+1-817-968-5551
+61-488-839-671
+44-7480-542904About Expert
Key Topics
Requirement
Question: Instant messaging allows us to communicate in real-time with text, images, audio, video and digital files for our personal or business requirements. But are they secure? Do the service providers care for user's privacy or something else?
Solution
SECURING INTERNET-BASED INSTANT MESSAGING
Introduction
Data is the new oil. The crude oil and the internal combustion engine changed the world's economy and way of living, and now data is doing the same for all industries, whether high-tech or low-tech (Van't Spijker, 2014). Whatever is valuable, is worth protecting. We need to transfer data from point A to point B, and we also need to keep data at rest, and to do both of these securely. Thus, we have protocols, software, hardware and laws for ensuring security and preventing 'unwanted actions of unauthorized users' (Elc?i, 2013).
There are many technical ways to ensure security of data and systems namely software mechanisms like encryption, masking, erasure and hardware mechanisms like biometric devices, and techniques like multi-factor authentication.
Writing Assignment and completing it on time is not an easy job. If you forget to write your assignment you can take urgent essay help from Allassignmenthelp.com. We are a team of professional assignment writers who are talented enough to deliver a plagiarism-free assignment within the given frame. On our website, the students can get information technology assignment help at a very affordable price.
Security
In this paper, I will discuss security in a recent global phenomenon with wide-reaching personal and business effects - instant messaging, and specifically on inter-platform messengers like WhatsApp, Viber, Facebook Messenger, Skype, etc.
I chose this application for my research on security because of its relevance in our personal lives. You and I both are deeply concerned about the security and privacy of the messages we send and receive (and with whom) using instant messengers, and so are the 3.5 billion people all over the world (Instant Messaging Statistics Report , 2015 - 2019, 2015) . Something is up when the current top third-party app for locking WhatsApp and chats on Android platform has more than 5 million installs (Play.google.com, 2016) . The acquisition of WhatsApp by Facebook in 2014 (Deutsch, 2015) created a lot of reaction on social media, and this indicates the attachment people have for their favourite instant messengers.
Usage of these inter-platform instant messaging apps range from the exchange of sweet nothings of new couples to routine communication to intimate text and photos in socially disapproved relations to school announcements to business communication. Thus, for such an intimate or a business communication, we desire security for not only the data in motion as it goes from sender to receiver, but also for the data at rest, as it lies in the device.
The threats include snooping partners, business competitors, hackers, terrorists and governments. 'In the face of widespread Internet surveillance, we need a secure and practical means of talking to each other from our phones and computers' (Electronic Frontier Foundation, 2014).
What are the Cryptographic Requirements?
We identify two main classes of uses of instant messengers - personal and business. Personal use comprises of an individual user interacting for personal purposes with another individual or a group who do not have a common mission-oriented bonding, but are more likely to be family and friends (Tyson and Cooper, 2001). Business use may be described as a corporate or institutional environment composed of many users, but all accountable and working for the mission of the same organisation (Wikipedia, 2016).
Hindocha and Chien (2016) claim that instant messaging is an up and coming threat as a carrier for malware. They identify the threats as worms, backdoor Trojan Horses, vulnerabilities (like common coding mistakes) or a combination in blended threats. Also present is the risk of involuntary data disclosure as a hacker can obtain data and files without the knowledge of the instant messenger. Techniques for hijacking and impersonation include session cookie attacks, man-in-the-middle attacks, network sniffing etc.
Thus, we arrive at the requirements for a secure instant messaging system (Electronic Frontier Foundation, 2014):
-
1. Encrypting data in transit between all links in the communication path.
-
2. End-to-end encryption i.e. encrypting the data with keys which the service provider itself is unaware of.
-
3. Making it possible for users to independently verify their correspondent's identity e.g. by comparing key fingerprints.
-
4. Having past communications secure if the encryption keys are stolen (forward secrecy)
-
5. Having the source code open to independent review (open source).
-
6. Having the software's security designs well-documented.
-
7. Having a recent independent security audit.
In addition, security can be increased if the service provider does not log any information about any message, its contents or any session (Wikipedia, 2016).
Approaches Used by Different Software
Let us analyse the approaches used by WhatsApp, Viber and Skype.
WhatsApp states that since its inception, its aim has been to allow people to communicate to solve their genuine concerns and problems, and understands that some of the most personal moments are shared using it. It claims that for achieving the highest level of privacy and security, it uses end-to-end encryption (WhatsApp.com, 2016) which is based on a protocol called The Signal Protocol (WhatsApp Encryption Overview, 2016). This protocol prevents anyone except the sender and receiver to read the message and has forward secrecy i.e. if keys are compromised, earlier encrypted messages cannot be decrypted. WhatsApp never has access to the private keys of users. Also, after the initial key exchange it manages the ongoing renewal and maintenance of short-lived session keys, known as The Double Ratchet algorithm. For implementation of public keys, it uses Curve25519 key pairs in three categories (identity key pair, signed pre key and one-time). Also, session keys are used in three categories of 32 or 80 bytes length. In addition, for peace of mind and confidence, WhatsApp allows verification of the end-to-end encryption to rule out any man-in-the-middle attack. This can be done by scanning a QR code, or comparing a 60-digit number. Finally, the protocol used is open source and available at GitHub (2016).
