SoK: An Analysis of End-to-End Encryption and Authentication

Ceremonies in Secure Messaging Systems

Mashari Alatawi Nitesh Saxena
Texas A&M University Texas A&M University
College Station, Texas, USA College Station, Texas, USA
[email protected] [email protected]
ABSTRACT ACM Reference Format:
Instant-messaging (IM) and voice over IP (VoIP) applications like Mashari Alatawi and Nitesh Saxena. 2023. SoK: An Analysis of End-to-End
Encryption and Authentication Ceremonies in Secure Messaging Systems. In
WhatsApp, Zoom, and Skype have made people extremely reliant
Proceedings of the 16th ACM Conference on Security and Privacy in Wireless
on online communications for their audio, video, and text conver- and Mobile Networks (WiSec ’23), May 29-June 1, 2023, Guildford, United
sations. Since more people are using these platforms to talk to each Kingdom. ACM, New York, NY, USA, 15 pages. https://doi.org/10.1145/
other and share sensitive information, many ongoing concerns have 3558482.3581773
been raised about how the government and law enforcement moni-
tor these platforms. Due to these concerns, the need for a method 1 INTRODUCTION
to secure confidential messages and electronic conversations has
End-to-end encryption (E2EE) ensures that the contents of a mes-
grown. This solution could be achieved by implementing an end-to-
sage are unintelligible to anyone except the sender and the intended
end encryption (E2EE) system without relying on any first or third
recipient, preventing service providers, government surveillance
parties, such as an online service or a centralized infrastructure
programs, or man-in-the-middle (MitM) attackers from reading the
like a public key infrastructure (PKI), which may be attacked, mali-
exchanged messages. After the Snowden revelations about gov-
cious, or coerced by law enforcement and government surveillance
ernment snooping in 2013 [56], more instant messaging (IM) and
programs. In this systematization of knowledge paper, we first in-
voice over IP (VoIP) applications claimed to support E2EE. How-
troduce the most popular E2EE apps, including their underlying
ever, these IM and VoIP apps are susceptible to numerous forms of
E2EE messaging protocols. Then, based on the existing research
attack, including MitM and eavesdropping attacks [6, 72]. Govern-
literature, we investigate and systematize their E2EE features, in-
ment agencies, hackers, and even IM and VoIP service providers
cluding their underlying authentication ceremonies. Even though
could monitor these apps to conduct surveillance programs or steal
many research studies have examined some messaging services,
sensitive information [5, 10].
we analyze and evaluate a broader set of the most popular E2EE
The community of security researchers began considering pri-
apps and their underlying authentication ceremonies. Based on
vate chat apps and secure online communication systems long ago.
our evaluation, we have determined that all current E2EE apps,
In 2004, the off-the-record (OTR) protocol was proposed to provide
particularly when operating in opportunistic E2EE mode, are in-
E2EE [4]. It has been implemented as a plugin in common IM clients
capable of repelling active man-in-the-middle (MitM) attacks. In
such as Pidgin [44], but it is not widely used due to usability issues
addition, we find that none of the current E2EE apps provide better
[55, 62]. In 2013, Snowden’s revelations increased public awareness
and more usable authentication ceremonies, resulting in insecure
of underlying privacy concerns [35]. Consequently, other alter-
E2EE communications against active MitM attacks. The conclu-
natives have emerged in the form of new encrypted messaging
sions of this systematization paper could influence future research
systems that provide E2EE communications by adopting and ex-
in the field, including any improvements to the implementation of
panding the OTR protocol. Open Whisper Systems released Signal,
E2EE systems and authentication ceremonies that provide powerful
a new breakthrough E2EE protocol, in 2013 to provide E2EE as well
protections against eavesdropping and MitM attacks.
as advanced security features such as forward secrecy and future
secrecy [7, 16]. Signal was designed to enable both synchronous and
CCS CONCEPTS
asynchronous messaging environments [36]. The Signal protocol
• Security and privacy; has been used by other IM and VoIP apps in recent years, including
Signal and WhatsApp. Google is now implementing E2EE for rich
KEYWORDS communication services (RCSs) in Android Messages, and Zoom
E2EE apps, authentication ceremony, MitM attacks has also recently implemented it for meetings [3, 29]. Despite the
fact that numerous IM and VoIP apps have included E2EE features,
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed they vary in terms of their security and usability properties, privacy
for profit or commercial advantage and that copies bear this notice and the full citation concepts, threat models, and security claims [62].
on the first page. Copyrights for components of this work owned by others than the Our Contributions: Our contributions in this work are two fold.
author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or
republish, to post on servers or to redistribute to lists, requires prior specific permission First, we examine the most popular E2EE apps [11, 14, 15, 20, 27,
and/or a fee. Request permissions from [email protected]. 32, 33, 39, 40, 51, 53, 54, 58, 60, 66, 69–71, 74] and their underlying
WiSec ’23, May 29-June 1, 2023, Guildford, United Kingdom E2EE messaging protocols. Based on the current research litera-
© 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ACM ISBN 978-1-4503-9859-6/23/05. . . $15.00 ture [1, 4, 7, 9, 16, 17, 21, 26, 36, 47–50, 57, 64], we then scrutinize
https://doi.org/10.1145/3558482.3581773 and systematize their E2EE features, including their underlying

187
WiSec ’23, May 29-June 1, 2023, Guildford, United Kingdom Mashari Alatawi & Nitesh Saxena

authentication ceremonies. Specifically, we examine the most cru- • Perfect Forward Secrecy: It guarantees that data that has
cial aspect of key management, i.e., verifying and authenticating already been encrypted cannot be decrypted, even if all the
key fingerprints (an authentication ceremony), and whether the key materials are compromised.
verification process is susceptible to human errors, which could • Future Secrecy: It is also called backward secrecy, which en-
lead to MitM attacks. We also investigate and systematize the secu- sures that encrypted data cannot be decrypted in the future,
rity and usability of authentication ceremonies used in E2EE apps. even if all the key materials are compromised.
Even though several research studies have been done to explore • Deniability: To achieve this property, both conversation
popular messaging services in terms of their security, usability, parties must be able to deny that they sent or made a message.
and adoption, this work will examine a broader set of the most This makes it impossible for other people to prove that a
popular E2EE apps and their underlying authentication ceremonies. certain message was sent by a certain conversation party.
The outcomes of this systematization paper could provide valu-
able suggestions for future research to strengthen current E2EE 2.3 Threat Model
implementations and enhance authentication ceremonies in E2EE Inspired by a comprehensive survey on secure messaging by Unger
systems. et al. [62], we assume the existence of the following attackers:
• Local Adversary: An (active/passive) attacker who can con-
2 BACKGROUND
trol local networks on either side of a conversation, such as
2.1 State-of-the-Art End-to-End Encryption the owners of open wireless access points.
The state-of-the-art E2EE implementation ensures that messages • Global Adversary: An (active/passive) attacker who can
cannot be read by anyone except the endpoints of communication. take over many parts of Internet service (e.g., powerful
Figure 1 displays how Alice and Bob encrypt messages using state- nation-states or large Internet service providers).
of-the-art E2EE. Therefore, the majority of E2EE apps utilize this • Service Providers: All service operators could be consid-
E2EE scheme since it ensures robust end-to-end data confidentiality ered as potential attackers when E2EE apps utilize a central-
[62]. However, these apps use a service provider to store users’ pub- ized infrastructure for distributing public keys and storing or
lic keys, exchange public keys, and relay encrypted data between forwarding messages, such as using a public-key directory.
endpoints. This type of E2EE implementation, which relies on a As stated in [62], we assume that attackers can utilize E2EE apps,
server to distribute keys, can thwart a passive MitM attacker but allowing them to create accounts and send messages as legitimate
cannot thwart an active MitM attacker, who can substitute keys users. We also assume that the endpoints of E2EE apps are secure.
and thereby compromise the entire communication between autho-
rized users. Consequently, a malicious or hacked server can easily 2.4 End-to-End Encrypted Messaging Protocols
mount an attack known as a key substitution attack during the 2.4.1 Off-the-Record In 2004, the OTR protocol was introduced
key-exchange service, compromising the entire E2EE system. Many as a cryptographic protocol to enable the E2EE feature [4]. It was
E2EE apps let users take part in a hidden task called an authentica- a substitute for pretty good privacy (PGP) to provide complete
tion ceremony. During this task, users verify their key fingerprints forward secrecy and deniable authentication, simulating private
and, if they do it right, defeat active MitM attackers. communication in the real world. Due to the vulnerability of the
basic Diffie-Hellman key exchange protocol to MitM attacks, the
OTR protocol uses a variation of the SIGMA protocol [28] as the
authenticated key exchange to provide authentication [45]. The
OTR protocol has been implemented as a plugin in standard IM
clients such as Pidgin; however, researchers have found that these
implementations have a number of usability problems [55, 62]. Fur-
thermore, the OTR protocol does not support asynchronous mes-
saging environments or group messaging because it was designed
for synchronous messaging environments [12].
2.4.2 Signal The Signal Protocol was introduced in 2013 by Open
Figure 1: A high-level diagram of the state-of-the-art end-to-end encryption
Whisper Systems to provide E2EE as well as enhanced security fea-
tures such as forward secrecy and future secrecy [7, 16]. It supports
2.2 Properties for Secure Messaging Systems both synchronous and asynchronous messaging environments [36].
• Confidentiality: It keeps the contents of a message from Signal uses the Extended Triple Diffie-Hellman (X3DH) key agree-
being shared without permission. This means that only the ment protocol to establish a shared secret key between two users,
sender and the intended recipient can read messages. who mutually authenticate one another based on their public keys,
• Integrity: It ensures that a message has not been changed thereby ensuring forward secrecy and cryptographic deniability
while being sent, so that the intended recipient gets the [37]. The X3DH protocol is designed for asynchronous environ-
original message. ments, in which a user (Bob) can go offline after uploading informa-
• Authentication: It exposes the identities of both the sender tion to a server, and another user (Alice) can use that information
and the receiver in a private conversation, which ensures to send encrypted data to Bob, thereby establishing a shared secret
that a message was sent from the claimed sender. key for future communication. Using the shared secret key, both

