Double Ratchet Algorithm

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Pink kitty111 (talk | contribs) at 19:40, 15 January 2016 (Created by translating the page "Axolotl-Protokoll"). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
The Axolotl protocol provides end-to-end encryption for instant messaging. After an initial key exchange it manages the ongoing renewal and maintenance of short-lived session keys (a cryptographic ratchet). It combines a ratchet based on the Diffie–Hellman key exchange (DH) with a ratchet based on a key derivation function (KDF), such as a hash function, and is therefore called a double ratchet.

The name refers to the critically endangered aquatic salamander, the axolotl, which has extraordinary self-healing capabilities. The developers call the protocol self-healing because, after an attacker has compromised a session key, it automatically locks that attacker out of the cleartext of later messages.[1]

Origin

Axolotl was developed by Trevor Perrin with support from Moxie Marlinspike (Open Whisper Systems) and introduced in TextSecure (now Signal) in 2013. The design is based on the DH ratchet introduced by Off-the-Record Messaging (OTR) and combines it with a symmetric-key ratchet modeled after the Silent Circle Instant Messaging Protocol (SCIMP).

Properties

Axolotl offers the properties that end-to-end encryption systems have long provided: encryption of content along the entire transport path, authentication of the remote peer, and protection against manipulation of messages. As a hybrid of DH and KDF ratchets it combines several desirable features of both principles. From OTR messaging it takes forward secrecy, the automatic re-establishment of secrecy after a session key has been compromised, forward secrecy even if the persistent long-term secret key is compromised, and plausible deniability of message authorship. In addition, secondary KDF ratchets allow session keys to be renewed without interaction with the remote peer. A further key-derivation step allows the session keys of out-of-order messages to be retained without endangering subsequent keys.

It is said to detect reordering, deletion and replay of sent messages and to improve the forward secrecy properties in comparison with OTR messaging.

Combined with a public key infrastructure that holds pregenerated one-time keys, it allows messaging sessions to be initialised while the remote peer is offline (asynchronous communication). Using the triple Diffie–Hellman key exchange (3DH) as the initial key exchange method (as Signal does) improves the deniability properties.

A client renews session key material in interaction with the remote peer using the Diffie–Hellman ratchet whenever possible, and otherwise independently using a hash ratchet. With every message an Axolotl client therefore advances one of two hash ratchets (one for sending, one for receiving), both of which are seeded with a common secret from the DH ratchet. At the same time it uses every opportunity to provide the remote peer with a new public DH value, and it advances the DH ratchet whenever a new DH value arrives from the remote peer. As soon as a new common secret is established, a new hash ratchet is initialised.
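The interplay of the two ratchets described above, together with the retention of message keys for out-of-order messages mentioned under Properties, is easier to see in code. The following is an added example written for this page; it is not Axolotl, Signal or any library's code. It keeps the HMAC-SHA256 hash ratchet the article names, but replaces Curve25519 with a toy modular-exponentiation group (an assumption made so the script runs with the Python standard library alone; the group is not secure and only stands in for ECDH), replaces the initial 3DH agreement with a constructed random secret, and stops at key derivation rather than encrypting with AES. The names `Ratchet`, `kdf_rk`, `kdf_ck` and `run_exchange` are this example's own.

```python
"""Simplified double ratchet key schedule (added example, not Axolotl/Signal code)."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: an ASSUMED stand-in for Curve25519, not secure, demo only.
P = 2**127 - 1   # Mersenne prime; keeps the arithmetic cheap and the secrets 16 bytes long
G = 5


def dh_keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv, pub):
    """Shared secret as 16 bytes; this is what gets mixed into the root key."""
    return pow(pub, priv, P).to_bytes(16, "big")


def kdf_rk(root_key, dh_out):
    """Root KDF (DH ratchet step): fresh DH output in, new root key and chain key out."""
    prk = hmac.new(root_key, dh_out, hashlib.sha256).digest()
    return (hmac.new(prk, b"root", hashlib.sha256).digest(),
            hmac.new(prk, b"chain", hashlib.sha256).digest())


def kdf_ck(chain_key):
    """Chain KDF (one hash ratchet step): returns (next chain key, message key)."""
    return (hmac.new(chain_key, b"\x02", hashlib.sha256).digest(),
            hmac.new(chain_key, b"\x01", hashlib.sha256).digest())


class Ratchet:
    MAX_SKIP = 100  # bound on retained out-of-order keys, so a peer cannot exhaust memory

    def __init__(self, shared_secret, own_pair=None, remote_pub=None):
        self.dhs = own_pair or dh_keypair()   # own DH pair (the "new public DH value" we offer)
        self.dhr = remote_pub                 # latest DH public value seen from the peer
        self.rk = shared_secret               # root key, seeded by the initial key exchange
        self.cks = self.ckr = None            # sending / receiving hash-ratchet chain keys
        self.ns = self.nr = self.pn = 0       # counters: sent, received, sent on previous chain
        self.skipped = {}                     # (peer DH pub, n) -> message key kept for reordering
        if remote_pub is not None:            # initiator already knows a peer value: seed sending chain
            self.rk, self.cks = kdf_rk(self.rk, dh(self.dhs[0], remote_pub))

    def next_send_key(self):
        """Advance the sending hash ratchet; return (header, message key)."""
        self.cks, mk = kdf_ck(self.cks)
        header = (self.dhs[1], self.pn, self.ns)
        self.ns += 1
        return header, mk

    def _skip_keys(self, until):
        """Derive and retain keys for messages not yet seen, up to index `until`."""
        if self.nr + self.MAX_SKIP < until:
            raise ValueError("too many skipped messages")
        while self.ckr is not None and self.nr < until:
            self.ckr, mk = kdf_ck(self.ckr)
            self.skipped[(self.dhr, self.nr)] = mk
            self.nr += 1

    def _dh_ratchet(self, header):
        """Peer sent a new DH value: derive a new receiving chain, then a new sending chain."""
        pub, _, _ = header
        self.pn, self.ns, self.nr = self.ns, 0, 0
        self.dhr = pub
        self.rk, self.ckr = kdf_rk(self.rk, dh(self.dhs[0], pub))
        self.dhs = dh_keypair()                                      # fresh value to offer the peer
        self.rk, self.cks = kdf_rk(self.rk, dh(self.dhs[0], pub))

    def next_recv_key(self, header):
        """Derive the message key for an incoming header, handling DH steps and reordering."""
        pub, pn, n = header
        if (pub, n) in self.skipped:            # late arrival: use the retained key once
            return self.skipped.pop((pub, n))
        if pub != self.dhr:
            self._skip_keys(pn)                 # keys still owed on the old receiving chain
            self._dh_ratchet(header)
        self._skip_keys(n)
        self.ckr, mk = kdf_ck(self.ckr)
        self.nr += 1
        return mk


def run_exchange():
    """Constructed scenario: Alice sends 3 messages (2 delivered out of order), Bob replies."""
    shared = secrets.token_bytes(32)          # constructed stand-in for the initial (3DH) secret
    bob_pair = dh_keypair()                   # Bob's prekey, assumed known to Alice in advance
    alice = Ratchet(shared, remote_pub=bob_pair[1])
    bob = Ratchet(shared, own_pair=bob_pair)
    sent = [alice.next_send_key() for _ in range(3)]
    got = {i: bob.next_recv_key(sent[i][0]) for i in (0, 2, 1)}   # message 3 arrives before 2
    hdr, kb = bob.next_send_key()             # Bob's reply carries his new DH public value
    ka = alice.next_recv_key(hdr)             # ...which drives Alice's DH ratchet step
    return {
        "keys_agree": all(got[i] == sent[i][1] for i in range(3)),
        "all_distinct": len({k for _, k in sent} | {kb}) == 4,
        "reply_agrees": ka == kb,
        "skipped_drained": not bob.skipped,
    }


if __name__ == "__main__":
    print(run_exchange())
```

Each message key is a dead end: `kdf_ck` yields it from the chain key, and the chain key is immediately replaced, which is what gives the forward secrecy of the hash ratchet. Bob's reply carries a new DH public value, so Alice's `_dh_ratchet` mixes a fresh DH output into the root key; an attacker holding an earlier chain or message key learns nothing about the chains derived afterwards, which is the self-healing property the article describes. The `skipped` dictionary is the "additional key-derivation step" for out-of-order messages: keys for messages not yet seen are derived and stored, while the chain moves on.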

Functioning

As cryptographic primitives Axolotl uses

  •  for the DH ratchet: Elliptic curve Diffie–Hellman (ECDH) with Curve25519,
  •  for message authentication codes (MAC, authentication): Keyed-Hash Message Authentication Code (HMAC) based on SHA-256,
  •  for symmetric encryption: the Advanced Encryption Standard (AES), partly in Cipher Block Chaining mode (CBC) with padding as per PKCS #5 and partly in Counter mode (CTR) without padding,
  •  for the hash ratchet: HMAC.[2]

Usage

In Signal it is used on hundreds of thousands of devices. In the last quarter of 2013, integration into the text messaging feature of version 11 and later of the independent Android operating system CyanogenMod was announced, which had over 10 million users at that time.[3][4][5] In November 2013 it was integrated into the experimental asynchronous messaging system Pond.[6] In September 2014 the integration into WhatsApp made newspaper headlines. Through a cooperation with Open Whisper Systems, Axolotl has been part of the Android edition of that messenger, which has hundreds of millions of users, since version 2.11.448.[7] When merging Silent Text into Silent Phone, released on 28 September 2015, Silent Circle replaced its own SCIMP with Axolotl.[8] In the course of a Google Summer of Code project, an extension to the Extensible Messaging and Presence Protocol (XMPP, "Jabber") named "OMEMO Multi-End Message and Object Encryption" (OMEMO), which integrates the Axolotl ratchet, was developed in 2015. It was introduced in the Android messenger Conversations and submitted to the XMPP Standards Foundation (XSF) in autumn.[9][10] G Data Secure Chat is also known to use Axolotl.[11]

Literature

  •  Nik Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Avrum Goldberg, Matthew Smith: SoK: Secure Messaging. In: IEEE Computer Society's Technical Committee on Security and Privacy (ed.): Proceedings of the 2015 IEEE Symposium on Security and Privacy. 2015, pp. 232–249 (http://ieee-security.org/TC/SP2015/papers-archived/6949a232.pdf).

References

  1. ^ Moxie Marlinspike (26 November 2013). "Advanced cryptographic ratcheting". whispersystems.org. Open Whisper Systems. Retrieved 2016-01-11. The OTR style ratchet has the nice property of being 'self healing.'
  2. ^ Tilman Frosch, Christian Mainka, Christoph Bader, Florian Bergsma, Jörg Schwenk, Thorsten Holz (Ruhr-Universität Bochum) (2014), "How Secure is TextSecure?" (PDF), Cryptology ePrint Archive, vol. Report 2014, no. 904.
  3. ^ Andy Greenberg (2013-12-09). "Ten Million More Android Users' Text Messages Will Soon Be Encrypted By Default". Forbes. Retrieved 2014-02-28.
  4. ^ Seth Schoen (2013-12-28). "2013 in Review: Encrypting the Web Takes A Huge Leap Forward". Electronic Frontier Foundation. Retrieved 2014-03-01.
  5. ^ Moxie Marlinspike (2013-12-09). "TextSecure, Now With 10 Million More Users". Open Whisper Systems. Retrieved 2014-02-28.
  6. ^ Post by Adam Langley dated 9.
  7. ^ Christian Schartel, 19.
  8. ^ What is Silent Phone?
  9. ^ Andreas Straub (2015-10-25). "OMEMO Encryption". conversations.im. Retrieved 2016-01-04.
  10. ^ Daniel Gultsch (2015-09-02). "OMEMO Encrypted Jingle File Transfer". conversations.im. Retrieved 2016-01-04.
  11. ^ Seals, Tara (2015-09-17). "G DATA Adds Encryption for Secure Mobile Chat". Infosecurity Magazine. Reed Exhibitions Ltd. Retrieved 2015-09-18.