Verification of LINE Encryption Version 1.0 Using ProVerif

Cheng SHI  Kazuki YONEYAMA  

IEICE TRANSACTIONS on Information and Systems   Vol.E102-D   No.8   pp.1439-1448
Publication Date: 2019/08/01
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2018FOP0001
Type of Manuscript: Special Section PAPER (Special Section on Formal Approaches)
formal methods,  end-to-end encryption,  LINE Encryption,  ProVerif,  

Full Text: PDF(381.5KB)>>
Buy this Article

LINE is currently the most popular messaging service in Japan. Communications using LINE are protected by the original encryption scheme, called LINE Encryption, and specifications of the client-to-server transport encryption protocol and the client-to-client message end-to-end encryption protocol are published by the Technical Whitepaper. Though a spoofing attack (i.e., a malicious client makes another client misunderstand the identity of the peer) and a reply attack (i.e., a message in a session is sent again in another session by a man-in-the-middle adversary, and the receiver accepts these messages) to the end-to-end protocol have been shown, no formal security analysis of these protocols is known. In this paper, we show a formal verification result of secrecy of application data and authenticity for protocols of LINE Encryption (Version 1.0) by using the automated security verification tool ProVerif. Especially, since it is claimed that the transport protocol satisfies forward secrecy (i.e., even if the static private key is leaked, security of application data is guaranteed), we verify forward secrecy for client's data and for server's data of the transport protocol, and we find an attack to break secrecy of client's application data. Moreover, we find the spoofing attack and the reply attack, which are reported in previous papers.