188
SoK: An Analysis of End-to-End Encryption and Authentication Ceremonies in Secure Messaging Systems WiSec ’23, May 29-June 1, 2023, Guildford, United Kingdom

users can use the Double Ratchet algorithm to exchange encrypted by unclear security claims and usability issues [62]. To do a sys-
messages [43]. The Double Ratchet algorithm leverages the key tematization of knowledge on the most popular E2EE apps, we
derivation function (KDF) chain to derive secret keys for encrypting developed and implemented the approach described in this sec-
messages. In recent years, the Signal protocol has been adopted by tion. Since the Snowden disclosures about widespread government
several E2EE apps. Furthermore, some protocols customize their surveillance in 2013 [56], both academia and industry have shown
own specifications to copy certain security features from the Sig- an increasing interest in developing secure communications solu-
nal protocol and thus implement the E2EE feature. For instance, tions. In recent years, the number of E2EE apps has also increased
the Matrix protocol [38] uses the Olm encryption library, which is significantly. Based on the existing research literature and publicly
based on the Signal protocol, to implement the E2EE feature in the available messaging apps, we restricted our analysis to the most
Element app [11]. popular E2EE apps, focusing on the systematization and evalua-
tion of how they implemented their E2EE functionality and their
underlying authentication ceremonies. We examined the pertinent
2.4.3 Proprietary and Other Protocols Several E2EE apps use
white papers, documentation, research literature, and E2EE proto-
their own proprietary protocols, such as Apple’s iMessage, Tele-
col definitions. In addition to examining their E2EE functionality
gram’s MTProto protocol, and many other E2EE apps (discussed
and implementation, we also investigated their underlying authen-
further in Section 4). Linphone [33] and Silent Phone [53] use the
tication ceremonies. We meticulously examined prominent E2EE
Zimmermann Real-time Transport Protocol (ZRTP) [73] to imple-
apps (see Section 4). We limited our study to a collection of highly
ment the E2EE feature for voice and video communications. ZRTP
popular E2EE apps compatible with Android or iOS, based on the
is a key agreement protocol that uses Diffie-Hellman key exchange
number of installations and ratings derived from the Google Play
to establish a shared secret between two endpoints. This shared
Store. The Apple App Store does not publicly disclose the number
secret is then used to establish secure real-time transport protocol
of app installations; however, we believe that the data currently
(SRTP) sessions for VoIP apps [73]. However, the Diffie-Hellman
available from the Google Play Store provides adequate informa-
key exchange is known to be susceptible to MitM attacks, and there-
tion on app popularity. Table 3 in Appendix A.3 shows 17 highly
fore, ZRTP uses a mechanism based on a short authentication string
popular E2EE apps and was last updated on December 25, 2022.
(SAS) to prevent this type of attack [63]. This SAS can be validated
We covered apps that implement the state-of-the-art E2EE feature
by end users to guarantee that no MitM attack has occurred.
and provide documentation of their E2EE functionality. Because
the apps listed in Table 3 are all compatible with both Android and
2.5 Related Work iOS, we had to include two additional apps in our study (namely,
Even though various aspects of the secure messaging landscape FaceTime and Messages by Apple) that are only supported on Ap-
have been systematized in prior research studies, this systemati- ple devices as default apps but not supported on Android devices.
zation of knowledge paper provides a unique and complementary Both apps also implement the state-of-the-art E2EE feature and
perspective. Prior work has focused on secure messaging and con- provide documentation of their E2EE functionality. We looked at
ducted only a high-level investigation of the basic concepts and relevant white papers, E2EE documentation, and research litera-
features of E2EE messaging protocols [4, 7, 16, 45]. Our work is, to ture based on top-tier conferences and Google Scholar citations.
the best of our knowledge, the first to scrutinize a broader set of These academic and non-academic references were used to investi-
the most popular E2EE apps, including their underlying authenti- gate how E2EE functionality is currently being used in E2EE apps.
cation ceremonies. Some other papers also investigate the security We specifically looked for the main E2EE protocol that the E2EE
of E2EE apps and the usability of their underlying authentication app uses to implement E2EE functionality and the cryptographic
ceremonies; however, they do so without conducting a systematic primitives that the main E2EE protocol depends on. We also con-
study that covers a large number of E2EE apps, instead focusing ducted a practical analysis of the E2EE features provided by E2EE
only on one or a few apps [1, 17, 21, 26, 46, 47, 50, 64, 65]. These apps and the various code verification methods used by E2EE apps
studies also lack a focus on E2EE security and the usability of the au- during their underlying authentication ceremonies. During this
thentication ceremony in group-based scenarios. The most closely stage, we examined the usability of authentication ceremonies in
related work is by Herzberg et al. [22], which reveals the problems E2EE apps and how human errors may impact usability and lead to
and limitations of the current authentication ceremony in some MitM attacks based on the existing research literature. For the E2EE
secure messaging apps. We share a common approach of bringing apps in focus, we intended to evaluate several criteria regarding
to light the importance of the authentication ceremony and its us- their implementation of the E2EE feature, including their underly-
ability in current E2EE apps; however, we cover a large number of ing E2EE message protocols and authentication ceremonies. The
popular E2EE apps, and we focus not only on the authentication criteria being evaluated can be classified into two categories:
ceremony but also on the implementation of the E2EE feature in
these E2EE apps. We also make a greater effort to apply a method- A. Security
ology with which to evaluate implementing the E2EE feature and • The E2EE protocols used by E2EE applications to imple-
authentication ceremonies in group-based scenarios. ment the E2EE feature.
• Whether the E2EE feature is provided by default or as an
3 SYSTEMATIZATION METHODOLOGY optional property.
Recent claims have been made that numerous IM and VoIP apps pro- • Whether or not an E2EE application implements the E2EE
vide secure messaging solutions. However, they have been plagued feature for text messaging and audio/video calls.

189
WiSec ’23, May 29-June 1, 2023, Guildford, United Kingdom Mashari Alatawi & Nitesh Saxena

• Whether or not E2EE applications implement the E2EE smartphones to assess whether the E2EE app offers the E2EE feature
feature in group scenarios, such as group messages and by default or as an opt-in when initiating audio and video calls.
group audio or video calls. For group-based scenarios, we set up a group of three different
• Whether the opportunistic E2EE mode is vulnerable to smartphones in the E2EE app that supports group messaging. We
active MitM attacks. then followed the same procedures for sending text messages as
• Whether an E2EE application provides a way for verifying well as making audio and video calls in group-based scenarios.
and authenticating the key fingerprints (the authentication This enabled us to determine whether group-based text messaging,
ceremony) to thwart active MitM attacks. audio, and video conversations implement the E2EE functionality by
• Whether the authentication ceremony is a primary task default or as an opt-in. In E2EE apps, any conversation between two
or not. users is called a one-to-one scenario, while a conversation between
B. Usability more than two users is called a group-based scenario. Therefore, we
• How users find and locate the authentication ceremony elected to confine our analysis to a group size of three different
in order to perform it. smartphones. This was very helpful in providing results and lessons
• The terminology that E2EE applications use to refer to the for our current study. However, in future studies, the group size
authentication ceremony. could be increased to more than three to further investigate the
• How a key fingerprint is represented to a user to partici- E2EE functionality in contemporary messaging apps.
pate in an authentication ceremony.
• How users are asked to do the authentication ceremony. 4.1 E2EE Apps Using the Signal Protocol
• How users perform the authentication ceremony in groups. Most E2EE apps use the Signal protocol or rely heavily on custom
• Whether an E2EE application allows users to exchange protocols that copy some of the Signal protocol’s security features.
their fingerprint codes via an out-of-band (OOB) channel The Signal protocol is designed to work in both synchronous and
directly from the app. asynchronous messaging environments, so it uses a key-distribution
• Whether the authentication ceremony is vulnerable to server to store the identities and ephemeral keys of its users. Frosch
human errors, which could lead to MitM attacks. et al. [16] and Cohn-Gordon et al. [7] examined the security of the
Signal protocol in their research studies. They found that users had
to sign up and upload their long-term, medium-term, and ephemeral
4 ANALYSIS OF E2EE APPLICATIONS public keys to a key distribution server as part of the registration
This section will compare the evaluated E2EE apps regarding crite- process. In [7], the authors also found that the key-distribution
ria related to implementing the E2EE feature. A brief summary of server could become a malicious server and, as a result, be used
these implementations can be found in Table 1. The results were in MitM attacks. They found that Signal has an authentication
primarily taken from our experiments examining the E2EE apps, ceremony that lets users verify public keys through an OOB channel.
as well as the E2EE documentation and the official security white However, they had doubts about some implementations of the
papers of the corresponding E2EE apps. We examine how the E2EE Signal protocol that might not require such a ceremony to be done.
feature is currently implemented in the most popular E2EE apps This would let a rogue server or an attacker with control over
(only smartphone apps) that claim to offer E2EE messaging solu- identity registration change keys and get messages from the other
tions. On these apps, the E2EE feature is either turned on by default end. Herzberg et al. [21] examined how WhatsApp, Viber, Telegram,
or can be turned on by the user. In both cases, these apps use an op- and Signal utilized E2EE and found that all four apps supported
portunistic E2EE mode, which means they set up a secure channel both the opportunistic E2EE and the authenticated E2EE modes.
between two parties without authenticating the other party [31]. The authors stated that the authenticated E2EE mode matches the
This opportunistic E2EE mode can defeat a passive MitM attacker, classical definition of E2EE, which protects users from a rogue
but it cannot defeat an active MitM attacker who can change keys MitM operator, while the opportunistic E2EE mode alone is not
and put all communication between legitimate users at risk [21]. safe against this type of attack. They found that most users did not
In our experiments, we examined every E2EE app in two stages. know what the difference was between these two modes and did
In the first stage, we analyzed relevant white papers and E2EE not use them effectively. In the following, we introduce each E2EE
documentation to determine which E2EE protocol is used by each app in more detail. We also present our evaluation, which goes into
E2EE app and what cryptographic primitives are implemented by more depth about the E2EE features that these E2EE apps offer.
the E2EE protocol. In the second stage, we did our own tests to see
how the E2EE feature worked in each E2EE app and how it was 4.1.1 Facebook Messenger It is an IM application with voice
implemented in both one-to-one and group-based conversations. and video calling capabilities, developed by Meta [14]. It uses the
To this end, we used four different phone devices (namely Apple Signal protocol to implement E2EE functionality in chats and calls
iPhone X, Apple iPhone 7 Plus, Samsung Android 5, and Google through a feature called Secret Conversation [13]. However, the
Pixel) and installed the latest version of each E2EE app on them. For Secret Conversation feature is not the default option, and therefore,
one-to-one scenarios, we used the installed E2EE app to send a text users must enable the Secret Conversation mode manually and ask
message from one phone to another. This allowed us to see if the their intended recipients to enable the Secret Conversation mode on
text message was encrypted by default in E2EE mode or if the user their devices as well. In addition to individual chats and calls, the
had to turn on the optional E2EE mode. We also followed the same Facebook Messenger app also implements the E2EE functionality
procedure for audio and video conversations between two separate in group chats and calls through the Secret Conversation feature.

