Safeum

I’m not going to do full protocol analysis for proprietary products with bad documentation. Here are some immediate thoughts based on content on their web page.

“We implemented most recent achievements and cutting-edge technologies in information technology security to develop cryptographic protection mechanisms for our instant messenger.”

Cutting edge is hardly the word when messages are signed with ECDSA: it lacks deniability.

“The level of encryption and its performance meets the most stringent banking standards.”

Marketing (Stef #6: uses marketing-terminology like “cyber”, “military-grade”)

“Your private or business information is totally safe and confidential when using our chat messenger”

Misleading marketing. Implies the lack of a threat model.

“In case the user does not trust the cryptographic service provider”

I think this is supposed to say IM server, not cryptographic service provider; the assumption is that the user can trust the cryptographic services provided by Safeum.

“P2P mode which eliminates the technical possibility of interception”

It absolutely doesn’t. It only bypasses Safeum servers so that they cannot intercept messages.

“Digital signature is another reliable way of data protection during transfer.”

Digital signatures are the old way. They take away the important aspect of deniability. This should be fixed by changing to MACs.
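The deniability point above (and in the ECDSA remark earlier), as an added Python example that is not from the original post or from Safeum. It assumes both endpoints already share a session key from the key exchange. The party names and message texts are constructed.

```python
import hashlib
import hmac
import secrets


def mac_tag(key: bytes, sender: str, text: str) -> bytes:
    """HMAC-SHA256 over length-prefixed sender and text (unambiguous encoding)."""
    parts = [sender.encode(), text.encode()]
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_ok(key: bytes, sender: str, text: str, tag: bytes) -> bool:
    """Constant-time check of a tag against the recomputed value."""
    return hmac.compare_digest(mac_tag(key, sender, text), tag)


def demo() -> dict:
    # Constructed session key: both endpoints hold it after the key exchange.
    shared = secrets.token_bytes(32)

    # Alice authenticates a message; Bob verifies it with the same key.
    sent = ("alice", "meet at noon")
    sent_tag = mac_tag(shared, *sent)

    # Bob holds the same key, so he can compute a valid tag for text that
    # Alice never wrote. A third party cannot tell the two entries apart,
    # which is why a MAC'd transcript proves nothing about authorship.
    never_sent = ("alice", "text Alice never wrote")
    never_sent_tag = mac_tag(shared, *never_sent)

    # Someone without the key still cannot alter a message unnoticed.
    altered = ("alice", "meet at midnight")

    return {
        "bob_accepts_real": mac_ok(shared, *sent, sent_tag),
        "entry_bob_made_verifies": mac_ok(shared, *never_sent, never_sent_tag),
        "altered_in_transit_rejected": not mac_ok(shared, *altered, sent_tag),
        "outsider_key_rejected": not mac_ok(secrets.token_bytes(32), *sent, sent_tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a signature scheme only the holder of Alice's private key can produce a valid signature, so the same transcript would be evidence against her to anyone holding her public key.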

“Account and chat hacking as well as spoofing are totally eliminated.”

There is no correlation, and saying the user cannot be hacked is snake oil.

“Hybrid encryption scheme”

Marketing. Key exchange algorithms for symmetric ciphers are as old as the Internet.

“This hybrid scheme allows to “take the best” out of each system”

“The round wheels make the car go much faster compared to using square shape tires!”

“SafeUM cryptography experts implemented complex algorithmic optimization”

Sounds like the crypto library used isn’t the standard anymore.

“Our servers have no hard drives.”

Quite frankly, the users don’t care about the server configuration. They want

  1. Functional end-to-end encryption to protect messages from Safeum and all other third parties.
  2. A way to register and use the service anonymously through Tor to hide metadata.

“Third parties can only access these data after going through a complicated legal and bureaucratic procedure.”

Or they can remotely exploit the server.

“We do not have private keys. They are generated on the basis of the pass-phrase that the user must remember.”

The user is a bad entropy source; the services provided by the OS should be used. The user's passphrase should only protect message logs at rest.

“You can simultaneously use up to three accounts online”

Is the same key generated for every device when the user enters the same password?

“What do you think about the disable chat history saving feature?”

This is a normal setting users are going to want.

“Screenshot protection?”

Yet another snake oil feature. There is no sender-based control outside idiocracy.

“Sign up without mobile number using only login and password. This will keep your location secret.”

There’s no Tor/VPN/proxy used and users correlate account name with their banking information. This is an outrageous lie.

“Security is at the core of everything, even in the free version!”

Yet there is a paid option for “enhanced encryption”. Boo.

“We do not ask you to take our word! You can check the reliability of SafeUM secure messenger if you wish.”

Great. Where’s the source code? Does your licence allow me to compile a client from the source, or do I need to download the binary and take your word?

Technologies

“Direct dynamic AES* key generation scheme”

If you’re generating new key per message, say so.

“It will take several decades and all the computing power of the globe to decrypt each of your messages.”

Crypto is not broken, it is bypassed / undermined. The figures are way below real numbers: It would take millions of years, not decades to decrypt a single message.

“Besides reliable encryption SafeUM also guarantees sender authenticity and data integrity by implementing digital signature mechanism.”

Nothing is said about fingerprint verification.

“AES block cipher with CBC mode used”

There are faster alternatives that are harder to implement incorrectly.

“PRNG generates a pseudo-random sequence of numbers”

The correct term is CSPRNG and it’s not generally advertised as a technology.

“TLS v2.0 (SSL v3.0) is used as an encryption transport layer for WebSockets”

There is no TLS 2.0. If it’s actually SSLv3 — they should immediately get rid of it: http://disablessl3.com/
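One way to check what a server actually negotiates instead of trusting the label, as an added Python example that is not from the original post or from Safeum: it reads the version field of a ServerHello record. The sample records are constructed and the function names are illustrative.

```python
import struct

# Wire code points for the ServerHello version field. There is no "TLS 2.0".
VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",  # TLS 1.3 also puts 0x0303 here and signals 1.3 in an extension
}


def server_hello_version(record: bytes) -> int:
    """Return the version field of a ServerHello carried in one TLS record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if len(body) != length or length < 6:
        raise ValueError("truncated handshake message")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    # body[1:4] is the handshake length, body[4:6] the server version.
    return struct.unpack("!H", body[4:6])[0]


def assess(record: bytes) -> tuple:
    """Name the negotiated version and say whether it is SSL 3.0."""
    version = server_hello_version(record)
    name = VERSION_NAMES.get(version, f"unknown 0x{version:04x}")
    return name, version == 0x0300


def sample_server_hello(version: int) -> bytes:
    """Constructed ServerHello: zero random, empty session id, null suite."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x00" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


if __name__ == "__main__":
    for v in (0x0300, 0x0303):
        print(assess(sample_server_hello(v)))
```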

“For data transfer and storage, the AES encryption is applied (256 bits key in CTR mode of operation).”

But, they just said it was CBC mode. Okay. CTR it is.

Conclusion

Would you pay for a service that offers fewer features, less security, less privacy, and less anonymity than a gratis alternative, such as Signal? Either the marketing hasn’t consulted the tech department, or the tech department has no real expertise in crypto. Avoid.
