Signal security revealed: A triple-Diffie-Hellman with a double ratchet
Secure messaging app invites you to dive in and figure out if it's done anything wrong
Signal developer Open Whisper Systems has quietly posted some important documents for developer consumption: the specifications of its signature schemes, its key agreement protocol, and its message encryption protocol.
The posts are dated 20 November, although a Tweet from 4 November suggests the documentation was stealth-published earlier.
The three specs cover the XEdDSA and VXEdDSA signature schemes; the Extended Triple Diffie-Hellman (X3DH) key agreement protocol; and what the outfit calls the “Double Ratchet” protocol, which Signal uses for message encryption.
With the Signal Service API and Signal Protocol API already public, Whisper Systems is giving outsiders a deep view of the operations of the popular privacy-messaging system.
So what's in the box?
X3DH kicks things off, providing key agreement between Alice and Bob even if only one of them is online at the time. It uses a familiar publish-and-fetch approach – Bob uploads his public keys to a server, and Alice retrieves them from it when she wants to talk – and from that material the pair each derive the same shared secret key, which never crosses the wire. The server is only a key directory; the spec doesn't trust it to behave, which is why Bob's prekey is signed.
The document's in-short version of what happens is a three-phase process:
- Bob publishes his identity key and prekeys to a server;
- Alice fetches a "prekey bundle" from the server, and uses it to send an initial message to Bob;
- Bob receives and processes Alice's initial message.
X3DH can use the X25519 or X448 elliptic curve, and for hashing it requires SHA-256 or SHA-512. The document notes that the protocol “provides forward secrecy and cryptographic deniability”, with the caveat that the parties only know they are talking to each other if they verify identity keys out of band, for example by comparing fingerprints; otherwise a dishonest server could substitute its own.
The signatures X3DH uses (on the signed prekey) are described in XEdDSA and VXEdDSA Signature Schemes. XEdDSA lets an X25519 or X448 key pair – the same Diffie-Hellman key a party already holds – produce EdDSA-style signatures, so one identity key serves both jobs. VXEdDSA goes further and makes the signature a verifiable random function: besides proving the signer holds the private key, it yields an output that looks random to anyone without that key but that anyone with the public key can check. Both schemes are also designed to resist side-channel attacks on the signer.
And we still haven't gotten to the users exchanging messages, because this only gets us as far as Bob and Alice setting up their message-passing. The last part, protecting the messages, is the job of the Double Ratchet Algorithm.
Defeating the snoops
So that an eavesdropper who collects a pile of ciphertext and later gets hold of one key can't unlock the lot, the algorithm derives a fresh key for every message, and here the parties' Diffie-Hellman values come back into play:
“The parties also send Diffie-Hellman public values attached to their messages. The results of Diffie-Hellman calculations are mixed into the derived keys so that later keys cannot be calculated from earlier ones. These properties give some protection to earlier or later encrypted messages in case of a compromise of a party's keys.”
A “KDF chain” – a key derivation function whose output becomes the key for the next step – gives Double Ratchet three properties the document spells out: the output keys look random to an attacker who doesn't know the chain key, “even if the adversary can control the KDF inputs”; forward security, because learning the current chain key tells you nothing about keys already derived from it; and break-in recovery, because an attacker who has copied a party's state is locked out again once fresh Diffie-Hellman output with enough entropy has been mixed in. That last property concerns a compromised party, not a compromised server: the chain keys never leave the two endpoints.
For non-cryptographers, the name “Double Ratchet” comes from the two one-way steps that give each message its own key: the parties' Diffie-Hellman keys are “ratcheted” whenever a reply carries a fresh public value (the DH ratchet), and the sending and receiving chains are ratcheted with every single message (the symmetric-key ratchet). Neither step can be run backwards, which is the point.
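To make the three-phase X3DH exchange and the two ratchets concrete, here is a stripped-down run of both in Python. It is an added illustration written for this article, not code from Open Whisper Systems or the specs. It carries its own pure-Python X25519 (the RFC 7748 ladder, which is not constant-time and is for reading only), an HKDF built on the standard library, and several simplifications that are assumptions of the example rather than features of the protocol: the XEdDSA signature on Bob's signed prekey is taken as already verified, the KDF info strings are made up, the message encryption is an HKDF keystream plus HMAC tag standing in for the spec's AEAD, and messages are assumed to arrive in order, so the spec's skipped-message-key handling and header encryption are left out. The message texts are constructed sample input.

```python
import hashlib
import hmac
import os

# Pure-Python X25519 (RFC 7748 Montgomery ladder). Demo only: it is NOT constant-time,
# so it lacks exactly the side-channel resistance the specs care about.
P = 2 ** 255 - 19

def x25519(scalar: bytes, u: bytes) -> bytes:
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64  # clamp
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, (9).to_bytes(32, "little"))

def hkdf(ikm: bytes, info: bytes, salt: bytes = b"\x00" * 32, n: int = 32) -> bytes:
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()        # HKDF-Extract
    out, t, i = b"", b"", 1
    while len(out) < n:                                       # HKDF-Expand
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:n]

# ---- X3DH: four DH outputs, prefixed with 32 0xFF bytes for X25519, into one KDF.
# Assumption: the XEdDSA signature on bundle["spk"] has already been verified.
def x3dh_alice(ik_a, ek_a, bundle):
    dh = (x25519(ik_a, bundle["spk"]) + x25519(ek_a, bundle["ik"])
          + x25519(ek_a, bundle["spk"]) + x25519(ek_a, bundle["opk"]))
    return hkdf(b"\xff" * 32 + dh, b"X3DH-demo")               # info string is made up

def x3dh_bob(ik_b, spk_b, opk_b, ik_a_pub, ek_a_pub):
    dh = (x25519(spk_b, ik_a_pub) + x25519(ik_b, ek_a_pub)
          + x25519(spk_b, ek_a_pub) + x25519(opk_b, ek_a_pub))
    return hkdf(b"\xff" * 32 + dh, b"X3DH-demo")

# ---- Double Ratchet. kdf_rk is the DH ratchet step, kdf_ck the symmetric-key ratchet step.
def kdf_rk(rk, dh_out):            # mixes fresh DH output into the root key -> (root, chain)
    out = hkdf(dh_out, b"DR-root", salt=rk, n=64)
    return out[:32], out[32:]

def kdf_ck(ck):                    # one click of a chain -> (next chain key, message key)
    return (hmac.new(ck, b"\x02", hashlib.sha256).digest(),
            hmac.new(ck, b"\x01", hashlib.sha256).digest())

def seal(mk, ad, pt):              # stand-in for the spec's AEAD, not a real one
    ct = bytes(a ^ b for a, b in zip(pt, hkdf(mk, b"stream", n=len(pt))))
    return ct + hmac.new(mk, ad + ct, hashlib.sha256).digest()

def unseal(mk, ad, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, ad + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, hkdf(mk, b"stream", n=len(ct))))

class Ratchet:
    """One party's state. Simplified: in-order delivery only, no skipped-key store."""
    def __init__(self, rk, dh_priv, dh_pub, remote_pub=None):
        self.rk, self.priv, self.pub, self.remote = rk, dh_priv, dh_pub, remote_pub
        self.cks = self.ckr = None
        if remote_pub is not None:   # initiator seeds its sending chain from Bob's SPK
            self.rk, self.cks = kdf_rk(rk, x25519(dh_priv, remote_pub))

    def encrypt(self, pt):
        self.cks, mk = kdf_ck(self.cks)                 # symmetric ratchet: fresh key per message
        return self.pub, seal(mk, self.pub, pt)         # header carries our ratchet public key

    def decrypt(self, header, ct):
        if header != self.remote:                       # peer sent a new DH value: DH ratchet
            self.remote = header
            self.rk, self.ckr = kdf_rk(self.rk, x25519(self.priv, header))
            self.priv, self.pub = keypair()
            self.rk, self.cks = kdf_rk(self.rk, x25519(self.priv, header))
        self.ckr, mk = kdf_ck(self.ckr)
        return unseal(mk, header, ct)

def demo():
    ik_b, spk_b, opk_b = keypair(), keypair(), keypair()
    bundle = {"ik": ik_b[1], "spk": spk_b[1], "opk": opk_b[1]}   # phase 1: Bob publishes
    ik_a, ek_a = keypair(), keypair()
    sk_a = x3dh_alice(ik_a[0], ek_a[0], bundle)                 # phase 2: Alice fetches
    sk_b = x3dh_bob(ik_b[0], spk_b[0], opk_b[0], ik_a[1], ek_a[1])  # phase 3: Bob processes
    alice = Ratchet(sk_a, *keypair(), remote_pub=spk_b[1])
    bob = Ratchet(sk_b, spk_b[0], spk_b[1])
    msgs = [b"hi bob", b"second one before you answer", b"hi alice", b"and back again"]
    out = [bob.decrypt(*alice.encrypt(msgs[0])), bob.decrypt(*alice.encrypt(msgs[1])),
           alice.decrypt(*bob.encrypt(msgs[2])), bob.decrypt(*alice.encrypt(msgs[3]))]
    return sk_a == sk_b, out == msgs
```

Running demo() walks the whole story: both sides land on the same X3DH secret without it ever being sent, Alice's two back-to-back messages each get a distinct key from the symmetric ratchet alone, and Bob's reply carries a new Diffie-Hellman value that forces both root keys forward, which is the break-in recovery step the spec describes.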
The Register will watch with interest to see if any cryptanalysts can spot any gaps in the specs. ®