Viber states that it is committed to user privacy and security and thus has introduced end-to-end encryption (Viber, 2016). Viber's implementation uses the same The Double Ratchet protocol as used by Open Whisper Systems which is used by WhatsApp, however Viber claims that their implementation has been coded from scratch and does not share the code as used by WhatsApp (Viber, 2016). The technologies used which is understandable as their source specifications as same, even if the implementations are different.
Skype take data security and privacy lightly and though it employs encryption but it is not end-to-end encryption (like WhatsApp and Viber), and Skype gives preference to government monitoring, as when 'Microsoft handed the NSA[National Security Agency] access to encrypted messages' (Greenwald et al., 2013). Thus, from a user's point of view, I discourage Skype for anything but the most banal of conversations. In addition, there appears to be backdoor by design in Skype as Austrian police has claimed they can listen to any Skype connection (Leyden, 2008). However, let us analyse its technical implementation. It uses 256 bit AES (Advanced Encryption Standard) encryption, but when calling a telephone or mobile, the part of call over PSTN (Public Switched Telephone Network) is not encrypted. For each call, Skype creates a session with a 256-bit session key. This session exists as long as communication continues and for a fixed time afterward. As part of connecting a call, Skype securely transmits the session key to the call recipient. That session key is then used to encrypt messages in both directions (Wikipedia, 2016).
Advantages and Disadvantages of Various Cryptographic Methods Used
In our analysis of some of the instant messaging software, we came across some cryptographic methods. Now, let us evaluate them and see their advantages and disadvantages.
AES (Advanced Encryption System) is a symmetric key encryption (i.e. the same key is used to encrypt and decrypt), and thus the key needs to be kept a secret. This makes AES extremely secure, relatively fast but with the burden of sharing the key with the other party and having the potential that all encrypted data becomes decipherable in case the key is compromised (Techin.oureverydaylife.com, 2016).
Elliptic Curve Cryptography (e.g. Curve25519 key pairs etc) is '...one of the most powerful...' types of cryptography. (Sullivan, 2013). This is among the best technologies as breaking it would require to solve a mathematical problem on which we have not made any major progress since 1985 (Sullivan, 2014). Now, if we cannot form an algorithm of something, then how can a machine process it. Thus, the security industry and academia is currently confident of this technology.
The Double Ratchet algorithm is specifically designed for instant messaging, and has the property of forward secrecy (i.e. compromise of keys will not allow decryption of past messages) as well as automatically establishing secrecy in case of a compromise in session key. The developers refer to the algorithm as 'self-healing' (Whispersystems.org, 2013). The algorithm has found usage in popular applications like WhatsApp, Viber, is being tested in Facebook Messenger in an optional mode called "secret conversations" (Greenberg, 2016).
Evaluation and Comparison of Different Approaches
Instant messengers can be peer-to-peer or client-server, depending upon the protocol they implement. Both provide their own capabilities and we saw examples of successful products implementing both of them. The difference manifests in whose interests are priority - the users' or the service provider/government.
In a peer-to-peer approach, the service provider is only helpful in brokering the initial connection between the sender and receiver. No user data (text, images, audio, video, files etc) pass through the server and directly reach the receiver device. This approach allows for implementation of end-to-end encryption which means that no one (not even the service provider) is aware of the key required for decrypting the messages. Thus by skipping the server for any data transfer, any chance of unauthorised access by staff, or by government is precluded. In addition. the burden on server for resources is reduced. A popular implementation of this approach is WhatsApp (Dunn, 2016).
In client-server approach, every message is sent to the service provider, which then sends it to the recipient. Now, messages in the first leg of their journey from sender device to server may or may not be encrypted, and similarly when they are rerouted to the receiver may or may not be encrypted. In another variation, messages may be encrypted but allow the server to decrypt and read the messages. Thus, the client-server model allows for the possibility of unauthorised staff, or the government to snoop on any communication without much difficulty. A popular implementation of this approach is Skype. Needless to say, Skype has been criticised for its underhand approach to user privacy and security (Leyden, 2008).
It is my evaluation that client-server architecture should only be used (if a secure alternative is not available or suitable) for routine communication, something which you will not mind much if it becomes public and prefer end-to-end encrypted (in a peer-to-peer) architecture for anything secret or private. For client-server, the recommendation is Skype and for end-to-end encrypted, the recommendation is WhatsApp.
Conclusion
The stack of technology and the user expectations keep getting higher. Instant messaging over a wide variety of devices and software is a part of life in all industrial countries. When people and businesses communicate, certain concerns and responsibilities of the service providers come into question. Security of data and systems is important.
In this paper, we looked into the importance of data and the security of data with regards to instant messengers. We analysed the requirements of a secure instant messaging system and then explored the architecture of three popular software. We also noticed how the priority leads a service provider to choose between one of the two approaches to implementing the instant messaging service.
