OTR
Applied Cryptography, Lecture 13
Ruben Niederhagen
Solution:
Use ephemeral keys.
Ephemeral:
- adjective:
  1. Lasting a very short time; short-lived; transitory: the ephemeral joys of childhood.
  2. Lasting but one day: an ephemeral flower.
- noun:
  3. Anything short-lived, as certain insects. [dictionary.com]
Ephemeral key:
“A cryptographic key is called ephemeral if it is generated for each
execution of a key establishment process.” [Wikipedia]
Example: Keys derived from Diffie-Hellman key exchange.
Introduction:
- Standard key agreement and encryption protocol on top of XMPP (Jabber).
- Available natively or as a plug-in for most XMPP clients.
- Provides forward secrecy and deniable authentication.
- Designed by Ian Goldberg and Nikita Borisov.
Authentication:
- Key exchange is signed with each user’s public key.
Confidentiality:
- Data exchange is encrypted with AES-CTR with a secret key.
Integrity:
- An HMAC is used for all encrypted messages.
Forward secrecy:
- If a long-term private key ($k_A$, $k_B$) becomes public, all ephemeral encryption keys ($k_1, k_2, \ldots$) are still secret.
- If an ephemeral encryption key becomes public, only a few messages are revealed.
Repudiation:
- Bob cannot blame Alice for having sent him a specific message, since Bob is in possession of both the encryption and the MAC key and thus could have written the message himself.
- If Eve gets hold of an encryption key, she cannot prove that either Alice or Bob wrote a certain message, since Eve is in possession of the MAC key as well.
- Someone who can forge a valid ciphertext cannot convince anybody else that either Alice or Bob wrote that message, since the MAC key is made public after its expiry.
Disadvantage:
Both users must be online, no offline messaging.
Advantage:
No ephemeral keys are stored persistently.
Authenticated key exchange (Alice on the left, Bob on the right):
1. Alice: $s_1 = g^{x_1 y_1}$. Alice → Bob: $r$. Bob: decrypt $g^{x_1}$; $s_1 = g^{x_1 y_1}$.
2. Both: $(k_1, k_2, m_1, \ldots, m_4) = \mathrm{kdf}(s_1)$.
3. Alice: $M_A = \mathrm{hmac}_{m_1}(g^{x_1} \,\|\, g^{y_1} \,\|\, v_A)$; $X_A = v_A, \mathrm{sign}_{k_A}(M_A)$. Alice → Bob: $\mathrm{enc}_{k_1}(X_A), \mathrm{hmac}_{m_2}(\mathrm{enc}_{k_1}(X_A))$. Bob: verify hmac, decrypt $X_A$, verify signature on $M_A$.
4. Bob: $M_B = \mathrm{hmac}_{m_3}(g^{x_1} \,\|\, g^{y_1} \,\|\, v_B)$; $X_B = v_B, \mathrm{sign}_{k_B}(M_B)$. Bob → Alice: $\mathrm{enc}_{k_2}(X_B), \mathrm{hmac}_{m_4}(\mathrm{enc}_{k_2}(X_B))$. Alice: verify hmac, decrypt $X_B$, verify signature on $M_B$.
Authentication:
Users must use an out-of-band channel for authentication!
Introduction:
- Idea: Two millionaires want to figure out if their wealth is equal without revealing to the public how much money they own. (Millionaire’s Problem: Compare the wealth and figure out who is richer without revealing the actual amount of money each owns.)
- Application: Two parties want to figure out if they share a common secret value without revealing the value to the public.
Alice holds $x$, Bob holds $y$; question: $x = y$?
1. Alice: $a_1 = \mathrm{rand}(), a_2 = \mathrm{rand}()$. Alice → Bob: $g^{a_1}, g^{a_2}$.
2. Bob: $b_1 = \mathrm{rand}(), b_2 = \mathrm{rand}(), r = \mathrm{rand}()$; $g_1 = g^{a_1 b_1}, g_2 = g^{a_2 b_2}$; $P_b = g_2^{r}, Q_b = g^{r} g_1^{y}$. Bob → Alice: $g^{b_1}, g^{b_2}, P_b, Q_b$.
3. Alice: $g_1 = g^{a_1 b_1}, g_2 = g^{a_2 b_2}$; $s = \mathrm{rand}()$; $P_a = g_2^{s}, Q_a = g^{s} g_1^{x}$; $R_a = (Q_a / Q_b)^{a_2}$. Alice → Bob: $P_a, Q_a, R_a$.
4. Bob: $R_b = (Q_a / Q_b)^{b_2}$ and checks $R_a^{b_2}$ against $P_a / P_b$. Bob → Alice: $R_b$.
5. Alice: $R_{ab} = R_b^{a_2} = (Q_a / Q_b)^{b_2 a_2} = (g^{s} g_1^{x} g^{-r} g_1^{-y})^{b_2 a_2} = (g^{s-r} g_1^{x-y})^{b_2 a_2}$, while $P_a / P_b = g_2^{s} g_2^{-r} = g_2^{s-r} = g^{a_2 b_2 (s-r)}$. Hence $R_{ab} = P_a / P_b$ exactly when $g_1^{(x-y) a_2 b_2} = 1$, i.e. when $x = y$; otherwise neither side learns anything about the other’s value.
All operations are performed modulo a prime $p$.
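The exchange above run end to end, as an added example that is not from the slides or from any OTR implementation. It follows the slide literally, so it omits the zero-knowledge proofs the full OTR SMP adds; the group (the Mersenne prime $2^{127}-1$ with $g = 3$) and the hashing of a passphrase into $x$ are assumptions of this example.

```python
import hashlib
import secrets

# Constructed demo group: all operations modulo the prime p = 2^127 - 1 (a Mersenne prime)
# with g = 3. A real OTR client uses a far larger standardized DH group.
p = (1 << 127) - 1
g = 3

def rand() -> int:
    """rand() of the slide: a random exponent in [1, p-2]."""
    return secrets.randbelow(p - 2) + 1

def div(a: int, b: int) -> int:
    """a / b modulo the prime p (inverse by Fermat's little theorem)."""
    return a * pow(b, p - 2, p) % p

def secret_to_exponent(secret: bytes) -> int:
    """Assumption of this example: the compared value x (or y) is a hash of the user's secret."""
    return int.from_bytes(hashlib.sha256(secret).digest(), "big") % (p - 1)

def alice_step1():
    a1, a2 = rand(), rand()
    return {"a1": a1, "a2": a2}, (pow(g, a1, p), pow(g, a2, p))      # sends g^a1, g^a2

def bob_step2(y: int, msg1):
    ga1, ga2 = msg1
    b1, b2, r = rand(), rand(), rand()
    g1, g2 = pow(ga1, b1, p), pow(ga2, b2, p)                          # g1 = g^(a1 b1), g2 = g^(a2 b2)
    Pb, Qb = pow(g2, r, p), pow(g, r, p) * pow(g1, y, p) % p           # P_b = g2^r, Q_b = g^r g1^y
    return {"b2": b2, "Pb": Pb, "Qb": Qb}, (pow(g, b1, p), pow(g, b2, p), Pb, Qb)

def alice_step3(x: int, st, msg2):
    gb1, gb2, Pb, Qb = msg2
    g1, g2 = pow(gb1, st["a1"], p), pow(gb2, st["a2"], p)              # same g1, g2 as Bob
    s = rand()
    Pa, Qa = pow(g2, s, p), pow(g, s, p) * pow(g1, x, p) % p           # P_a = g2^s, Q_a = g^s g1^x
    Ra = pow(div(Qa, Qb), st["a2"], p)                                 # R_a = (Q_a / Q_b)^a2
    st.update(Pa=Pa, Pb=Pb)
    return st, (Pa, Qa, Ra)

def bob_step4(st, msg3):
    """Bob's test: R_a^b2 = (Q_a/Q_b)^(a2 b2) equals P_a/P_b exactly when x == y."""
    Pa, Qa, Ra = msg3
    Rb = pow(div(Qa, st["Qb"]), st["b2"], p)                           # R_b = (Q_a / Q_b)^b2, sent to Alice
    return pow(Ra, st["b2"], p) == div(Pa, st["Pb"]), Rb

def alice_step5(st, Rb: int) -> bool:
    """Alice's test from the slide: R_ab = R_b^a2 == P_a / P_b."""
    return pow(Rb, st["a2"], p) == div(st["Pa"], st["Pb"])

def smp(x: int, y: int):
    """Run the whole exchange; returns (Alice's verdict, Bob's verdict)."""
    a_st, msg1 = alice_step1()
    b_st, msg2 = bob_step2(y, msg1)
    a_st, msg3 = alice_step3(x, a_st, msg2)
    bob_equal, Rb = bob_step4(b_st, msg3)
    return alice_step5(a_st, Rb), bob_equal

if __name__ == "__main__":
    x = secret_to_exponent(b"correct horse battery staple")
    print("same secret:     ", smp(x, x))
    print("different secret:", smp(x, secret_to_exponent(b"Tr0ub4dor&3")))
```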
Cryptocat
Introduction:
https://tobtu.com/decryptocat.php
/ department of mathematics and computer science
Problem:
Passing an integer encoded as base-10 string
to a function expecting an array of bytes.
Cryptographic Primitives:
- AES-CTR-256 with randomized IV for data encryption and decryption.
- Curve25519 for Elliptic Curve public key generation.
- SHA-512 for generating 512-bit message authentication codes, shared secrets, fingerprints, and message tags.
- HMAC-SHA512 for message authentication (Encrypt-then-MAC).
Key Generation:
For each chat room, each user creates a private/public key pair.
Generating the private key relies on a cryptographically secure
pseudo-random number generator.
The private key n is a random 256-bit string; the public key q is computed as
q = x(n · G)
where x() returns the x-coordinate of a point and G is the base point (the point with x-coordinate 9).
Key Agreement:
Alice may send her/his public key to Bob using a JSON object formatted
as follows:
{"type":"publicKey", Alice:{"message": PublicKeyBob}}
where PublicKeyBob is encoded using Base64.
Once Bob receives Alice’s public key, he must send his own public key in
return.
If a client receives a public key from another user but there already is a
public key on record for them, the new public key is not accepted.
User Authentication:
The fingerprint of a public key is computed as:
Fingerprint = hex(SHA-512(PublicKey )).substring(0, 40)
Users can verify someone else’s identity simply by confirming his/her
fingerprints over a trusted out-of-band channel (which may be public, but
difficult to impersonate) such as a telephone.
Shared Secrets:
Each pair of parties uses a shared secret to encrypt and authenticate messages.
In a chat between Alice, Bob and Carol, Alice uses the following formula
to establish her shared secret with Bob:
SharedSecretAB = SHA-512(scalarMult(privateKeyA, publicKeyB))
and the following formula to establish her shared secret with Carol:
SharedSecretAC = SHA-512(scalarMult(privateKeyA, publicKeyC ))
Bob similarly calculates SharedSecretBA and SharedSecretBC.
Carol also creates SharedSecretCA and SharedSecretCB.
The first 256 bits of shared secrets are used as the encryption key for
AES-CTR-256 operations, while the last 256 bits are used as the key for
HMAC-SHA-512 operations.
Messaging:
A message being sent by user Alice to a chat with users Alice, Bob and
Carol is a JSON object structured as follows:
{"type":"message",
"text": {
Bob: {"message":CiphertextB,"iv":ivB,"hmac":hmacB},
Carol:{"message":CiphertextC,"iv":ivC,"hmac":hmacC }},
"tag":Tag }
All binary data (ciphertexts, IVs, and HMACs) is encoded as Base64.
64 random bytes are added to the end of the message before encryption.
The IV is composed of 16 bytes: 12 bytes that are randomly generated,
followed by 4 bytes acting as a counter, incremented once per block.
Message Authentication:
HMACs are generated as follows:
HMAC-SHA-512(CiphertextB || ivB || CiphertextC || ivC || ...)
The sender N uses the last 256 bits of SharedSecretNM as the HMAC key
for the ciphertext sent to the user M.
The message tag is calculated by hashing the plaintext concatenated with
the HMAC of every recipient
plaintext || hmacB || hmacC || ...
through 8 passes of SHA-512.
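The key generation, fingerprint, shared-secret split, IV layout, per-recipient HMAC and 8-pass message tag described above, as an added example that is not Cryptocat’s own code. It carries a from-scratch X25519 (the RFC 7748 ladder) for scalarMult; because AES-CTR is not in the Python standard library, the ciphertexts are passed in as constructed byte strings, so only the key-agreement and authentication side of the format is exercised.

```python
import base64
import hashlib
import hmac
import secrets

P25519 = 2**255 - 19
BASE_POINT = (9).to_bytes(32, "little")  # G: the point with x-coordinate 9

def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """x(n*Q) by the RFC 7748 Montgomery ladder; branching cswap, so demo-only (not constant-time)."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp the scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P25519, (x2 - z2) % P25519
        aa, bb = a * a % P25519, b * b % P25519
        c, d = (x3 + z3) % P25519, (x3 - z3) % P25519
        da, cb = d * a % P25519, c * b % P25519
        x3, z3 = (da + cb) ** 2 % P25519, x1 * (da - cb) ** 2 % P25519
        e = (aa - bb) % P25519
        x2, z2 = aa * bb % P25519, e * (aa + 121665 * e) % P25519
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P25519 - 2, P25519) % P25519).to_bytes(32, "little")

def keypair():
    n = secrets.token_bytes(32)            # private key n: random 256-bit string
    return n, x25519(n, BASE_POINT)        # public key q = x(n * G)

def fingerprint(pub: bytes) -> str:
    return hashlib.sha512(pub).hexdigest()[:40]   # hex(SHA-512(PublicKey)).substring(0, 40)

def shared_keys(priv: bytes, pub: bytes):
    ss = hashlib.sha512(x25519(priv, pub)).digest()   # SHA-512(scalarMult(priv, pub))
    return ss[:32], ss[32:]                # first 256 bits: AES-CTR key; last 256 bits: HMAC key

def new_iv() -> bytes:
    return secrets.token_bytes(12) + bytes(4)   # 12 random bytes, then a 4-byte block counter

def message_tag(plaintext: bytes, hmacs) -> bytes:
    t = plaintext + b"".join(hmacs)
    for _ in range(8):                     # 8 passes of SHA-512
        t = hashlib.sha512(t).digest()
    return t

def b64(x: bytes) -> str:
    return base64.b64encode(x).decode()

def build_message(sender_priv, recipients, plaintext, ciphertexts):
    """recipients: {name: public key}; ciphertexts: {name: (ciphertext, iv)} produced by AES-CTR."""
    mac_input = b"".join(ciphertexts[n][0] + ciphertexts[n][1] for n in recipients)
    text, hmacs = {}, []
    for name, pub in recipients.items():
        _, mac_key = shared_keys(sender_priv, pub)          # last 256 bits of SharedSecret_NM
        tag = hmac.new(mac_key, mac_input, hashlib.sha512).digest()
        hmacs.append(tag)
        ct, iv = ciphertexts[name]
        text[name] = {"message": b64(ct), "iv": b64(iv), "hmac": b64(tag)}
    return {"type": "message", "text": text, "tag": b64(message_tag(plaintext, hmacs))}

def verify_hmac(msg, me, my_priv, sender_pub) -> bool:
    """Recipient side: recompute the HMAC over every ciphertext || iv with our shared HMAC key."""
    _, mac_key = shared_keys(my_priv, sender_pub)
    ub64 = base64.b64decode
    mac_input = b"".join(ub64(e["message"]) + ub64(e["iv"]) for e in msg["text"].values())
    expected = hmac.new(mac_key, mac_input, hashlib.sha512).digest()
    return hmac.compare_digest(expected, ub64(msg["text"][me]["hmac"]))

def demo():
    """Alice sends to Bob and Carol; returns (Bob's HMAC check, Carol's HMAC check)."""
    (a_priv, a_pub), (b_priv, b_pub), (c_priv, c_pub) = keypair(), keypair(), keypair()
    pt = b"hello" + secrets.token_bytes(64)           # 64 random bytes appended before encryption
    cts = {n: (secrets.token_bytes(len(pt)), new_iv()) for n in ("Bob", "Carol")}  # constructed stand-ins
    msg = build_message(a_priv, {"Bob": b_pub, "Carol": c_pub}, pt, cts)
    return verify_hmac(msg, "Bob", b_priv, a_pub), verify_hmac(msg, "Carol", c_priv, a_pub)
```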
Disadvantages:
- One-to-one encryption:
  • Many messages in order to exchange keys.
Introduction:
Based on the paper “Multi-party Off-the-Record Messaging” by Goldberg,
Ustaoğlu, Van Gundy, and Chen.
Setup Phase:
1. Perform an exchange with each member to derive a session id.
2. Do a pairwise, deniable, authenticated key exchange based on
long-term keys with each member.
3. Use the key exchange to exchange and prove possession of ephemeral
(thus deniable) signature keys with each member.
4. Perform a separate “group key agreement”, authenticated by the
signature keys.
5. Attest that everyone is seeing the same thing.
Communication Phase:
During the communication phase, members broadcast their messages to the group by
- encrypting them with the group key and
- signing the ciphertext with their ephemeral signing key pair (from step 3 in the Setup Phase).
Shutdown Phase:
1. All members agree that there are no more messages in transit.
2. All members calculate the hash of all messages they authored during
the session, sorted in lexicographical order, and send those to all
other members.
3. All members receive the hash values of all messages authored by
other members, and compare those to local values of what they
originally received.
Disadvantages:
- No implementation, yet?
- Overhead: Setup requires 4N to 12N round trip messages (N participants).
- Ephemeral Session: No perfect forward secrecy within a session; the session must be “short”.
- Consistency Surprise: Users only learn at shutdown whether all users received all messages.
- Complexity: Protocol and building blocks are complex.
Introduction:
- Developed by Vinnie Moscaritolo, Gary Belvin, and Phil Zimmermann.
- Was used in Silent Circle’s app “Silent Text”.
- Discontinued on September 28, 2015; replaced by the Axolotl key management protocol when merged with the app “Silent Phone”.
Key agreement (Alice on the left, Bob on the right; $k_{-1}$ is the cached secret, if one is available):
1. Alice: $x_1 = \mathrm{rand}()$. Alice → Bob: $\mathrm{hash}(g^{x_1}), \mathrm{hmac}_{k_{-1}}(g^{x_1})$.
2. Bob: $y_1 = \mathrm{rand}()$. Bob → Alice: $g^{y_1}, \mathrm{hmac}_{k_{-1}}(g^{y_1})$.
3. Alice: $k_1 = \mathrm{kdf}(g^{x_1 y_1})$. Alice → Bob: $g^{x_1}, \mathrm{hmac}_{k_1}(g^{x_1})$.
4. Bob: $k_1 = \mathrm{kdf}(g^{x_1 y_1})$. Both: $s_1 = \mathrm{sas}(k_1)$. Bob → Alice: $\mathrm{hmac}_{k_1}(\text{“CONFIRM”})$.
5. Alice → Bob: $C_1 = \text{auth-enc}_{k_1}(M_1)$.
6. After $C_1$ the key is ratcheted on both sides, $k_2 = \mathrm{hash}(k_1)$, and the next message is $C_2 = \text{auth-enc}_{k_2}(M_2)$.
Authentication:
- A cached secret (if available) and a Short Authentication String (SAS) are used to authenticate users; the SAS is compared by the users out-of-band.
Confidentiality:
- Data exchange is encrypted with AES-CCM (Counter with CBC-MAC) with a secret key.
Integrity:
- An authenticated encryption scheme (AES-CCM) is used for all encrypted messages.
Forward secrecy:
- There are no long-term keys; all keys are ephemeral.
- If an ephemeral encryption key becomes public, no previous messages are revealed. However, all following messages of that session are affected.
Repudiation:
- Bob cannot blame Alice for having sent him a specific message, since Bob is in possession of the authenticated-encryption key and thus could have written the message himself.
- If Eve gets hold of an encryption key, she cannot prove that either Alice or Bob wrote a certain message, for the same reason.
- There are no long-term identity keys; authentication is performed on a different channel. Thus, anybody can produce a communication transcript and claim to have had a conversation with Bob.
Introduction:
- Developed by Moxie Marlinspike and Trevor Perrin.
- Used by TextSecure and Signal from Open Whisper Systems.
- Used by WhatsApp (is it?).
- Designed for asynchronous, text-message-like communication: users do not need to be online at the same time.
Key exchange and ratchet (Alice holds identity key $a$ with public key $aG$, Bob holds $b$ and $bG$; $\overrightarrow{c}, \overrightarrow{m}$ are Alice’s sending chain key and message key, $\overleftarrow{c}, \overleftarrow{m}$ her receiving ones):
1. Alice: $e_a \leftarrow \mathrm{rand}()$. Alice → Bob: $e_a G$. Bob: $e_b \leftarrow \mathrm{rand}()$. Bob → Alice: $e_b G$.
2. Alice: $r \leftarrow \mathrm{kdf}(a e_b G \,\|\, e_a b G \,\|\, e_a e_b G)$. Bob: $r \leftarrow \mathrm{kdf}(e_b a G \,\|\, b e_a G \,\|\, e_b e_a G)$ (the same three values).
3. Alice: $e_a \leftarrow \mathrm{rand}()$ (fresh ephemeral key); $(r, \overrightarrow{c}) \leftarrow \mathrm{hkdf}_{e_a e_b G}(r)$; $\overrightarrow{m} \leftarrow \mathrm{hkdf}_{\overrightarrow{c}}(0)$; $\overrightarrow{c} \leftarrow \mathrm{hkdf}_{\overrightarrow{c}}(1)$. Alice → Bob: $e_a G$; $C_0 = \mathrm{enc}_{\overrightarrow{m}}(M_0)$; $\mathrm{hmac}_{\overrightarrow{m}}(C_0 \,\|\, e_a G)$.
4. Bob: $(r, \overrightarrow{c}) \leftarrow \mathrm{hkdf}_{e_b e_a G}(r)$; $\overrightarrow{m} \leftarrow \mathrm{hkdf}_{\overrightarrow{c}}(0)$; $\overrightarrow{c} \leftarrow \mathrm{hkdf}_{\overrightarrow{c}}(1)$.
5. Alice: $\overrightarrow{m} \leftarrow \mathrm{hkdf}_{\overrightarrow{c}}(0)$; $\overrightarrow{c} \leftarrow \mathrm{hkdf}_{\overrightarrow{c}}(1)$. Alice → Bob: $C_1 = \mathrm{enc}_{\overrightarrow{m}}(M_1)$; $\mathrm{hmac}_{\overrightarrow{m}}(C_1)$. Bob: the same chain step $\overrightarrow{m} \leftarrow \mathrm{hkdf}_{\overrightarrow{c}}(0)$; $\overrightarrow{c} \leftarrow \mathrm{hkdf}_{\overrightarrow{c}}(1)$.
6. Bob: $e_b \leftarrow \mathrm{rand}()$; $(r, \overleftarrow{c}) \leftarrow \mathrm{hkdf}_{e_b e_a G}(r)$; $\overleftarrow{m} \leftarrow \mathrm{hkdf}_{\overleftarrow{c}}(0)$; $\overleftarrow{c} \leftarrow \mathrm{hkdf}_{\overleftarrow{c}}(1)$. Bob → Alice: $e_b G$; $C_2 = \mathrm{enc}_{\overleftarrow{m}}(M_2)$; $\mathrm{hmac}_{\overleftarrow{m}}(C_2 \,\|\, e_b G)$.
7. Alice: $(r, \overleftarrow{c}) \leftarrow \mathrm{hkdf}_{e_a e_b G}(r)$; $\overleftarrow{m} \leftarrow \mathrm{hkdf}_{\overleftarrow{c}}(0)$; $\overleftarrow{c} \leftarrow \mathrm{hkdf}_{\overleftarrow{c}}(1)$.
8. For every further message in the same direction both sides step the chain in use ($\overrightarrow{m} \leftarrow \mathrm{hkdf}_{\overrightarrow{c}}(0)$, $\overrightarrow{c} \leftarrow \mathrm{hkdf}_{\overrightarrow{c}}(1)$ or the $\overleftarrow{\ }$ counterparts); the first message after a change of direction carries a fresh ephemeral key and refreshes $r$ as in steps 3 and 6.
Alice’s key state (sending | root | receiving): $\overrightarrow{m}, \overrightarrow{c}$ | $r$ | $\overleftarrow{c}, \overleftarrow{m}$. The root key $r$ is derived first from $a e_b G, e_a b G, e_a e_b G$ and afterwards refreshed from each new $e_a e_b G$; every refresh replaces the chain key of the side whose ephemeral key changed.
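A minimal two-party ratchet following the derivation above, as an added example (not Signal’s or TextSecure’s code). Assumptions, all mine: a mod-$p$ DH group stands in for the curve ($e_a G$ becomes $g^{e_a} \bmod p$), kdf is SHA-256, hkdf is HMAC-SHA-512, and enc is a stand-in keystream cipher built from HMAC-SHA-256 rather than AES; every message carries the sender’s current ephemeral public key, which the MAC covers, and a message that fails its MAC leaves the ratchet state untouched.

```python
import hashlib
import hmac
import secrets

# Constructed demo DH group: prime p = 2^127 - 1 with generator 3 (the slide uses a curve,
# e_a G; here that is g^e_a mod p). The ratchet logic is independent of the group.
p = (1 << 127) - 1
g = 3
SIZE = 16  # bytes needed to encode one group element

def rand() -> int:
    return secrets.randbelow(p - 2) + 1

def enc_point(x: int) -> bytes:
    return x.to_bytes(SIZE, "big")

def hkdf(key: bytes, data: bytes) -> bytes:
    """hkdf_key(data) of the slide, modelled as HMAC-SHA-512 (64 bytes out)."""
    return hmac.new(key, data, hashlib.sha512).digest()

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for enc/dec: XOR with an HMAC-SHA-256 counter keystream (not AES-CTR)."""
    blocks = len(data) // 32 + 1
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(blocks))
    return bytes(x ^ y for x, y in zip(data, ks))

class Party:
    def __init__(self, identity: int):
        self.identity, self.eph = identity, rand()   # long-term a (or b) and first ephemeral e_a (or e_b)
        self.root = self.send_chain = self.recv_chain = None
        self.peer_eph_pub, self.need_ratchet = None, True

    def identity_pub(self) -> int: return pow(g, self.identity, p)
    def eph_pub(self) -> int: return pow(g, self.eph, p)

    def setup(self, peer_id_pub: int, peer_eph_pub: int, initiator: bool):
        """r <- kdf(a e_b G || e_a b G || e_a e_b G); Bob feeds the same three values in the same order."""
        self.peer_eph_pub = peer_eph_pub
        if initiator:
            parts = (pow(peer_eph_pub, self.identity, p), pow(peer_id_pub, self.eph, p))
        else:
            parts = (pow(peer_id_pub, self.eph, p), pow(peer_eph_pub, self.identity, p))
        parts += (pow(peer_eph_pub, self.eph, p),)
        self.root = hashlib.sha256(b"".join(map(enc_point, parts))).digest()

    @staticmethod
    def _root_step(root: bytes, shared: int):
        """(r, c) <- hkdf_{e_a e_b G}(r): new root key and a fresh chain key for one direction."""
        out = hkdf(enc_point(shared), root)
        return out[:32], out[32:]

    @staticmethod
    def _chain_step(chain: bytes):
        """m <- hkdf_c(0); c <- hkdf_c(1): message key for this message, next chain key."""
        return hkdf(chain, b"\x00")[:32], hkdf(chain, b"\x01")[:32]

    def send(self, plaintext: bytes):
        if self.need_ratchet:   # first message after receiving one: fresh e_a, root-key refresh, new sending chain
            self.eph = rand()
            self.root, self.send_chain = self._root_step(self.root, pow(self.peer_eph_pub, self.eph, p))
            self.need_ratchet = False
        m, self.send_chain = self._chain_step(self.send_chain)
        ct = stream_xor(m, plaintext)
        mac = hmac.new(m, ct + enc_point(self.eph_pub()), hashlib.sha256).digest()  # hmac_m(C || e G)
        return self.eph_pub(), ct, mac

    def receive(self, peer_eph_pub: int, ct: bytes, mac: bytes) -> bytes:
        root, chain, eph_changed = self.root, self.recv_chain, peer_eph_pub != self.peer_eph_pub
        if eph_changed:   # peer refreshed its ephemeral key: root-key refresh, new receiving chain
            root, chain = self._root_step(root, pow(peer_eph_pub, self.eph, p))
        m, chain = self._chain_step(chain)
        expect = hmac.new(m, ct + enc_point(peer_eph_pub), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, mac):
            raise ValueError("bad MAC: message rejected, ratchet state unchanged")
        self.root, self.recv_chain, self.peer_eph_pub = root, chain, peer_eph_pub  # commit after the check
        self.need_ratchet = self.need_ratchet or eph_changed
        return stream_xor(m, ct)

def make_session():
    """Initial handshake: exchange e_a G and e_b G, then derive the shared root key on both sides."""
    alice, bob = Party(rand()), Party(rand())
    alice.setup(bob.identity_pub(), bob.eph_pub(), initiator=True)
    bob.setup(alice.identity_pub(), alice.eph_pub(), initiator=False)
    return alice, bob
```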
Authentication:
- The initial root key is authenticated with the public keys of the participants.
- Each root-key refresh is chained to the initial root key; authentication is propagated.
Confidentiality:
- Data exchange is encrypted with AES-256 in counter mode with a secret key.
Integrity:
- An HMAC is used for all encrypted messages.
Forward secrecy:
- Breaking long-term identity keys does not reveal any messages.
- Due to the root-key chain, breaking one single “key-exchange” key ($e_a$, $e_b$) does not reveal any messages.
- Breaking a message key only reveals the information of a single message.
- Revealing a chain key only reveals messages up to the next key exchange.
- Seizing a device does not reveal any messages (if they are not stored locally); however, possession of the chain key allows decrypting future messages, possession of the ephemeral key allows performing future root-key refreshes, and possession of the identity key allows impersonation.
Repudiation:
- Bob cannot blame Alice for having sent him a specific message, since Bob is in possession of the authentication and encryption key and thus could have written the message himself.
- If Eve gets hold of a message key, she cannot prove that either Alice or Bob wrote a certain message, for the same reason.
- Anybody can produce a fake transcript of a conversation with Bob without ever actually having spoken to him.
Further optimized secure group chat: reuse K (with ratchet hashing) for
a certain amount of messages or a certain time.