
Should We Chat, Too? Security Analysis of WeChat's MMTLS Encryption Protocol.pdf

Uploaded by: 竿*** ID: 981830 2025-11-29 48 pages 3.85MB

Slide: Security Analysis of WeChat's MMTLS Encryption Protocol
Pellaeon Lin, Mona Wang
Thursday, April 3 2025

Slide: Agenda
Introduction, motivation, methodologies
WeChat network request lifecycle
MMTLS encryption, business-layer encryption
Discussion, recommendations, future work

Slide: Pellaeon Lin
Researcher at Citizen Lab, University of Toronto
Security and privacy of mobile apps
Past studies:
TikTok vs Douyin - A Security and Privacy Analysis
Unmasked II: An Analysis of Indonesia and the Philippines Government-launched COVID-19 Apps
Unmasked: COVID-KAYA and the Exposure of Healthcare Worker Data in the Philippines

Slide: Mona Wang
Networking security researcher, PhD student at Princeton CITP
OTF Information Controls Research Fellow at Citizen Lab
Previously technologist at EFF
Other work:
Network measurement (CoNEXT '22)
Traffic fingerprinting resistance and censorship circumvention (PETS '22)
Threat modelling and security training for organizers (CSCW '22)
https:/

Slide: Motivation
What's being sent?
Is the encryption sound?
Why custom encryption?

Slide: Motivation
WeChat MMTLS: secures 1+ billion users' traffic; deployed for 8 years; one public blog post.
SSL/TLS: secures billions of users' traffic; 30+ years of development; open standard, lots of academic and public scrutiny.
MMTLS deserves just as much scrutiny as TLS!

Slide: WeChat network request lifecycle

Slide: Anatomy of a WeChat network request
API endpoint is referred to as "Scene", has unique "type" number and URI.

Slide: Anatomy of a WeChat network request
Request and response formats are defined using Protobuf.
Screenshot shows a portion of the request Protobuf fields.
API object (NetSceneBase): defines structure of API data, what type of encryption to use.
Serializer (reqToBuf): serializes the object into byte arrays.
Encryptor (MMProtocalJni.so): encrypts byte arrays using crypto specified by API type.
OpenSSL O

Based on the report "Security Analysis of WeChat's MMTLS Encryption Protocol", the key points of the full text are:
1. **Research background**: WeChat's MMTLS encryption protocol protects the traffic of over 1 billion users and has been deployed for about 8 years.
2. **Encryption protocol analysis**: MMTLS is based on TLS 1.3, but with some modifications, such as a limited choice of cipher suites and a lack of forward secrecy.
3. **Business-layer encryption**: WeChat uses two business-layer encryption modes, logged-in and logged-out, and both have security weaknesses.
4. **Security vulnerabilities**: The research found multiple security vulnerabilities in MMTLS, including a lack of forward secrecy and session reuse that leaves requests without replay protection.
5. **State of encryption in Chinese apps**: 65.4% of the top 1,000 apps send plaintext traffic, and 47.6% use proprietary encryption.
6. **Recommendations**: WeChat is advised to upgrade its business-layer encryption and improve overall app security.
"WeChat Encryption Protocol Security Flaws Revealed" "Security or hidden risk?" "Autonomy or risk?"