A team of researchers including from King’s have won a prize only awarded to around 1% of paper submissions for their work revealing vulnerabilities in encryption technology used by public bodies like the French Government to protect their communication. Professor Martin Albrecht, Chair of Cryptography in the Department of Informatics, Sofía Celi from Brave Software, Benjamin Dowling from the University of Sheffield, and Daniel Jones from Royal Holloway, were awarded a distinguished paper award at the 44th IEEE Symposium on Security and Privacy (IEEE S&P).

In the paper titled “Practically-exploitable Cryptographic Vulnerabilities in Matrix” the authors report cryptographic vulnerabilities in the methods used to secure data in a platform called Matrix. Like other modern instant messaging systems (WhatsApp, Signal, etc) Matrix provides end-to-end encryption to protect the privacy of conversations even in the case that the chat server is compromised by a malicious party, leading many to adopt these platforms in the belief that their information is safe.

However, the research recognised at IEEE S&P revealed that there were several flaws in how end-to-end encryption was done in Matrix. The team disclosed their findings to the Matrix developers last summer, who in response patched some of these vulnerabilities and started re-designing their security processes to address a principal design flaw.

Reflecting on the award, Professor Martin Albrecht commented: “As you might imagine, finding and analysing these sort of vulnerabilities takes months of painstaking work . So we’re all extremely happy about our work being recognised by the information security community in this way."

In academia, cryptographic protocols or security measures must come with a mathematical proof that shows that if the attacker can break the protocol, then they must be able to do a number of things which are believed impossible. This can be established difficult computational problems, like factoring a large number.

Researchers still need to trust that these computational problems are indeed difficult, but the study of these problems is a much more narrow task than looking into the potential flaws of the wealth of protocols currently being used to encrypt data. Moreover, since many protocols are based on the same computational problem, the research community can come together to focus their efforts on these few problems, with the hope of arriving at new solutions and tougher protocols quicker.

The team discovered Matrix’s vulnerabilities when they tried to produce these formal proofs, soon realising that they could not. With these vulnerabilities now being fixed, the team now hopes to formally establish precisely what security Matrix does provide.

For more information on this work, check out this episode of the Security Cryptography Whatever podcast with Professor Martin Albrecht and Daniel Jones, as well as their presentation given to the Black Hat Europe security conference.