190
SoK: An Analysis of End-to-End Encryption and Authentication Ceremonies in Secure Messaging Systems WiSec ’23, May 29-June 1, 2023, Guildford, United Kingdom

4.1.2 Signal It is an application for IM and VoIP services [51]. It standard (AES) in GCM mode for its E2EE feature in Zoom meetings.
uses the Signal protocol to implement E2EE in all individual and Key derivation is done via the HMAC-based key derivation function
group chats by default [52]. It also supports E2EE for voice and (HKDF). Zoom uses the same cryptographic techniques and key
video communications between two parties and group video calls. management system as Zoom meetings for the E2EE feature in
RingRTC, an open-source video calling library written in Rust, is one-to-one Zoom Phone calls.
used by the Signal app to provide video and voice calling services
on top of web real-time communication (WebRTC). 4.2.4 Other E2EE Applications Due to space constraints, other
E2EE apps that use their own E2EE protocols can be found in
4.1.3 WhatsApp It is an application owned by Meta for IM and Appendix A.2. These E2EE apps are listed in Tables 1 and 2, but
VoIP services [69]. It uses the Signal protocol to implement the readers unfamiliar with them can refer to Appendix A.2.
E2EE feature by default in all messages and calls for all one-to-one
and group scenarios [68]. In all one-to-one and group calls, a user 4.3 The Opacity of E2EE Applications
initiates a voice or video call by establishing encrypted sessions Many E2EE apps mislead users by claiming to be encrypted or
with each of the devices of the recipient, such as those used in a secure communications platforms. According to a comprehensive
messaging scenario. Once the call is made, SRTP is used to protect survey of secure messaging conducted by Unger et al. [62], sev-
it with master secret keys that are made for each device of the eral of these apps do not provide E2EE messaging solutions as
recipient. advertised. Not all E2EE apps support the E2EE feature by default,
and that may confuse new users who use these apps for sending
4.1.4 Other E2EE Applications Due to space constraints, other sensitive information. Additionally, as was mentioned before, the
E2EE apps that use the Signal protocol are included in Appendix A.1. opportunistic E2EE mode is resistant to passive MitM attacks but
These E2EE apps are listed in Tables 1 and 2, but readers unfamiliar susceptible to active MitM attacks. The majority of E2EE apps alert
with them can refer to Appendix A.1. users that the opportunistic E2EE mode is activated and their com-
4.2 E2EE Apps Using Proprietary Protocols munications are E2EE by using various indicators, such as special
notification messages and lock icons, to indicate that the mode is
Here, we will introduce E2EE apps that implement their own pro-
enabled (see Figure 3 in Appendix A.3). This could make it more
prietary protocols to provide the E2EE feature. We will also present
difficult for average users to detect active MitM attacks, especially
our evaluation, in which we investigate their implementations of
if they are unaware of the security risks caused by not verifying key
the E2EE feature in more detail.
fingerprints. In [1], Abu-Salma et al. conducted a user study with
4.2.1 Telegram It is a cloud-based messenger for IM and VoIP 22 participants (eleven of whom were Telegram users) and investi-
services [58]. It uses its customized protocol, called the MTProto gated several security elements of the Telegram app. The authors
protocol, to implement the E2EE feature in one-to-one chats and reported that the design of the user interface had a detrimental im-
calls [59]. However, the E2EE feature is not supported in group pact on the behavior of the participants during the authentication
scenarios. In all one-to-one scenarios, the Telegram app does not ceremony due to several design issues. They also found that all par-
implement the E2EE functionality by default; thus, users must en- ticipants were unaware of the usefulness of fingerprints. In addition,
able the Secret Chat option to protect their communications in an they observed that, despite having prior experience with Telegram,
E2EE fashion. The Diffie-Hellman protocol is used to exchange none of the eleven users had used the key fingerprints. Users must
cryptographic keys in the MTProto protocol. Once a Secret Chat is therefore participate in an authentication ceremony to verify their
set up, the devices that are taking part in it exchange these keys. key fingerprints and thwart active MitM attacks. Participation in
the verification and authentication of these key fingerprints will
4.2.2 Viber It is an IM and VoIP application owned by Rakuten enable the authenticated E2EE mode, which is supported by the
[66]. It implements the E2EE feature by using the same concepts majority of E2EE apps (discussed further in Section 5).
as the Signal protocol [67]. However, the Viber app uses its own
implementation to protect all messages and calls in an E2EE fashion. 5 ANALYSIS OF THE AUTHENTICATION
In the Viber app, the E2EE feature is enabled by default in all one- CEREMONY
to-one and group scenarios. In Viber calls, the audio and video call
stream is converted to the SRTP protocol and encrypted with the After the previous section investigated the current implementation
Salsa20 algorithm. of the E2EE feature in many E2EE apps, this section builds on that
and examines the usability of the authentication ceremony in E2EE
4.2.3 Zoom It is a cloud platform for video meetings, VoIP, and apps and how users can participate in such an authentication cere-
team chat [74]. Zoom recently added the E2EE feature to Zoom mony. For each E2EE app, we evaluate the implementation of the
meetings and Zoom Phone calls between two end users [29, 30]. authentication-ceremony-related criteria outlined in Section 3. This
By default, Zoom meetings and Zoom Phone calls between two provides an overview of the differences between E2EE apps as well
end users are not E2EE. This means that users must turn on the as their underlying authentication ceremonies. We examine the
E2EE feature through the Zoom web portal. To implement the current implementation of the authentication ceremony in E2EE
E2EE feature, Zoom uses public-key cryptography to distribute a apps based on relevant white papers, documentation, and academic
session key to all users who are taking part in a Zoom meeting [75]. literature, while some information was collected by examining the
Zoom uses Diffie-Hellman over Curve25519, the Edwards-curve E2EE apps. All E2EE apps analyzed in this study use the same ap-
digital signature algorithm (EdDSA), and the advanced encryption proach to implement the authentication ceremony, which consists

191
WiSec ’23, May 29-June 1, 2023, Guildford, United Kingdom Mashari Alatawi & Nitesh Saxena

Table 1: The Security of Implementing End-to-End Encryption Feature in End-to-End Encrypted Applications
E2EE E2EE Feature in One-to-One Scenario E2EE Feature in Group Scenario Vulnerable Providing a Method
Application
Protocol E2EE In Audio In Video E2EE In Audio In Video to Active to Switch to the
In Chat In Chat
Mode Call Call Mode Call Call MitM Attack Authenticated E2EE Mode
Yes, it relies on users
Opportunistic Opportunistic
Element Proprietary ✓ ✓ ✓ ✓ ✓ ✓ Yes to optionally perform
by default by default
an authentication ceremony.
Yes, it relies on users
Facebook Opportunistic Opportunistic
Signal ✓ ✓ ✓ ✓ ✓ ✓ Yes to optionally perform
Messenger via an opt-in via an opt-in
an authentication ceremony.
Opportunistic Opportunistic
FaceTime Proprietary N/A ✓ ✓ N/A ✓ ✓ Yes No
by default by default
Opportunistic Opportunistic
Google Meet Signal ✓ ✓ ✓ ✓ ✓ ✓ Yes No
by default by default
Yes, it relies on users
Opportunistic Opportunistic
KakaoTalk Proprietary ✓ ✗ ✗ ✓ ✗ ✗ Yes to optionally perform
via an opt-in via an opt-in
an authentication ceremony.
Yes, it relies on users
Opportunistic Opportunistic
LINE Proprietary ✓ ✓ ✓ ✓ ✗ ✗ Yes to optionally perform
by default by default
an authentication ceremony.
Yes, it relies on users
Opportunistic Opportunistic
Linphone Proprietary ✓ ✓ ✓ ✓ ✗ ✗ Yes to optionally perform
via an opt-in via an opt-in
an authentication ceremony.
Opportunistic Opportunistic
Messages
Proprietary by default ✓ N/A N/A by default ✓ N/A N/A Yes No
by Apple
via iMessage via iMessage
Opportunistic Yes, it relies on users
Messages
Signal by default ✓ N/A N/A N/A N/A N/A N/A Yes to optionally perform
by Google
in RCS an authentication ceremony.
Yes, it relies on users
Opportunistic Opportunistic
Signal Signal ✓ ✓ ✓ ✓ ✓ ✓ Yes to optionally perform
by default by default
an authentication ceremony.
Yes, it relies on users
Opportunistic Opportunistic
Silent Phone Proprietary ✓ ✓ ✓ ✓ ✓ ✓ Yes to optionally perform
by default by default
an authentication ceremony.
Yes, it relies on users
Opportunistic
Skype Signal ✓ ✓ ✗ N/A N/A N/A N/A Yes to optionally perform
via an opt-in
an authentication ceremony.
Yes, it relies on users
Opportunistic
Telegram Proprietary ✓ ✓ ✓ N/A N/A N/A N/A Yes to optionally perform
via an opt-in
an authentication ceremony.
Yes, it relies on users
Opportunistic Opportunistic
Threema Proprietary ✓ ✓ ✓ ✓ ✓ ✓ Yes to optionally perform
by default by default
an authentication ceremony.
Yes, it relies on users
Opportunistic Opportunistic
Viber Proprietary ✓ ✓ ✓ ✓ ✓ ✓ Yes to optionally perform
by default by default
an authentication ceremony.
Yes, it relies on users
Opportunistic Opportunistic
WhatsApp Signal ✓ ✓ ✓ ✓ ✓ ✓ Yes to optionally perform
by default by default
an authentication ceremony.
Yes, it relies on users
Opportunistic Opportunistic
Wickr Proprietary ✓ ✓ ✓ ✓ ✓ ✓ Yes to optionally perform
by default by default
an authentication ceremony.
Yes, it relies on users
Opportunistic Opportunistic
Wire Proprietary ✓ ✓ ✓ ✓ ✓ ✓ Yes to optionally perform
by default by default
an authentication ceremony.
Yes, it relies on users
Opportunistic Opportunistic
Zoom Proprietary ✓ ✓ ✓ ✓ ✓ ✓ Yes to optionally perform
via an opt-in via an opt-in
an authentication ceremony.
✓ indicates that the E2EE feature is provided, and ✗ indicates that the E2EE feature is not provided.

