Verifying encryption in Facebook Messenger secret conversations

  • I've just tried Facebook Messenger's secret conversations feature. I started a conversation with Alice on Facebook Messenger for iOS. I noticed the following in Facebook's online help, under the heading "How do I verify that my secret conversation in Messenger is encrypted?"

    Both people in a secret conversation have a device key that you can compare to verify that the messages are end-to-end encrypted.

    To verify that the conversation is encrypted, compare your device key with the other person's device key to confirm that they match.

    When I tap through to the device keys pane for a secret conversation, I am presented with keys called "YOUR KEY" and "ALICE'S KEY". They do not match. The wording above implies to me that I should see two identical keys. Although if they are "device keys" then they should be unique to a device and therefore be different. I concluded the help's wording is just unclear.

    On that same screen displaying the keys, I read the following message.

    Your key is the same for all of your secret conversations on this device. Alice's key should match the one on their device.

    That seems to say that if Alice sees the same two keys on her device, encryption is "verified." So it seems that:

    1. A device key is the public key of a keypair generated by the Facebook Messenger app.
    2. By confirming with Alice that her device key is the one I'm using, I authenticate her public key and achieve the "verification" Facebook is talking about.

    If all of this is correct, then I have to ask:

    Is this verification process just here to provide some comfort? Or is Facebook Messenger actually vulnerable to MITM attacks? Do paranoid users require an already-secure channel over which to verify keys? Finally, how can I find out more about the implementation of Facebook's secret conversations?

  • jupenur (Correct answer)

    4 years ago

    Facebook Messenger uses the Signal Protocol. This is the same protocol used in Signal and WhatsApp, and works on standard public-key cryptography principles.

    Your key is your own public key, which others can use to encrypt messages intended for you. Alice's key is Alice's public key you (or anyone else) can use to encrypt messages intended for Alice. The strings presented in the app are actually cryptographic signatures of these keys.

    To verify that both you and Alice have the correct keys, you have to compare the cryptographic signature of your key on your device to the cryptographic signature of your key on Alice's device and the cryptographic signature of Alice's key on Alice's device to the cryptographic signature of Alice's key on your device. This should be done over a secure channel, e.g. by meeting with Alice in person and comparing the signatures visually.

    When you have verified both keys, MITM should not be possible. This is of course assuming Facebook's implementation of the Signal Protocol is correct and secure.

    You can also skip the verification entirely for what's known as Trust On First Use (TOFU). With the TOFU approach you simply blindly assume that the keys are correct the first time, and later if someone attempts a MITM attack, the app will notify you that the keys have changed.

    There's a Facebook whitepaper on Messenger Secret Conversations here and a formal audit report of the Signal Protocol itself here.

    Couldn't Messenger just send the encryption keys to Facebook? How do we know they aren't doing that already?
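
The key comparison and Trust On First Use behaviour described in the answer above, as an added example that is not part of the original thread and is not Messenger's or Signal's code. It assumes the string shown in the app can be modelled as a SHA-256 digest of the public key; `PinStore`, `fingerprint` and the sample keys are hypothetical names and constructed values.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    # Assumed display format: SHA-256 of the key, hex, in groups of four.
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

def _canonical(fp: str) -> bytes:
    # Ignore spacing and case so a fingerprint read aloud or retyped still compares.
    return "".join(fp.split()).lower().encode()

class PinStore:
    """Keys this device has seen for each contact (TOFU) and whether they were verified."""

    def __init__(self):
        self._pins = {}  # contact -> {"key": bytes, "verified": bool}

    def observe(self, contact: str, public_key: bytes) -> str:
        """Record the key the server delivered for a contact and classify it."""
        pin = self._pins.get(contact)
        if pin is None:
            self._pins[contact] = {"key": public_key, "verified": False}
            return "pinned-on-first-use"
        if hmac.compare_digest(pin["key"], public_key):
            return "verified" if pin["verified"] else "unverified"
        # New device, reinstall or interception: indistinguishable here, so the
        # old pin is kept and the caller must warn the user.
        return "key-changed"

    def confirm(self, contact: str, fp_shown_on_their_device: str) -> bool:
        """Compare our pinned fingerprint with the one read from the contact's own device."""
        pin = self._pins[contact]
        ok = hmac.compare_digest(_canonical(fingerprint(pin["key"])),
                                 _canonical(fp_shown_on_their_device))
        pin["verified"] = ok
        return ok

def demo():
    alice_key, other_key = b"\x01" * 32, b"\x02" * 32  # constructed sample keys
    honest, intercepted = PinStore(), PinStore()
    honest.observe("alice", alice_key)
    intercepted.observe("alice", other_key)  # wrong key delivered at first contact
    return {
        "honest_confirm": honest.confirm("alice", fingerprint(alice_key).upper()),
        "intercepted_confirm": intercepted.confirm("alice", fingerprint(alice_key)),
        "later_change": honest.observe("alice", other_key),
        "after_verify": honest.observe("alice", alice_key),
    }
```

The `intercepted` store shows the limit of TOFU on its own: a wrong key delivered at first contact is pinned without complaint, and only the out-of-band comparison in `confirm` exposes it.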

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM