The attacks in this paper are much less damaging than the attacks in the Nebuchadnezzar paper were against Matrix. But somehow, Threema comes out looking even worse:<p>* Threema's end-to-end inner protocol, the one used to exchange messages between actual humans, is based on a single X25519 key, used bidirectionally. It has no forward secrecy. Worse, to prevent otherwise-trivial replay attacks made possible by the simplistic structure of the protocol, both sides have to cache every nonce they've seen used to encrypt a message. This breaks down when users change devices, which, due to the structure of the protocol, is trivially detectable.<p>* The Threema E2E protocol includes enough metadata to ostensibly enforce message ordering, <i>but they don't authenticate it</i>, so attackers can (1) strip the metadata off and (2) hold back and/or reorder messages at their luxury.<p>* Threema has the hello-world of E2E protocols, but for reasons not made clear has chosen to build their own transport protocol for client-server transactions (ie, login), rather than using TLS or NoiseIK. The C2S handshake has the raw material to do an authenticated DH key exchange, ala 3DH (both sides have long-term and ephemeral secrets), but they freelanced it instead and come up with a proof-of-identity round trip that is trivially replayable, and which destroys the forward secrecy of the C2S protocol.<p>* One form of Threema backup uses encrypted ZIPs, which reveal the names of files, which files apparently (according to the paper) reveal the identity of counterparties you've been talking to. Also: the ZIP library the client uses didn't verify MACs, and while Threema fixed that, the maintainer of the ZIP library Threema chose hasn't responded, which is :grimace-emoji:.<p>* You can "lock" your Threema app, but it does so much background processing that attackers can extract your private key if they have access to the device (or, maybe, all its traffic?) --- to wit, Threema does automated backups, the backups are compressed-then-encrypted, Threema processes messages in the background even when locked, one of those messages runs an automatic contact discovery protocol, and attackers can inject contact-discovery messages to do a byte-by-byte CRIME-style recovery of the private key, which is embedded in the same JSON document(!) as contact information in the backup system.<p>There is a very funny bit in the middle of the paper where they reconstitute the C2S proof-of-identity replay attack, this time minting a new identity proof rather than replaying it. To pull this off, they bounce the C2S protocol off of the E2E protocol: because, and I cannot believe I am saying this, Threema uses PKCS7 padding (ie, "I'm 3 bytes short of my block size, so I'll pad with 03h 03h 03h"), you can trick a Threema client into sending a message which, once encrypted, will have the 01h-delimited format of the identity proof (because 1/254 validly padded messages will happen to end in 01h). I didn't read closely enough to figure out if there was any reason you would go to the trouble of executing this attack variant, and it is entirely possible that they are just showing off. But: that's why you read these kinds of papers! For the stunt cryptography!<p>A bit of advice: read these papers for the cryptographic design and pitfall ideas, not for verdicts on which messaging systems to use. Maybe there are very good reasons to use Threema besides its flimsy protocol design; the point is: we know how to design better protocols that don't have these problems, and so (1) here are some more examples for the textbooks on why you should domain-separate your keys (for instance, to make it impossible to bounce the C2S protocol off the E2E protocol in the first place), and (2) Threema could drastically improve their system simply by adopting a known-good protocol rather than freelancing their own.<p>Great stuff.<p>[1] <a href="https://nebuchadnezzar-megolm.github.io/" rel="nofollow">https://nebuchadnezzar-megolm.github.io/</a>