Place Order For A Top Grade Assignment Now
We have some amazing discount offers running for the students
Place Your OrderReference List
-
Techin.oureverydaylife.com. (2016). Advantages & Disadvantages of Symmetric Key Encryption | Tech in - Our Everyday Life. [online] Available at: http://techin.oureverydaylife.com/advantages-disadvantages-symmetric-key-encryption-2609.html [Accessed 12 Aug. 2016].
-
Deutsch, A. (2015). WhatsApp: The Best Facebook Purchase Ever? | Investopedia. [online] Investopedia. Available at: http://www.investopedia.com/articles/investing/032515/whatsapp-best-facebook-purchase-ever.asp [Accessed 12 Aug. 2016].
-
Dunn, J. (2016). WhatsApp’s end-to-end encryption explained: What is it and does it matter?. [online] Techworld. Available at: http://www.techworld.com/security/whatsapps-end-end-encryption-explained-what-is-it-does-it-matter-3637803/ [Accessed 12 Aug. 2016].
-
Elc?i, A. (2013). Theory and practice of cryptography solutions for secure information systems. Hershey, PA: Information Science Reference, p.107.
-
Greenberg, A. (2016). By this fall, your Facebook messages will have end-to-end encryption---if you turn it on.. [online] WIRED. Available at: https://www.wired.com/2016/07/secret-conversations-end-end-encryption-facebook-messenger-arrived/ [Accessed 12 Aug. 2016].
-
Greenwald, G., Ackerman, S., Poitras, L., MacAskill, E. and Rushe, D. (2013). Microsoft handed the NSA access to encrypted messages. [online] the Guardian. Available at: https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data [Accessed 12 Aug. 2016].
-
Hindocha, N. and Chien, E. (2016). Malicious Threats and Vulnerabilities in Instant Messaging. 1st ed. [ebook] Symantec Corporation. Available at: https://www.symantec.com/avcenter/reference/malicious.threats.instant.messaging.pdf [Accessed 12 Aug. 2016].
-
Instant Messaging Statistics Report , 2015 - 2019. (2015). 1st ed. [ebook] The Radicati Group, Inc., p.3. Available at: http://www.radicati.com/wp/wp-content/uploads/2015/02/Instant_Messaging_Statistics_Report_2015-2019_Executive_Summary.pdf [Accessed 12 Aug. 2016].
-
Leyden, J. (2008). Austrian official fuels Skype backdoor rumours. [online] Theregister.co.uk. Available at: http://www.theregister.co.uk/2008/07/25/skype_backdoor_rumours/ [Accessed 12 Aug. 2016].
-
Play.google.com. (2016). Messenger and Chat Lock - Android Apps on Google Play. [online] Available at: https://play.google.com/store/apps/details?id=com.whatsapplock&hl=en [Accessed 12 Aug. 2016].
-
Whispersystems.org. (2013). Open Whisper Systems >> Blog >> Advanced cryptographic ratcheting. [online] Available at: https://whispersystems.org/blog/advanced-ratcheting/ [Accessed 12 Aug. 2016].
-
Wikipedia. (2016). Secure instant messaging. [online] Available at: https://en.wikipedia.org/wiki/Secure_instant_messaging [Accessed 12 Aug. 2016].
-
Electronic Frontier Foundation. (2014). Secure Messaging Scorecard. [online] Available at: https://www.eff.org/node/82654 [Accessed 12 Aug. 2016].
-
Wikipedia. (2016). Skype security. [online] Available at: https://en.wikipedia.org/wiki/Skype_security [Accessed 12 Aug. 2016].
-
Sullivan, N. (2013). A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography. [online] CloudFlare. Available at: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/ [Accessed 12 Aug. 2016].
-
Sullivan, N. (2014). ECDSA: The digital signature algorithm of a better internet. [online] CloudFlare. Available at: https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/ [Accessed 12 Aug. 2016].
-
Tyson, J. and Cooper, A. (2001). How Instant Messaging Works. [online] HowStuffWorks. Available at: http://computer.howstuffworks.com/e-mail-messaging/instant-messaging.htm [Accessed 12 Aug. 2016].
-
Van't Spijker, A. (2014). The new oil. Basking Ridge, NJ: Technics Publications, p.3.
-
Viber. (2016). Viber - Free Calls and Messages.. [online] Available at: http://www.viber.com/en/security-overview [Accessed 12 Aug. 2016].
-
Viber. (2016). Viber Security FAQ. [online] Available at: https://support.viber.com/customer/portal/articles/2017401-viber-security-faq [Accessed 12 Aug. 2016].
-
WhatsApp.com. (2016). WhatsApp :: Security. [online] Available at: https://www.whatsapp.com/security/ [Accessed 12 Aug. 2016].
-
WhatsApp Encryption Overview. (2016). 1st ed. [ebook] WhatsApp. Available at: https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf [Accessed 12 Aug. 2016].
-
GitHub. (2016). WhisperSystems/libsignal-protocol-java. [online] Available at: https://github.com/whispersystems/libsignal-protocol-java/ [Accessed 12 Aug. 2016].
Give your grades a boost
Just share your requirements and get customized solutions on time.
-
1,168,768 Orders
-
4.9/5 Overall Rating
-
5,052 Experts
