Team Context Objective Specifications Recommendations Code

Berty project

Security analysis of a secure distributed messaging system

4INFO project 2024/2025

Team presentation

Supervisors : Gildas Avoine, Olivier Heen

Students : Pierre Hubert, Ala Alkhafaji, Salah Al-bakri, Paul Gasnier, Thibault Didier, Alexandre Leconte and Kevin Tollemer

Context

In a world where digital exchanges are omnipresent, guaranteeing the confidentiality of communications has become a priority. Conventional secure messaging solutions offer interesting levels of protection, but often rely on centralized infrastructures, making them vulnerable to attack and surveillance.

Berty sets itself apart by offering an innovative approach: distributed messaging, operating on a peer-to-peer (P2P) basis, eliminating single points of failure. Thanks to advanced encryption and a censorship-resistant architecture, Berty ensures secure exchanges, even without a stable Internet connection.

Project objective

The aim of this project is to evaluate the robustness of Berty by analyzing its protection mechanisms against potential against potential threats. The study aims to identify potential vulnerabilities in cryptographic protocols, data management and the system's resilience to system's resilience to attack. The analysis aims to verify whether Berty actually delivers on its promises in terms of confidentiality, integrity and availability of communications.

Specifications

Berty is based on a distributed architecture combining its user interface and the Weshnet, developed in-house. The latter uses technologies such as IPFS and libp2p to enable peer-to-peer communication without a central server. communication without a central server. End-to-end encryption is reinforced by a key rotation system inspired by system inspired by Signal, ensuring confidentiality even in the event of partial compromise.

Recommendations

Our analysis focuses on components developed by Berty Technologies, in particular Berty (v2.470) and Weshnet (v2.0.4). This approach makes it possible to target the critical parts of the system over which developers have direct control over.

The lack of regular updates and certain weaknesses observed in the code raise questions about Berty's ability to meet the requirements of daily and secure use. Furthermore, the service's relative instability and a more complex-than-expected application architecture suggest that this project is currently more suited for experimentation. Additionally, the presence of centralized elements in the network architecture and the lack of transparency regarding the procedures for becoming an active participant in the network may raise concerns about the guarantees provided by the developers.

Code

The code for the project's studied components is available on Berty Technologies' Github.

  • Berty is the repository hosting Berty's source code, developed in Go, as well as the mobile application developed in React Native.
  • Weshnet hosts the source code for Weshnet, the protocol on which Berty is based.

The Weshnet protocol relies on several network layers, which are out of scope for the security analysis project, but which are still important for understanding the project. They are :

  • OrbitDB is a distributed database based on IPFS addressing.
  • IPFS for InterPlanetary File System, is a standard used for content addressing, compatible with HTTP, and based on libp2p.
  • libp2p is an open source network library that enables peer-to-peer data exchange.