of making this task optional, relying on users to find and perform it, that no active MitM attackers are involved in any private conver-
and providing users with similar code representations to compare sation between two end users. Whenever Alice and Bob want to
and verify their key fingerprints. Therefore, instead of focusing on communicate using an E2EE app, they both use a service provider
a single app as in the previous section, this section examines and to exchange their public encryption keys and establish a secret
evaluates the authentication ceremony as a whole, using the knowl- shared key for future communication. This secret shared key is
edge gained from examining the E2EE apps and relevant references. only known to Alice and Bob. No one else, not even the service
In the following subsections, we will provide an in-depth analysis provider, can find out what the value of the secret shared key is
of the authentication ceremony and its usability in all E2EE apps. or decrypt any of the messages being sent. However, these service
Note that in practice, some E2EE apps have the same usability chal- providers could use fake public keys during the key-exchange ser-
lenges and technical concerns with the authentication ceremony. A vice to get around the protection that E2EE apps offer against rogue
brief summary of this analysis can be found in Table 2. or compromised service providers. For example, when Alice wants
to talk to Bob through an E2EE app, she will get his public key
5.1 Finding and Performing the Ceremony from a service provider to encrypt a shared secret key and then
Participating in an authentication ceremony and successfully com- send it to him through the service provider. However, a malicious
pleting it will enable the authenticated E2EE mode, which is con- provider can easily mount a key substitution attack and furnish her
sistent with the traditional definition of E2EE. In contrast to the with a phony public key under its control. The rogue provider can
opportunistic E2EE mode, the authenticated E2EE mode guarantees now decrypt the shared secret key, re-encrypt it using Bob’s real

192
SoK: An Analysis of End-to-End Encryption and Authentication Ceremonies in Secure Messaging Systems WiSec ’23, May 29-June 1, 2023, Guildford, United Kingdom

public key, and then send it to Bob, claiming that it was sent by 5.2.1 QR Code The key fingerprint is encoded into a QR code
Alice. Thus, the rogue provider has become an active MitM attacker that can be automatically captured and compared by the E2EE app
between Alice and Bob. This means that the attacker can read or without the need for end-user intervention. This method works
change the messages Alice and Bob send each other without the best when the authentication ceremony is performed in person and
knowledge of the two parties being attacked. In the real world, all the QR code is scanned in person. Only 5 E2EE apps analyzed in this
E2EE apps mentioned in Section 4 implement this opportunistic study (Element, Signal, Threema, WhatsApp, and Wickr) offer this
E2EE mode by default, which is only known to be secure against method to users who are located in close proximity to one another,
passive MitM attacks. To switch to the authenticated E2EE mode allowing them to perform the authentication ceremony in person.
and thwart active MitM attacks, both end users need to participate Figure 5a in Appendix A.3 shows the QR code representation for
in an authentication ceremony and successfully complete it. the Signal app.
Despite the significance of the authentication ceremony in detect-
ing active MitM attacks, the authentication ceremony is optional 5.2.2 Numeric Representation The key fingerprint is repre-
in all current E2EE apps. Consequently, users may be susceptible sented as a sequence of numerical digits to facilitate comparison
to human errors, which can result in MitM attacks. Therefore, the and verification. To make a long code more readable, this method
authenticated E2EE mode depends on the users and how they in- is organized as blocks (or chunks) of numbers with few digits. For
teract in the authentication ceremony to establish trust and enable example, the WhatsApp app, shown in Figure 5b in Appendix A.3,
secure communication. It is also common for users to ignore the uses a 60-digit numeric string that is broken up into 12 blocks of
authentication process until they are encouraged to do so, at which five-digit numbers. This method can be used either in person or
point they may struggle and misunderstand the steps, leaving them- remotely to compare and verify the key fingerprint. It is useful
selves vulnerable to MitM attacks. In practice, all the E2EE apps for people who are in distant locations and unlikely to meet in
listed in Section 4 (that provide a mechanism for performing the person prior to communicating via an E2EE app. Only 6 E2EE apps
authentication ceremony) rely on end-users to activate the authen- analyzed in this paper (Messages by Google, Signal, Skype, Viber,
ticated E2EE mode, from being aware of the security risks and WhatsApp, and Zoom) offer this method to their users, whether
the importance of authentication in preventing such an attack, to they are nearby or remote. However, in the real world, only Sig-
taking the necessary steps for the authentication ceremony to be nal and WhatsApp offer a feature for directly exchanging the key
successful. This includes navigating the app’s settings and menu fingerprint from the app over an OOB channel in remote communi-
system to find the terminology used to refer to the authentication cations. Other apps only rely on users to compare and verify the
ceremony. Figure 4 in Appendix A.3 depicts some E2EE apps and key fingerprint over an OOB channel of their choice. Figure 5b in
the terminologies they use to refer to the authentication ceremony. Appendix A.3 shows the WhatsApp app’s numerical key fingerprint
After locating the authentication ceremony, the end-users must and the share icon at the top-right corner of the phone’s screen,
compare and verify the key fingerprints before deciding whether or which is used to directly exchange the key fingerprint from the
not to continue communicating. Also, end users must comprehend WhatsApp app over an OOB channel to perform the authentication
the meaning of failure (non-matching key fingerprints) to cease ceremony remotely.
communication. As shown in Table 2, all E2EE apps in Section 4 5.2.3 Alphanumeric Representation For the purposes of com-
(that offer a mechanism for performing the authentication cere- parison and verification, the key fingerprint is displayed both nu-
mony) use different terminologies and representations of the key merically and alphabetically. This approach can be used to divide a
fingerprints in their authentication ceremonies. string of characters into equal-sized chunks, improving the text’s
readability. It can be used in hexadecimal, base32, or base64 for-
5.2 Fingerprint Representations
mat. Only 7 E2EE apps analyzed in this work (Facebook Messenger,
During the authentication ceremony, many E2EE apps use textual KakaoTalk, LINE, Telegram, Threema, Wickr, and Wire) offer this
(words and sentences), numeric, hexadecimal, and graphical finger- method for comparing and verifying the key fingerprint, either in
print representations. The representation of the key fingerprints is person or remotely. In practice, all of the aforementioned E2EE apps
an essential component of the authentication ceremony in all E2EE display the key fingerprint in hexadecimal characters (Figure 5c in
apps, and it plays a significant role in assisting users to perform the Appendix A.3 shows the hexadecimal representation for the Tele-
authentication ceremony correctly and thwart active MitM attacks. gram app), and none of them offer a feature to directly exchange the
In such authentication ceremonies, E2EE apps represent the finger- key fingerprint within the app, with the exception of the Wickr app,
prints of the encryption key or the fingerprints of the public keys which displays the key fingerprint in base32 characters (as shown
of other users using a variety of approaches (see Table 2). These in Figure 5d in Appendix A.3). Although the Base64 representation
fingerprints can be compared and verified in person or over an has also been proposed in the literature, none of the E2EE apps we
OOB channel, such as a text message, email, or phone call. Such a analyze in this paper currently use it.
fingerprint is encoded into a readable/exchangeable code to facili-
tate manual comparison and verification. In the real world, all E2EE 5.2.4 Graphical Representation The key fingerprint is encoded
apps listed in Section 4 (that offer a mechanism for performing the into an image or a sequence of emojis for comparison and veri-
authentication ceremony) generate the fingerprint and represent fication. This method can be used to replace textual fingerprint
it as a human-readable code or an exchangeable object. Figure 5 representations and has been suggested to improve usability in the
in Appendix A.3 displays the common fingerprint representations prior literature. Only 3 E2EE apps analyzed in this study (Element,
used by E2EE apps and described here: KakaoTalk, and Telegram) offer this method for comparing and

193
WiSec ’23, May 29-June 1, 2023, Guildford, United Kingdom Mashari Alatawi & Nitesh Saxena

verifying the key fingerprint, either in person or remotely. For ex-

ample, Figure 5e in Appendix A.3 depicts the image derived from
the encryption key for the KakaoTalk app. Also, Figure 5f in Ap-
pendix A.3 shows the emoji that the Element app uses to compare
and verify the key fingerprint.

5.2.5 Short Authentication String Only two E2EE apps ana-

lyzed in this work (Linphone and Silent Phone) use a SAS-based
verification mechanism (e.g., four characters or two words) instead
(a) Facebook Messenger
of alphanumeric or numeric representations to make comparison
(b) LINE
and verification tasks during authentication ceremonies more read-
able. Figure 5g in Appendix A.3 shows the authentication ceremony
for the Linphone app, which uses a SAS code with four characters
to verify the user’s identity. Figure 5h in Appendix A.3 shows the
authentication ceremony for the Silent Phone app, which uses a
SAS code with two words to verify the user’s identity.

