The Making of “End-to-End Encrypted Messaging” with Rolf Oppliger

Artech House author and series editor Rolf Oppliger gave us insight into how his book, End-to-End Encrypted Messaging, came to be:

In 2001, I wrote “Secure Messaging with PGP and S/MIME” (ISBN 978-1-58053-161-0) that was published as the fourth title in the then newly established Information Security and Privacy book series of Artech House (https://www.esecurity.ch/serieseditor.html). At this point in time, the topic of the book, i.e., secure messaging, was largely dominated by PGP and S/MIME, and both technologies were sufficiently stable and significant to be addressed in a book of its own. Due to their maturity and significance, the acronyms PGP and S/MIME were included in the book title.

But secure messaging with PGP and S/MIME turned out to be not as successful as originally anticipated. When I revisited the topic in 2014, I had to realize that I could not produce a second edition of “Secure Messaging with PGP and S/MIME.” Instead, several trends had changed the field fundamentally:

– Purely text-based messaging had been replaced or at least complemented by multimedia messaging, simultaneously comprising text, voice, and video;
– The asynchronous nature of messaging (e-mail) had been replaced or at least complemented by synchronous messaging called instant messaging;
– People had realized that hybrid encryption and digital signatures are not the only cryptographic techniques in town, and that certain use cases require other techniques and properties, such as forward secret encryption and plausible deniability;
– The distributed and open nature of Internet messaging had been challenged by large companies providing centralized and proprietary messaging services (that are very convenient to use).

All of these trends led to a situation in which PGP and S/MIME were not the only technologies for secure messaging, and I therefore had to expand the scope of the revised book a little bit. The resulting book was entitled “Secure Messaging on the Internet,” and it was published as the 39th book in the series.

In the past six years, the above-itemized trends have intensified a lot, and several new approaches and respective messaging protocols have evolved over time. Similar to e-mail, some of these protocols are based on standards, while others are based on nonstandard and proprietary protocols. Like PGP and S/MIME, some protocols provide end-to-end encrypted (E2EE) messaging using similar technologies. But some protocols go one step further and provide additional features that are more in line with the requirements of today’s messaging users, such as OTR messaging that provides forward secret encryption and plausible deniability. Also, some large companies have come up with E2EE-enabled messengers, such as Apple with iMessage and Google with Allo’s Incognito Mode (the development of Google Allo was stopped in 2018). Furthermore – and even more after the revelations of Edward Snowden in 2013 – several E2EE messengers have been launched, such as Threema, Viber, Wickr, Telegram, Wire, and maybe most importantly, TextSecure, which has been the starting point for Signal and the E2EE messaging feature of WhatsApp. The cryptographic protocol that was originally developed for TextSecure and later used in Signal and WhatsApp was originally called Axolotl and later renamed to Signal. Today, Signal is the protocol of choice for most E2EE messengers and respective apps used in the field. As PGP and S/MIME dominated the field in the 1990s and 2000s, the Signal protocol clearly dominates the field in E2EE messaging today, and this is not likely to change anytime soon.

Against this background, I had to realize that the field had again changed substantially, and that the topic, secure messaging on the Internet, deserved another update. This insight was even fortified by EFAIL and some related attacks that demonstrated that the cryptographic primitives used in most S/MIME and OpenPGP implementations were buggy and somewhat out of date. Since 2017, the S/MIME and OpenPGP specifications have been adapted to comprise more modern cryptographic primitives, such as authenticated encryption and elliptic curve cryptography (ECC). This has improved the situation considerably, but it has not led to a revitalization of OpenPGP or S/MIME.

The evolution and mode of operation of the Signal protocol are key to understanding E2EE messaging as it stands today. Any book about this topic needs to explain the Signal protocol from scratch and explain the rationale behind its design in greater detail. This is the major purpose of my new book entitled “End-to-End Encrypted Messaging” that is to be released soon. In addition to the conventional approaches to secure messaging, it explains the modern approaches messengers like Signal are based on. OpenPGP and S/MIME are still addressed to explain the roots and origins of secure messaging, but the focal point of the new book is indeed the Signal protocol and its implementation and use in WhatsApp. For the sake of completeness, some other E2EE messengers are explained, as well. Some of them may not withstand the proof of time; we will see.

The bottom line is that “End-to-End Encrypted Messaging” is an entirely new book. In some sense, it can be seen as a third edition of “Secure Messaging with PGP and S/MIME” or a second edition of “Secure Messaging on the Internet.” This means that there are some parts of these books that have been reused, but most parts are new and written from scratch (this even applies to the parts that refer to OpenPGP and S/MIME). I hope that the new structure of the book better reflects the shift in industry, and that the book better serves the needs of today’s practitioners working in the messaging field. Its main goal is to introduce, explain, fully discuss, and put into perspective the Signal protocol that represents the state of the art in secure and E2EE messaging on the Internet.
