any
information about any message, its contents or any session (Wikipedia, 2016).
Approaches Used by Different Software
Let us analyse the approaches used by WhatsApp, Viber and Skype.
WhatsApp states that since its inception, its aim has been to allow people to
communicate to solve their genuine concerns and problems, and understands that
some of the most personal moments are shared using it. It claims that for achieving
the highest level of privacy and security, it uses end-to-end encryption
(WhatsApp.com, 2016) which is based on a protocol called The Signal Protocol
(WhatsApp Encryption Overview, 2016). This protocol prevents anyone except the
sender and receiver from reading the message and has forward secrecy, i.e. if keys are
compromised, earlier encrypted messages cannot be decrypted. WhatsApp never has
access to the private keys of users. After the initial key exchange, the protocol
manages the ongoing renewal and maintenance of short-lived session keys using what
is known as the Double Ratchet algorithm. For public keys, it uses Curve25519 key pairs
in three categories (identity key pair, signed pre key and one-time pre key). Session
keys are likewise used in three categories, of 32 or 80 bytes in length. In addition, for peace of mind
and confidence, WhatsApp allows verification of the end-to-end encryption to rule out
any man-in-the-middle attack. This can be done by scanning a QR code, or comparing
a 60-digit number. Finally, the protocol used is open source and available at GitHub
(2016).
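The following sketch is an added example, not code from this paper or from WhatsApp. It shows how a 60-digit comparison code of the kind described above can be derived from both parties' public identity keys and why a substituted key makes the two displayed codes disagree. The iteration count, byte layout, sample keys and all function names are assumptions chosen for illustration, and the output is not interoperable with any real messenger.

```python
import hashlib

ITERATIONS = 5200  # assumed work factor for this illustration


def fingerprint(identity_key, user_id, iterations=ITERATIONS):
    """Hash one party's public identity key and identifier down to 30 decimal digits."""
    digest = identity_key + user_id
    for _ in range(iterations):
        digest = hashlib.sha512(digest + identity_key).digest()
    # First 30 bytes -> six 5-byte chunks -> each rendered as 5 digits.
    chunks = (digest[i:i + 5] for i in range(0, 30, 5))
    return "".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)


def comparison_code(local, remote):
    """60-digit code from two (identity_key, user_id) pairs.

    Sorting the two halves makes the result independent of which side computes it.
    """
    halves = sorted([fingerprint(*local), fingerprint(*remote)])
    return "".join(halves)


def grouped(code):
    """Format as twelve groups of five digits for reading aloud."""
    return " ".join(code[i:i + 5] for i in range(0, len(code), 5))


def keys_verified(code_on_a, code_on_b):
    """The out-of-band check: the codes shown on both devices must be identical."""
    return code_on_a == code_on_b


# Constructed sample data: 32-byte stand-ins for Curve25519 public identity keys.
ALICE = (hashlib.sha256(b"alice-identity").digest(), b"+15550100")
BOB = (hashlib.sha256(b"bob-identity").digest(), b"+15550101")
# Key substituted by a party in the middle, presented to Alice under Bob's identifier.
INTERPOSED = (hashlib.sha256(b"interposed-identity").digest(), b"+15550101")

if __name__ == "__main__":
    honest_a = comparison_code(ALICE, BOB)   # what Alice's device displays
    honest_b = comparison_code(BOB, ALICE)   # what Bob's device displays
    print(grouped(honest_a), keys_verified(honest_a, honest_b))
    tampered_a = comparison_code(ALICE, INTERPOSED)
    print(grouped(tampered_a), keys_verified(tampered_a, honest_b))
```

The check only helps if the two codes are compared over a channel the intermediary does not control, such as in person or by scanning the QR code.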
Viber states that it is committed to user privacy and security and thus has introduced
end-to-end encryption (Viber, 2016). Viber's implementation uses the same
Double Ratchet protocol as used by Open Whisper Systems, which is used by
WhatsApp; however, Viber claims that its implementation has been coded from
scratch and does not share the code used by WhatsApp (Viber, 2016). The
technologies used are the same, which is understandable as their source
specifications are the same, even if the implementations are different.
Skype takes data security and privacy lightly: although it employs encryption, it is
not end-to-end encryption (as in WhatsApp and Viber), and Skype gives preference to
government monitoring, as when 'Microsoft handed the NSA [National Security
Agency] access to encrypted messages' (Greenwald et al., 2013). Thus, from a user's
point of view, I discourage Skype for anything but the most banal of conversations. In
addition, there appears to be a backdoor by design in Skype, as Austrian police have
claimed they can listen to any Skype connection (Leyden, 2008). However, let us
analyse its technical implementation. It uses 256-bit AES (Advanced Encryption
Standard) encryption, but when calling a telephone or mobile, the part of the call over
PSTN (Public Switched Telephone Network) is not encrypted. For each call, Skype
creates a session with a 256-bit session key. This session exists as long as
communication continues and for a fixed time afterward. As part of connecting a call,
Skype securely transmits the session key to the call recipient. That session key is then
used to encrypt messages in both directions (Wikipedia, 2016).
Advantages and Disadvantages of Various Cryptographic Methods Used
In our analysis of some of the instant messaging software, we came across some
cryptographic methods. Now, let us evaluate them and see their advantages and
disadvantages.
AES (Advanced Encryption Standard) is a symmetric key encryption (i.e. the same key
is used to encrypt and decrypt), and thus the key needs to be kept a secret. This makes
AES extremely secure and relatively fast, but it carries the burden of sharing the key
with the other party, and all encrypted data potentially becomes decipherable in
case the key is compromised (Techin.oureverydaylife.com, 2016).
Elliptic Curve Cryptography (e.g. Curve25519 key pairs) is '...one of the most
powerful...' types of cryptography (Sullivan, 2013). This is among the best
technologies, as breaking it would require solving a mathematical problem on which
we have not made any major progress since 1985 (Sullivan, 2014). Now, if we cannot
form an algorithm for something, then how can a machine process it? Thus, the security
industry and academia are currently confident in this technology.
The Double Ratchet algorithm is specifically designed for instant messaging, and has
the property of forward secrecy (i.e. compromise of keys will not allow decryption of
past messages) as well as automatically re-establishing secrecy after a compromise
of a session key. The developers refer to the algorithm as 'self-healing'
(Whispersystems.org, 2013). The algorithm has found usage in popular applications
like WhatsApp and Viber, and is being tested in Facebook Messenger in an optional mode
called "secret conversations" (Greenberg, 2016).
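The sketch below is an added example, not code from this paper or from any messenger. It models the two properties described here and in the WhatsApp discussion earlier: a one-way chain of short-lived keys (forward secrecy) and the mixing in of a fresh Diffie-Hellman secret ('self-healing'). It assumes HMAC-SHA256 chains, 32-byte keys throughout, fixed or random bytes standing in for Curve25519 shared secrets, and hypothetical class and function names; it simulates theft of the chain key only.

```python
import hashlib
import hmac
import os


def kdf_ck(chain_key):
    """Symmetric ratchet step: one-way derive (next chain key, message key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain, message_key


def kdf_rk(root_key, dh_output, info=b"demo-ratchet"):
    """Root ratchet step: HKDF-SHA256 salted with the old root key, fed a fresh DH output."""
    prk = hmac.new(root_key, dh_output, hashlib.sha256).digest()       # extract
    new_root = hmac.new(prk, info + b"\x01", hashlib.sha256).digest()  # expand, block 1
    new_chain = hmac.new(prk, new_root + info + b"\x02", hashlib.sha256).digest()
    return new_root, new_chain


class SendingRatchet:
    """Sender side only; hypothetical class name."""

    def __init__(self, root_key, dh_output):
        self.root_key, self.chain_key = kdf_rk(root_key, dh_output)

    def next_message_key(self):
        # The old chain key is overwritten, so earlier message keys cannot be rebuilt.
        self.chain_key, message_key = kdf_ck(self.chain_key)
        return message_key

    def dh_ratchet(self, dh_output):
        # Mixes in a secret the attacker never saw: the "self-healing" step.
        self.root_key, self.chain_key = kdf_rk(self.root_key, dh_output)


def simulate_compromise(dh1=None, dh2=None):
    """Report what an attacker who steals the chain key after message 3 can derive."""
    dh1 = dh1 or os.urandom(32)   # stand-ins for DH shared secrets (constructed)
    dh2 = dh2 or os.urandom(32)
    ratchet = SendingRatchet(bytes(32), dh1)   # all-zero root key is sample data
    past_keys = [ratchet.next_message_key() for _ in range(3)]
    stolen = ratchet.chain_key                 # state captured by the attacker

    # Everything the attacker can compute by running the stolen chain forward.
    derivable, ck = set(), stolen
    for _ in range(100):
        ck, mk = kdf_ck(ck)
        derivable.add(mk)

    msg4 = ratchet.next_message_key()          # same chain: exposed
    ratchet.dh_ratchet(dh2)                    # fresh DH secret mixed in
    msg5 = ratchet.next_message_key()          # new chain: protected again
    return {
        "past_exposed": any(k in derivable for k in past_keys),
        "next_exposed": msg4 in derivable,
        "healed_exposed": msg5 in derivable,
    }


if __name__ == "__main__":
    print(simulate_compromise())
```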
Evaluation and Comparison of Different Approaches
Instant messengers can be peer-to-peer or client-server, depending upon the protocol
they implement. Both provide their own capabilities and we saw examples of
successful products implementing both of them. The difference manifests in whose
interests take priority - the users' or the service provider's/government's.
In a peer-to-peer approach, the service provider is only helpful in brokering the initial
connection between the sender and receiver. No user data (text, images, audio, video,
files etc) passes through the server; it reaches the receiver device directly. This approach
allows for implementation of end-to-end encryption, which means that no one (not
even the service provider) is aware of the key required for decrypting the messages.
Thus by skipping the server for any data transfer, any chance of unauthorised access
by staff, or by government is precluded. In addition, the burden on the server for
resources is reduced. A popular implementation of this approach is WhatsApp (Dunn,
2016).
In a client-server approach, every message is sent to the service provider, which then
sends it to the recipient. Now, messages in the first leg of their journey from sender
device to server may or may not be encrypted, and similarly when they are rerouted to
the receiver may or may not be encrypted. In another variation, messages may be
encrypted but allow the server to decrypt and read the messages. Thus, the client-
server model allows for the possibility of unauthorised staff, or the government to
snoop on any communication without much difficulty. A popular implementation of
this approach is Skype. Needless to say, Skype has been criticised for its underhand
approach to user privacy and security (Leyden, 2008).
It is my evaluation that a client-server architecture should only be used (if a secure
alternative is not available or suitable) for routine communication, something which
you would not much mind becoming public, and that an end-to-end encrypted
(peer-to-peer) architecture should be preferred for anything secret or private. For
client-server, the recommendation is Skype and for end-to-end encrypted, the
recommendation is WhatsApp.
Conclusion
The stack of technology and the user expectations keep getting higher. Instant
messaging over a wide variety of devices and software is a part of life in all industrial
countries. When people and businesses communicate, certain concerns and
responsibilities of the service providers come into question. Security of data and
systems is important.
In this paper, we looked into the importance of data and the security of data with
regard to instant messengers. We analysed the requirements of a secure instant
messaging system and then explored the architecture of three popular applications. We
also noticed how the priority leads a service provider to choose between the
two approaches to implementing the instant messaging service.
Reference List
Techin.oureverydaylife.com. (2016). Advantages & Disadvantages of
Symmetric Key Encryption | Tech in - Our Everyday Life. [online] Available
at: http://techin.oureverydaylife.com/advantages-disadvantages-symmetric-
key-encryption-2609.html [Accessed 12 Aug. 2016].
Deutsch, A. (2015). WhatsApp: The Best Facebook Purchase Ever? |
Investopedia. [online] Investopedia. Available at:
http://www.investopedia.com/articles/investing/032515/whatsapp-best-
facebook-purchase-ever.asp [Accessed 12 Aug. 2016].
Dunn, J. (2016). WhatsApp’s end-to-end encryption explained: What is it and
does it matter?. [online] Techworld. Available at:
http://www.techworld.com/security/whatsapps-end-end-encryption-
explained-what-is-it-does-it-matter-3637803/ [Accessed 12 Aug. 2016].
Elçi, A. (2013). Theory and practice of cryptography solutions for secure
information systems. Hershey, PA: Information Science Reference, p.107.
Greenberg, A. (2016). By this fall, your Facebook messages will have end-to-
end encryption---if you turn it on.. [online] WIRED. Available at:
https://www.wired.com/2016/07/secret-conversations-end-end-encryption-
facebook-messenger-arrived/ [Accessed 12 Aug. 2016].
Greenwald, G., Ackerman, S., Poitras, L., MacAskill, E. and Rushe, D. (2013).
Microsoft handed the NSA access to encrypted messages. [online] the
Guardian. Available at:
https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-
collaboration-user-data [Accessed 12 Aug. 2016].
Hindocha, N. and Chien, E. (2016). Malicious Threats and Vulnerabilities in
Instant Messaging. 1st ed. [ebook] Symantec Corporation. Available at:
https://www.symantec.com/avcenter/reference/malicious.threats.instant.mes
saging.pdf [Accessed 12 Aug. 2016].
Instant Messaging Statistics Report, 2015 - 2019. (2015). 1st ed. [ebook] The
Radicati Group, Inc., p.3. Available at: http://www.radicati.com/wp/wp-
content/uploads/2015/02/Instant_Messaging_Statistics_Report_2015-
2019_Executive_Summary.pdf [Accessed 12 Aug. 2016].
Leyden, J. (2008). Austrian official fuels Skype backdoor rumours. [online]
Theregister.co.uk. Available at:
http://www.theregister.co.uk/2008/07/25/skype_backdoor_rumours/
[Accessed 12 Aug. 2016].
Play.google.com. (2016). Messenger and Chat Lock - Android Apps on
Google Play. [online] Available at:
https://play.google.com/store/apps/details?id=com.whatsapplock&hl=en
[Accessed 12 Aug. 2016].
Whispersystems.org. (2013). Open Whisper Systems >> Blog >> Advanced
cryptographic ratcheting. [online] Available at:
https://whispersystems.org/blog/advanced-ratcheting/ [Accessed 12 Aug.
2016].
Wikipedia. (2016). Secure instant messaging. [online] Available at:
https://en.wikipedia.org/wiki/Secure_instant_messaging [Accessed 12 Aug.
2016].
Electronic Frontier Foundation. (2014). Secure Messaging Scorecard. [online]
Available at: https://www.eff.org/node/82654 [Accessed 12 Aug. 2016].
Wikipedia. (2016). Skype security. [online] Available at:
https://en.wikipedia.org/wiki/Skype_security [Accessed 12 Aug. 2016].
Sullivan, N. (2013). A (Relatively Easy To Understand) Primer on Elliptic
Curve Cryptography. [online] CloudFlare. Available at:
https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-
elliptic-curve-cryptography/ [Accessed 12 Aug. 2016].
Sullivan, N. (2014). ECDSA: The digital signature algorithm of a better
internet. [online] CloudFlare. Available at:
https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-
better-internet/ [Accessed 12 Aug. 2016].
Tyson, J. and Cooper, A. (2001). How Instant Messaging Works. [online]
HowStuffWorks. Available at: http://computer.howstuffworks.com/e-mail-
messaging/instant-messaging.htm [Accessed 12 Aug. 2016].
Van't Spijker, A. (2014). The new oil. Basking Ridge, NJ: Technics
Publications, p.3.
Viber. (2016). Viber - Free Calls and Messages.. [online] Available at:
http://www.viber.com/en/security-overview [Accessed 12 Aug. 2016].
Viber. (2016). Viber Security FAQ. [online] Available at:
https://support.viber.com/customer/portal/articles/2017401-viber-security-
faq [Accessed 12 Aug. 2016].
WhatsApp.com. (2016). WhatsApp :: Security. [online] Available at:
https://www.whatsapp.com/security/ [Accessed 12 Aug. 2016].
WhatsApp Encryption Overview. (2016). 1st ed. [ebook] WhatsApp.
Available at: https://www.whatsapp.com/security/WhatsApp-Security-
Whitepaper.pdf [Accessed 12 Aug. 2016].
GitHub. (2016). WhisperSystems/libsignal-protocol-java. [online] Available
at: https://github.com/whispersystems/libsignal-protocol-java/ [Accessed 12
Aug. 2016].