5.3 Supporting OOB Channels

Unfortunately, only 7 of the apps analyzed in this study (Linphone,
Signal, Silent Phone, Threema, Viber, WhatsApp, and Wickr) pro-
vide a feature for directly exchanging the key fingerprint from
inside the app using an OOB channel, e.g., a text message, email,
or phone call. These apps rely on users’ decisions to use another
(c) Zoom
trusted means of communication to compare and verify their key
Figure 2: Authentication ceremonies in E2EE group scenarios
fingerprints. Having such an OOB channel can facilitate authen-
tication ceremonies, especially for users who are not close to one
Most of the E2EE apps analyzed in this study support E2EE group
another. Additionally, some E2EE apps use numeric representations
communications. However, participating in an authentication cere-
and do not support OOB channels via which users can perform
mony is not group-based authentication. It is pairwise authentica-
the authentication ceremony. For example, Zoom uses numeric
tion, which is similar to a one-to-one authenticated scheme, such
representations for its E2EE meeting codes, but it does not support
as the authentication ceremony for two parties. Therefore, having
OOB channels to perform the authentication ceremony manually
a group with an enormous number of group members will make
or even any automated verification process. Instead, the meeting
the authentication ceremony hugely problematic and more chal-
host can read the security code aloud, and therefore, users can com-
lenging to perform. Like in one-to-one encrypted communication,
pare and verify that their clients display the same security code.
the group members in end-to-end encrypted group communica-
However, an adversary can sit and copy the meeting host’s voice
tions must perform an authentication ceremony to guarantee that
when announcing the string of digits 0-9 from previous meetings
conversations between group members are confidential and authen-
and, thus, mount a voice-reordering attack to create any digits the
ticated, thereby ensuring that there are no MitM attacks. In fact,
adversary wants and thus compromise the E2EE feature in a future
the vast majority of E2EE apps follow the same procedures for the
meeting [48].
authentication ceremony in all one-to-one and group scenarios. For
instance, WhatsApp does not allow its users, when in a group chat,
5.4 E2EE Group Communications to authenticate one another in a group-based manner; rather, it
In general, the security issues and usability obstacles of E2EE apps relies on pairwise individual authentication. However, some other
in group scenarios are similar to those in the one-on-one scenarios. E2EE apps vary in terms of their authentication ceremony settings
In [26], the authors conducted a security analysis of Letter Sealing, regarding presenting keys to their users during the authentication
which is the E2EE scheme for LINE. They found that Letter Sealing ceremony while keeping the fingerprint verification pairwise. For
does not meet one of the fundamental security requirements of instance, the Facebook Messenger app (as shown in Figure 2a) uses
E2EE, which is the integrity of the message. Their results demon- different terminology to refer to its group-authentication ceremony.
strated the feasibility of attacks by exploiting several vulnerabilities It lists all group members in a single list to help users find each
in LINE’s E2EE system. These attacks can be mounted by an end- member’s device key, which may increase the usability of the au-
to-end adversary, a malicious group member, or a malicious user. thentication ceremony in a group scenario. Another app (LINE in
For instance, a malicious group member can mount impersonation Figure 2b) lists all group members with their keys in one list, which
or forgery attacks on the group message encryption scheme by could be helpful for group members in terms of participating in
exploiting the vulnerability of the key-derivation stage in group the group authentication ceremony as well. On the other hand,
message encryption. there is only one app (Zoom) in which the authentication ceremony

194
SoK: An Analysis of End-to-End Encryption and Authentication Ceremonies in Secure Messaging Systems WiSec ’23, May 29-June 1, 2023, Guildford, United Kingdom

Table 2: The Usability of the Authentication Ceremony in End-to-End Encrypted Applications

Terminology Used to Refer to Fingerprint Authentication Ceremony to Enable Group Supporting Vulnerable to
Application
the Authentication Ceremony Representation the Authenticated E2EE Mode Ceremony OOB Channels Human Errors
QR code,
In 1-to-1 and group scenarios: Scan QR code, Pairwise Based Yes, since users manually
Element On-screen emojis No
(Verify) One-time code Manually compare emojis Authentication compare emojis.
(7 emojis)
In 1-to-1 scenario:
(Device keys),
Facebook 66 hexadecimal characters Pairwise Based Yes, since users manually
In a group scenario: Manually compare characters No
Messenger for each device Authentication compare characters.
(End-to-end encryption)
Device keys
FaceTime N/A N/A N/A N/A N/A N/A
Google Meet N/A N/A N/A N/A N/A N/A
Image, Yes, since users manually
In 1-to-1 and group scenarios: Manually compare Pairwise Based
KakaoTalk 32 hexadecimal characters No compare image
(Public Key) image or characters Authentication
for each party or characters.
In 1-to-1 and group scenarios: 32 hexadecimal characters Pairwise Based Yes, since users manually
LINE Manually compare characters No
(Encryption keys) for each party Authentication compare characters.
In 1-to-1 and group scenarios: Yes, since users manually
Manually compare SAS Pairwise Based
Linphone (Call the contact) SAS code of 4 characters Yes compare SAS
via audio call Authentication
Communication security via audio call.
Messages
N/A N/A N/A N/A N/A N/A
by Apple
In 1-to-1 scenario:
Messages Yes, since users manually
(Verify encryption) 60-digit numeric Manually compare numbers N/A No
by Google compare numbers.
Verification code
In 1-to-1 and group scenarios:
QR code, Scan QR code, Pairwise Based Yes, since users manually
Signal (View Safety Number) Yes
60-digit numeric Manually compare numbers Authentication compare numbers.
Verify Safety Number
In 1-to-1 and group scenarios: Yes, since users manually
Manually compare words Pairwise Based
Silent Phone (Call the contact) Two words Yes compare words
via audio call Authentication
Verify SAS via audio call.
In 1-to-1 scenario: Yes, since users manually
Skype 60-digit numeric Manually compare numbers N/A No
(Security Code) compare numbers.
Yes, since users manually
In 1-to-1 scenario: Image, Manually compare
Telegram N/A No compare image
(Encryption Key) 64 hexadecimal characters image or characters
or characters.
In 1-to-1 and group scenarios: QR code, Scan QR code, Pairwise Based Yes, since users manually
Threema Yes
(Key Fingerprint) 32 hexadecimal characters Manually compare characters Authentication compare characters.
In 1-to-1 and group scenarios:
Yes, since users manually
Turn on (Trusted Contacts) Manually compare numbers Pairwise Based
Viber 48-digit numeric Yes compare numbers
(Call your contact) via audio call Authentication
via audio call.
Verify secret identification key
In 1-to-1 and group scenarios:
QR code, Scan QR code, Pairwise Based Yes, since users manually
WhatsApp (Encryption) Yes
60-digit numeric Manually compare numbers Authentication compare numbers.
Verify Security Code
In 1-to-1 and group scenarios: QR code,
Scan QR code, Pairwise Based Yes, since users manually
Wickr (Security Verification) 51 characters Yes
Manually compare characters Authentication compare characters.
Compare security code using Base32 scheme
In 1-to-1 and group scenarios:
64 hexadecimal characters Pairwise Based Yes, since users manually
Wire (Devices) Manually compare characters No
for each device Authentication compare characters.
Verify device fingerprint
In 1-to-1 and group scenarios:
Group-based Yes, since users manually
Zoom (Encryption) 40-digit numeric Manually compare numbers No
Authentication compare numbers.
Verify security code

is group-based. The Zoom app, as shown in Figure 2c, uses only may cause confusion for users unfamiliar with the E2EE scheme.
one security code for its Zoom meeting setting to verify the se- Abu-Salma et al. [2] investigated users’ experiences with various
curity code for all Zoom meeting members in the current session. communication tools and their perceptions of the tools’ security
Here, Zoom allows users to compare and verify a 40-digit number features. They found that users sent sensitive information using
represented as 8 blocks of five-digit numbers to verify the secure Telegram’s default chat, which is not E2EE. In practice, regular users
connection of their Zoom session. Therefore, the meeting host may may feel misled by E2EE claims. Therefore, we suggest that any
read the security code aloud, and then all users can compare and application that purports to offer a secure E2EE messaging solution
verify that their clients display the same security code. should implement E2EE functionality by default rather than as an
opt-in feature. We also suggest that E2EE apps should ask their
6 DISCUSSION AND RECOMMENDATIONS users to perform the authentication ceremony as a primary task.
In this section, we will discuss and recommend some possible im- All E2EE apps analyzed in this work implement the E2EE feature
provements for implementing E2EE functionality and authentica- in an opportunistic E2EE mode, whether as a default or an opt-in
tion ceremonies in current E2EE apps. These recommendations are option. In practice, this opportunistic E2EE mode is susceptible to
based on the knowledge gained from our test scenarios. Also, it is active MitM attacks; hence, users must complete the authentication
important to note that these recommendations should go through ceremony to activate the authenticated E2EE mode. However, the
testing before being deployed in E2EE apps. authentication ceremony is optional in all existing E2EE apps. This
Some E2EE apps analyzed in this study (Facebook Messenger, might make active MitM attacks more difficult to detect, especially
KakaoTalk, Linphone, Skype, Telegram, and Zoom) do not imple- for average users who are unaware of the security risks associated
ment the E2EE feature by default. Users will have to manually with skipping or clicking through the authentication ceremony.
turn on the E2EE feature to keep their conversations secure. This

195
WiSec ’23, May 29-June 1, 2023, Guildford, United Kingdom Mashari Alatawi & Nitesh Saxena

The performance of the authentication ceremony in current mes- string used for fingerprint representation were excessively long. In
saging apps has been the focus of numerous published academic addition, there are some studies that have found that E2EE phones
studies. Due to usability flaws and human mistakes, it has been are susceptible to MitM attacks due to human errors. For example, a
proven that users cannot perform the authentication ceremony study by Shirvanian et al. [49] examined the security and usability
and are hence vulnerable to MitM attacks. In a research study con- of E2EE phones. The authors considered two words and four words
ducted by Schröder et al. [47], the authors found that users failed to in the checksum-comparison and speaker-verification tasks. They
complete the authentication ceremony in the Signal app and were found that users were vulnerable to MitM attacks due to their fail-
therefore susceptible to MitM attacks due to usability issues. In a ures in the checksum-comparison and speaker-verification tasks.
study by Vaziripour et al. [64], the authors investigated the ease Furthermore, most contemporary E2EE apps use numeric represen-
of locating and completing the authentication ceremony in What- tations in their authentication mechanisms, which users have com-
sApp, Viber, and Facebook Messenger. They found that, due to a plained about, according to the research literature. Therefore, we
lack of security knowledge and various user interface design flaws, recommend that E2EE apps use textual and visual representations
participants struggled to locate and perform the authentication that make the authentication process easier for users. However,
ceremony. Furthermore, studies conducted by Herzberg et al. [21] more research is needed to study the security vulnerabilities of
and Shirvanian et al. [50] investigated the usability of performing these representations.
the authentication ceremony in WhatsApp, Viber, Telegram, and
Signal and found that participants were vulnerable to MitM attacks. 7 CONCLUSION
In [21], the authors showed that the majority of participants failed In this paper, we examined the most popular E2EE apps, including
to authenticate even when they were shown how to authenticate. their underlying E2EE messaging protocols and authentication cer-
In [50], the authors demonstrated that participants did not per- emonies. Even though the authentication ceremony plays a vital
form remote authentication ceremonies correctly due to usability role in helping to thwart active MitM attacks, a few E2EE apps do
difficulties and human errors. To help users locate and find the not offer any authentication ceremony to their users. We found
authentication ceremony, we suggest that E2EE apps should give that the current implementations of the E2EE feature in various
a notification message at the beginning of the conversation. This E2EE apps, particularly in the opportunistic E2EE mode, can defeat
message can help inform users about the importance of completing a passive MitM attacker but cannot defeat an active MitM attacker.
the authentication ceremony to prevent MitM attacks. Also, we sug- We also found that their actual implementations of the E2EE feature
gest that E2EE apps should give users the possibility of navigating in authenticated E2EE mode depend crucially on users to success-
to the authentication ceremony from the conversation interface if fully perform and complete authentication ceremonies. However,
they want to. This is because the primary task of the users in all cur- several studies have shown that users are unable to successfully
rent E2EE apps is to pursue a conversation, and the authentication perform and complete the authentication ceremony and, therefore,
ceremony is only an optional task. On the other hand, many but become vulnerable to active MitM attacks due to usability issues and
not all E2EE apps analyzed in this study do not provide a feature for human errors. This systematization reveals avenues that require
directly exchanging the key fingerprint from inside the app using further investigation. First, further research is needed to automate
an OOB channel, e.g., a text message or email. This feature can help the authentication ceremony or implement a semi-automated au-
users complete the authentication ceremony, especially if they are thentication ceremony to reduce the effort on the part of the user
not nearby. Therefore, we think that all E2EE apps should have when performing the authentication ceremony. Additionally, more
this feature so that users can exchange their key fingerprints from research is needed to extend studies to the context of group com-
inside the app via an OOB channel. munication. Most research studies focus only on two-party E2EE
Most of the E2EE apps mentioned in Section 4 still use numeric but having more than two parties will make the authentication
or hexadecimal representations of fingerprints, even though many ceremony more challenging to perform. Lastly, new research can be
studies have shown that other representations, like words and sen- focused on running the E2EE protocol over the audio channel only.
tences, are better at helping users detect attacks. Dechand et al. [9] Most research studies focus only on phones, which always have
conducted a user study to investigate the performance and usabil- two channels (a data channel and an audio channel). Therefore,
ity of six textual key-fingerprint representations. They found that new research is needed to demonstrate how to establish this E2EE
participants were more resistant to attacks when using words and protocol on line phones, which have only audio channels.
sentences as compared to numeric or alphanumeric (Hexadecimal
and Base32) representations. The authors reported that the hexa- ACKNOWLEDGMENTS
decimal representation scheme fared considerably worse than other We would like to give special thanks to our shepherd and the anony-
representation schemes in terms of detecting attacks and usability mous reviewers for their valuable feedback on this paper.
evaluations. Similarly, another work by Tan et al. [57] examined
the usability and security of eight textual and visual fingerprint REFERENCES
representations. They found that visual fingerprint representations [1] Ruba Abu-Salma, Kat Krol, Simon Parkin, Victoria Koh, Kevin Kwan, Jazib Mah-
boob, Zahra Traboulsi, and M Angela Sasse. 2017. The Security Blanket of the
were more vulnerable to attacks than other methods, even though Chat World: An Analytic Evaluation and a User Study of Telegram. Internet
they were easy to use and quick to process. In [64], the authors Society. https://doi.org/10.14722/eurousec.2017.23006
investigated the authentication ceremony in WhatsApp, Viber and [2] Ruba Abu-Salma, M. Angela Sasse, Joseph Bonneau, Anastasia Danilova, Alena
Naiakshina, and Matthew Smith. 2017. Obstacles to the Adoption of Secure
Facebook Messenger. During this study, the authors observed that Communication Tools. In 2017 IEEE Symposium on Security and Privacy (SP).
many participants felt that the string of digits and the hexadecimal IEEE, 137–153. https://doi.org/10.1109/SP.2017.65

196
SoK: An Analysis of End-to-End Encryption and Authentication Ceremonies in Secure Messaging Systems WiSec ’23, May 29-June 1, 2023, Guildford, United Kingdom

[3] Dieter Bohn. 2020. Google is rolling out end-to-end encryption for RCS in Android [29] Max Krohn. 2020. Zoom Rolling Out End-to-End Encryption Offering. Re-
Messages beta. Retrieved July 11, 2022 from https://www.theverge.com/2020/11/ trieved July 11, 2022 from https://blog.zoom.us/zoom-rolling-out-end-to-end-
19/21574451/android-rcs-encryption-message-end-to-end-beta encryption-offering/
[4] Nikita Borisov, Ian Goldberg, and Eric Brewer. 2004. Off-the-Record Communica- [30] Max Krohn. 2022. End-to-End Encryption Expands to Zoom Phone and Break-
tion, or, Why Not to Use PGP. In Proceedings of the 2004 ACM Workshop on Privacy out Rooms. Retrieved August 11, 2022 from https://blog.zoom.us/end-to-end-
in the Electronic Society (WPES ’04). Association for Computing Machinery, New encryption-zoom-phone-breakout-rooms/
York, NY, USA, 77–84. https://doi.org/10.1145/1029179.1029200 [31] Adam Langley. 2009. Opportunistic encryption everywhere. In W2SP (2009).
[5] Pew Research Center. 2017. Most Americans think the government could be [32] Line 2022. https://line.me/en/.
monitoring their phone calls and emails. Retrieved July 03, 2022 from https: [33] Linphone 2020. https://www.linphone.org/.
//pewrsr.ch/3nI8hIf [34] Linphone. 2020. LIME. Retrieved August 17, 2022 from https://www.linphone.
[6] Don Clark. 2015. Microsoft to Alert Users to Suspected Government Snooping. org/technical-corner/lime
Retrieved July 03, 2022 from https://www.wsj.com/articles/microsoft-to-alert- [35] MARY MADDEN. 2014. Public Perceptions of Privacy and Security in the Post-
users-to-suspected-government-snooping-1451528624 Snowden Era. Retrieved July 03, 2022 from https://www.pewresearch.org/
[7] Katriel Cohn-Gordon, Cas Cremers, Benjamin Dowling, Luke Garratt, and Dou- internet/2014/11/12/public-privacy-perceptions/
glas Stebila. 2020. A formal security analysis of the signal messaging protocol. [36] Moxie Marlinspike. 2013. Advanced cryptographic ratcheting. Retrieved July 11,
Journal of Cryptology 33, 4 (2020), 1914–1983. https://doi.org/10.1007/s00145- 2022 from https://signal.org/blog/advanced-ratcheting/
020-09360-1 [37] Moxie Marlinspike and Trevor Perrin. 2016. The x3dh key agreement protocol.
[8] LINE Corporation. 2021. LINE Encryption Overview. Retrieved Au- Open Whisper Systems (2016).
gust 17, 2022 from https://d.line-scdn.net/stf/linecorp/en/csr/line-encryption- [38] Matrix 2022. https://matrix.org/.
whitepaper-ver2.1.pdf [39] Messages by Apple 2022. https://support.apple.com/explore/messages.
[9] Sergej Dechand, Dominik Schürmann, Karoline Busse, Yasemin Acar, Sascha Fahl, [40] Messages by Google 2022. https://messages.google.com/.
and Matthew Smith. 2016. An Empirical Study of Textual Key-Fingerprint Repre- [41] Microsoft. 2018. Skype Private Conversation. Technical white paper. Retrieved
sentations. In Proceedings of the 25th USENIX Conference on Security Symposium July 21, 2022 from https://az705183.vo.msecnd.net/onlinesupportmedia/
(SEC’16). USENIX Association, USA, 193–208. onlinesupport/media/skype/documents/skype-private-conversation-white-
[10] Kitty Donaldson and Mark Burton. 2019. Facebook, WhatsApp Will paper.pdf
Have to Share Messages With U.K. Retrieved July 03, 2022 from [42] Emad Omara. 2020. Google Duo End-to-End Encryption Overview. Retrieved July
https://www.bloomberg.com/news/articles/2019-09-28/facebook-whatsapp- 18, 2022 from https://www.gstatic.com/duo/papers/duo_e2ee.pdf
will-have-to-share-messages-with-u-k-police [43] Trevor Perrin and Moxie Marlinspike. 2016. The double ratchet algorithm. GitHub
[11] Element 2022. https://element.io/. wiki (2016).
[12] Ksenia Ermoshina, Francesca Musiani, and Harry Halpin. 2016. End-to-End [44] Pidgin 2020. https://pidgin.im/.
Encrypted Messaging Protocols: An Overview. In International Conference on [45] Mario Di Raimondo, Rosario Gennaro, and Hugo Krawczyk. 2005. Secure Off-
Internet Science. Springer, 244–254. https://doi.org/10.1007/978-3-319-45982-0_22 the-Record Messaging. In Proceedings of the 2005 ACM Workshop on Privacy in
[13] Facebook. 2017. Messenger Secret Conversations. Technical Whitepaper. Retrieved the Electronic Society (WPES ’05). Association for Computing Machinery, New
July 18, 2022 from https://about.fb.com/wp-content/uploads/2016/07/messenger- York, NY, USA, 81–89. https://doi.org/10.1145/1102199.1102216
secret-conversations-technical-whitepaper.pdf [46] Dawin Schmidt. 2016. A security and privacy audit of KakaoTalk’s end-to-end
[14] Facebook Messenger 2022. https://www.messenger.com/. encryption. Master’s thesis.
[15] FaceTime 2022. https://support.apple.com/en-us/HT204380. [47] Svenja Schröder, Markus Huber, David Wind, and Christoph Rottermanner. 2016.
[16] Tilman Frosch, Christian Mainka, Christoph Bader, Florian Bergsma, Jörg When SIGNAL hits the Fan: On the Usability and Security of State-of-the-Art
Schwenk, and Thorsten Holz. 2016. How Secure is TextSecure?. In 2016 IEEE Secure Mobile Messaging. In European Workshop on Usable Security. IEEE. 1–7.
European Symposium on Security and Privacy (EuroSP). IEEE, 457–472. https: https://doi.org/10.14722/eurousec.2016.23012
//doi.org/10.1109/EuroSP.2016.41 [48] Maliheh Shirvanian and Nitesh Saxena. 2014. Wiretapping via Mimicry: Short
[17] Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, and Michael Voice Imitation Man-in-the-Middle Attacks on Crypto Phones. In Proceedings
Rushanan. 2016. Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks of the 2014 ACM SIGSAC Conference on Computer and Communications Security
on Apple Imessage. In Proceedings of the 25th USENIX Conference on Security (CCS ’14). Association for Computing Machinery, New York, NY, USA, 868–879.
Symposium (SEC’16). USENIX Association, USA, 655–672. https://doi.org/10.1145/2660267.2660274
[18] Wire Swiss GmbH. 2021. Wire Security Whitepaper. Retrieved August 20, 2022 [49] Maliheh Shirvanian and Nitesh Saxena. 2015. On the Security and Usability of
from https://wire-docs.wire.com/download/Wire+Security+Whitepaper.pdf Crypto Phones. In Proceedings of the 31st Annual Computer Security Applications
[19] Google. 2022. Messages End-to-End Encryption Overview. Retrieved July 18, 2022 Conference (ACSAC ’15). Association for Computing Machinery, New York, NY,
from https://www.gstatic.com/messages/papers/messages_e2ee.pdf USA, 21–30. https://doi.org/10.1145/2818000.2818007
[20] Google Meet 2022. https://apps.google.com/meet/. [50] Maliheh Shirvanian, Nitesh Saxena, and Jesvin James George. 2017. On the Pitfalls
[21] Amir Herzberg and Hemi Leibowitz. 2016. Can Johnny Finally Encrypt? Eval- of End-to-End Encrypted Communications: A Study of Remote Key-Fingerprint
uating E2E-Encryption in Popular IM Applications. In Proceedings of the 6th Verification. In Proceedings of the 33rd Annual Computer Security Applications
Workshop on Socio-Technical Aspects in Security and Trust (STAST ’16). Associa- Conference (ACSAC ’17). Association for Computing Machinery, New York, NY,
tion for Computing Machinery, New York, NY, USA, 17–28. https://doi.org/10. USA, 499–511. https://doi.org/10.1145/3134600.3134610
1145/3046055.3046059 [51] Signal 2022. https://signal.org/.
[22] Amir Herzberg, Hemi Leibowitz, Kent Seamons, Elham Vaziripour, Justin Wu, [52] Signal. 2022. Technical information. Retrieved July 21, 2022 from https://signal.
and Daniel Zappala. 2021. Secure Messaging Authentication Ceremonies Are org/docs/
Broken. IEEE Security & Privacy 19, 2 (2021), 29–37. https://doi.org/10.1109/ [53] Silent Phone 2022. https://www.silentcircle.com/products-and-solutions/silent-
MSEC.2020.3039727 phone/.
[23] Chris Howell, Tom Leavy, and Joël Alwen. 2017. Wickr Messaging Protocol. [54] Skype 2022. https://www.skype.com/en/.
TECHNICAL PAPER. Retrieved August 04, 2022 from https://wickr.com/wp- [55] Ryan Stedman, Kayo Yoshida, and Ian Goldberg. 2008. A User Study of Off-the-
content/uploads/2019/12/WhitePaper_WickrMessagingProtocol.pdf Record Messaging. In Proceedings of the 4th Symposium on Usable Privacy and
[24] Apple Inc. 2021. Apple Platform Security. iMessage security overview. Retrieved Security (SOUPS ’08). Association for Computing Machinery, New York, NY, USA,
July 27, 2022 from https://support.apple.com/guide/security/imessage-security- 95–104. https://doi.org/10.1145/1408664.1408678
overview-secd9764312f/web [56] Paul Szoldra. 2016. This is everything Edward Snowden revealed in one year
[25] Apple Inc. 2022. Apple Platform Security. FaceTime security. Retrieved July 27, 2022 of unprecedented top-secret leaks. Retrieved July 03, 2022 from https://www.
from https://support.apple.com/guide/security/facetime-security-seca331c55cd/ businessinsider.com/snowden-leaks-timeline-2016-9
web [57] Joshua Tan, Lujo Bauer, Joseph Bonneau, Lorrie Faith Cranor, Jeremy Thomas,
[26] Takanori Isobe and Kazuhiko Minematsu. 2018. Breaking Message Integrity of and Blase Ur. 2017. Can Unicorns Help Users Compare Crypto Key Fingerprints?.
an End-to-End Encryption Scheme of LINE. In European Symposium on Research In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems
in Computer Security, Javier Lopez, Jianying Zhou, and Miguel Soriano (Eds.). (CHI ’17). Association for Computing Machinery, New York, NY, USA, 3787–3798.
Springer, Springer International Publishing, Cham, 249–268. https://doi.org/10. https://doi.org/10.1145/3025453.3025733
1007/978-3-319-98989-1_13 [58] Telegram 2022. https://telegram.org/.
[27] KakaoTalk 2022. https://www.kakaocorp.com/service/KakaoTalk?lang=en. [59] Telegram. 2022. End-to-End Encryption, Secret Chats. Retrieved August 04, 2022
[28] Hugo Krawczyk. 2003. SIGMA: The ‘SIGn-and-MAc’approach to authenticated from https://core.telegram.org/api/end-to-end
Diffie-Hellman and its use in the IKE protocols. In Annual International Cryptology [60] Threema 2022. https://threema.ch/en.
Conference. Springer, 400–425. https://doi.org/10.1007/978-3-540-45146-4_24 [61] Threema. 2022. Cryptography Whitepaper. Retrieved December 24, 2022 from
https://threema.ch/press-files/2_documentation/cryptography_whitepaper.pdf

197
WiSec ’23, May 29-June 1, 2023, Guildford, United Kingdom Mashari Alatawi & Nitesh Saxena

[62] Nik Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Gold- offering the E2EE feature on one-to-one chats by default if both
berg, and Matthew Smith. 2015. SoK: Secure Messaging. In 2015 IEEE Symposium participants in the conversation are using the Google Messages app.
on Security and Privacy. IEEE, 232–249. https://doi.org/10.1109/SP.2015.22
[63] Serge Vaudenay. 2005. Secure Communications over Insecure Channels Based However, to utilize the E2EE feature in the Google Messages app,
on Short Authenticated Strings. In Annual International Cryptology Conference. both the sender and the receiver must use the Google Messages app
Springer, 309–326. https://doi.org/10.1007/11535218_19
[64] Elham Vaziripour, Justin Wu, Mark O’Neill, Ray Clinton, Jordan Whitehead, Scott
on their phone devices, have chat features enabled, and use data or
Heidbrink, Kent Seamons, and Daniel Zappala. 2017. Is That You, Alice? A Us- Wi-Fi for RCS messages.
ability Study of the Authentication Ceremony of Secure Messaging Applications.
In Proceedings of the Thirteenth USENIX Conference on Usable Privacy and Security A.1.3 Skype It is an IM and VoIP app [54]. Using the Signal pro-
(SOUPS ’17). USENIX Association, USA, 29–47.
[65] Sebastian R. Verschoor and Tanja Lange. 2016. (In-)Secure messaging with the tocol, it implements the E2EE feature as an optional property [41].
Silent Circle instant messaging protocol. Cryptology ePrint Archive, Paper Therefore, all Skype messages and calls are not E2EE by default.
2016/703. https://eprint.iacr.org/2016/703
[66] Viber 2022. https://www.viber.com/en/.
Users can protect their audio calls or messages by turning on an
[67] Rakuten Viber. 2022. Viber Encryption Overview. Retrieved July 21, 2022 from option called Private Conversation, which supports an E2EE scheme
https://www.viber.com/app/uploads/viber-encryption-overview.pdf based on the Signal protocol. This option only supports the E2EE
[68] WhatsApp. 2021. WhatsApp Encryption Overview. Technical white paper.
Retrieved July 21, 2022 from https://scontent-iad3-1.xx.fbcdn.net/v/t39.8562- feature in chats and audio calls between two users. There is no E2EE
6/326130579_868561330899040_2694856431949694281_n.pdf?_nc_cat=107& protection for either a video call or a group scenario. In one-to-one
ccb=1-7&_nc_sid=ae5e01&_nc_ohc=GiHwGuhmURAAX_u-okb&_nc_ht= audio calls, the Skype app uses an existing Private Conversation
scontent-iad3-1.xx&oh=00_AfDBUqimHHncuLDOeqED0EJOAeSSwksocCW-
XdIkabxGPA&oe=63DDCC24 session between two users to generate an encryption key and initi-
[69] WhatsApp 2022. https://www.whatsapp.com/. ate an E2EE audio call. After the E2EE audio call is set up, media
[70] Wickr 2022. https://wickr.com/.
[71] Wire 2022. https://wire.com/en/.
packets are encrypted with SRTP using the previously generated
[72] Ruishan Zhang, Xinyuan Wang, Ryan Farley, Xiaohui Yang, and Xuxian Jiang. encryption key.
2009. On the Feasibility of Launching the Man-in-the-Middle Attacks on VoIP
from Remote Attackers. In Proceedings of the 4th International Symposium on
Information, Computer, and Communications Security (ASIACCS ’09). Association A.2 Additional E2EE Applications Using
for Computing Machinery, New York, NY, USA, 61–69. https://doi.org/10.1145/ Proprietary Protocols
1533057.1533069
[73] Phil Zimmermann, Alan Johnston, and Jon Callas. 2011. ZRTP: Media path key A.2.1 Element It is an IM app and an independent communica-
agreement for unicast secure RTP. Internet Engineering Task Force (IETF) (2011), tion system connected via Matrix [11]. The Element app is built on
2070–1721.
[74] Zoom 2022. https://zoom.us/. top of the Matrix protocol and uses the encryption implemented
[75] Zoom. 2022. Zoom End-to-End Encryption Whitepaper. Retrieved August 04, 2022 within the Matrix open standard [38]. In all one-to-one and group
from https://github.com/zoom/zoom-e2e-whitepaper
chats and calls, the Element app uses the Olm encryption library,
which is based on the Double Ratchet protocol popularized by Sig-
A APPENDIX nal, to implement the E2EE feature by default.
A.1 Additional E2EE Applications Using the
A.2.2 FaceTime It is a video and audio calling service devel-
Signal Protocol oped by the Apple company [15]. The Apple company claims that
A.1.1 Google Meet It is an app developed by Google for video the audio and video content of FaceTime calls is encrypted E2EE
meetings and calls [20]. Google has upgraded the Google Duo app by default in all one-to-one and group scenarios. FaceTime uses
and merged it into the Google Meet app to include both video the Apple Push Notification service (APNs) to establish the first
calling and meetings in one app. Therefore, the Google Meet app connection point to the user’s registered devices [25]. This first
claims to provide an E2EE feature in one-to-one and group video connection point is made via an Apple server infrastructure that
calling using Google Duo’s end-to-end encryption [42]. The Google transmits data packets between the users’ registered devices. Users’
Meet app uses the Signal protocol to implement the E2EE protocol. registered devices verify their identity certificates and establish a
It uses E2EE mode by default for all voice and video messages shared secret for each session by using APNs and Session Traversal
and calls in all one-to-one and group conversations. In one-to-one Utilities for NAT (STUN) messages through the relayed connection.
calls, the Google Meet app uses WebRTC which supports E2EE By using SRTP, the shared secret is used to obtain session keys for
for individual calls utilizing DTLS-SRTP. Datagram transport layer the streamed media channels.
security (DTLS) is used to establish a secure connection between the
two participants in the call, whereas SRTP is used to provide real- A.2.3 KakaoTalk It is an IM app created by the Kakao company
time and encrypted media streams. On the other hand, meetings in South Korea [27]. It allows users to implement E2EE function-
in the Google Meet app are not end-to-end encrypted. Instead of ality as an opt-in feature. Therefore, the KakaoTalk app does not
E2EE, the Google Meet app uses cloud encryption for its meetings. enable the E2EE feature by default, and users must select an option
called Secret Chat to chat in an E2EE manner. The E2EE feature
A.1.2 Messages by Google It is an app developed by Google was added to the KakaoTalk app on top of its LOCO Messaging
to send messages using Short Message Service (SMS)/Multimedia Protocol [46]. The LOCO E2EE messaging protocol uses Transport
Messaging Service (MMS) and chat with RCS [40]. Google provides Layer Security (TLS), a central public-key directory server, the AES
RCS chat services via its Android Messages app. Recently, Google encryption algorithm, and the RSA key-pair. When using the Secret
began rolling out the E2EE feature for RCS in the Android Mes- Chat feature, all messages are E2EE in one-to-one and group chat
sages app [3]. The Google Messages app uses the Signal protocol to rooms. However, audio and video calls are not available when using
implement the E2EE feature for RCS messages [19]. Google is only the Secret Chat feature.

198
SoK: An Analysis of End-to-End Encryption and Authentication Ceremonies in Secure Messaging Systems WiSec ’23, May 29-June 1, 2023, Guildford, United Kingdom

A.2.4 LINE It is an IM app that is popular in East Asia [32]. It curve cryptography. The Threema app uses the ECDH protocol to
implements E2EE functionality by default under a security feature establish a shared secret. It then uses the XSalsa20 stream cipher
called Letter Sealing [8]. Therefore, the Letter Sealing feature is to encrypt the plaintext, whereas a message authentication code
turned on by default for all text messages, location information, (MAC) is computed by Poly1305-AES. In Threema calls, WebRTC is
voice calls, and video calls between two users in one-to-one scenar- used to establish a secure peer-to-peer (P2P) connection. The audio
ios. However, only text messages and location information are E2EE stream is encrypted with the SRTP protocol, and the key exchange
by default on group chats. The LINE app does not support E2EE is done with the DTLS-SRTP protocol.
voice or video calls in group scenarios. To implement the E2EE
A.2.9 Wickr Wickr [70] has developed the Wickr Me app and
feature, the LINE app uses the elliptic curve Diffie-Hellman (ECDH)
the Wickr Pro app for individual and business uses, respectively.
protocol over Curve25519 and AES-256 in GCM mode. However, in
To provide the E2EE feature, Wickr uses its own protocol called
one-to-one voice and video calls, the LINE app utilizes the curve
the Wickr secure messaging protocol, which is based on standard
secp256r1 for the VoIP encryption protocol, AES for symmetric
cryptographic primitives [23]. It uses ECDH key exchange with
encryption, and HKDF for deriving symmetric keys.
P521 key pairs, ECDSA with P521 key pairs, AES 256 in GCM mode,
A.2.5 Linphone It is an audio and video calling app that supports and KDF. All messages and audio/video calls are E2EE by default in
IM [33]. It implements E2EE functionality as an opt-in feature for all one-to-one and group scenarios. Once Wickr generates keys for
one-to-one and group messages, as well as for audio and video calls. users and their first devices, it stores public keys and root identifiers
In order to implement E2EE in one-to-one and group IM features, on Wickr servers.
the Linphone app uses its own E2EE protocol called Linphone
A.2.10 Wire It is an IM and VoIP app created by the Wire Swiss
instant message encryption (LIME) [34]. This LIME protocol is
GmbH company [71]. It claims that all messages and calls are E2EE
inspired by the Signal protocol, allowing users to send and receive
by default in all one-to-one and group scenarios. Wire uses the Pro-
messages privately and asynchronously. On the other hand, the
teus protocol to implement the E2EE feature, which copies some
Linphone app implements the E2EE feature for one-to-one audio
features of the Signal protocol [18]. However, the Proteus proto-
and video calls using ZRTP and SRTP-DTLS, which are compatible
col has been customized as an independent implementation of the
with WebRTC. However, the E2EE feature is not available for voice
Signal protocol. The Proteus protocol uses the following crypto-
or video calls in group scenarios.
graphic primitives: the ChaCha20 stream cipher, HMAC-SHA256
A.2.6 Messages by Apple It is an IM app developed by the as MAC, ECDH key exchange, and HKDF for key derivation. In
Apple company to send messages with iMessage and SMS/MMS Wire calls, the call media session is encrypted by the SRTP protocol,
[39]. The Apple Messages app utilizes the iMessage protocol to whereas the DTLS handshake is used to negotiate the SRTP encryp-
implement the E2EE feature by default in all one-to-one and group tion algorithm, keys, and parameters. Once a client generates the
scenarios [24]. After switching on iMessage on a device, the device key material, the client uploads pre-keys bundled with its public
generates encryption and signing pairs of keys for use with the identity key to a Wire server, which can be used by other clients to
service. The Apple iMessage protocol uses an encryption RSA 1,280- asynchronously initiate an E2EE conversation.
bit key and an encryption EC 256-bit key on the NIST P-256 curve
for the encryption, whereas with the elliptic curve digital signature A.3 Additional Tables and Figures
algorithm (ECDSA), 256-bit signing keys are used for the signatures.
It also uses Apple Identity Service (IDS) to store public keys and Table 3: End-to-End Encrypted Applications Rating and Reviews on Google
maintain the mapping between them and the user’s phone number Play Store
or email address, along with the device’s APNs address, whereas Application
Installs on
Rating Reviews
Google Play
private keys are saved in the device’s keychain. The APNs are then WhatsApp 5,000,000,000+ 4.3 172,000,000
used to deliver the encrypted message text, the encrypted message Facebook
5,000,000,000+ 4.1 85,900,000
key, and the sender’s digital signature. Messenger
Google Meet 5,000,000,000+ 4.6 9,810,000
A.2.7 Silent Phone It is an IM and VoIP app developed by Silent Viber 1,000,000,000+ 4.5 16,200,000
Telegram 1,000,000,000+ 4.3 11,800,000
Circle [53]. It claims that all messages and calls are E2EE by default Skype 1,000,000,000+ 4.1 11,500,000
in all one-to-one and group scenarios. It uses its own protocol, based Messages
1,000,000,000+ 4.2 9,150,000
on the Signal protocol, to implement E2EE in IM features [65]. On by Google
LINE 500,000,000+ 4.1 13,700,000
the other hand, ZRTP is used to implement the E2EE feature in Zoom 500,000,000+ 4.2 3,980,000
audio and video calls [73]. ZRTP uses Diffie-Hellman key exchange KakaoTalk 100,000,000+ 4.3 3,160,000
and SRTP to establish a shared session key and encrypt data. Signal 100,000,000+ 4.4 2,190,000
Wickr Me 10,000,000+ 4.8 89,000
A.2.8 Threema It is an IM app that also allows users to make Threema 1,000,000+ 4.1 70,800
voice and video calls [60]. It claims that all messages and calls Wire 1,000,000+ 2.9 35,100
Linphone 500,000+ 3.8 5,350
are E2EE by default in all one-to-one and group scenarios. It uses Element 500,000+ 4.1 4,570
its own protocol to implement the E2EE feature in messages and Silent Phone 500,000+ 3.8 1,830
calls [61]. When the Threema application is installed on a user’s
phone device, it generates, for each user, a unique asymmetric key
pair consisting of a public key and a private key based on elliptic

199
WiSec ’23, May 29-June 1, 2023, Guildford, United Kingdom Mashari Alatawi & Nitesh Saxena

(b) WhatsApp (d) Skype

(c) Viber
(a) Telegram

Figure 3: Alerting users that the opportunistic E2EE mode is turned on and their messages are end-to-end encrypted by using different indicators, such as special
notification messages and lock icons.

(d) Telegram
(a) Signal (c) Skype
(b) KakaoTalk (e) Facebook Messenger

Figure 4: Some E2EE applications refer to the authentication ceremony using the terminology shown above.

200
SoK: An Analysis of End-to-End Encryption and Authentication Ceremonies in Secure Messaging Systems WiSec ’23, May 29-June 1, 2023, Guildford, United Kingdom

(b) WhatsApp
(c) Telegram
(d) Wickr
(a) Signal

(h) Silent Phone

(e) KakaoTalk

(f) Element (g) Linphone

Figure 5: Fingerprint representations in E2EE applications

201