Signal Protocol
With the surge of messaging applications in the past decade, businesses and individuals have turned to these applications for personal and professional communication.
It is imperative that a messaging service provides end-to-end encryption (E2EE), so that the contents of any given message are available only to the sender and the intended receiver.
With E2EE, a message stays encrypted at all times as it makes its way through any intermediaries, including the service's own servers. No one except the intended recipient holds the key to decrypt it. Signal, a messaging application developed by Open Whisper Systems (OWS), is gaining popularity every day among people all over the world because it provides end-to-end encryption by default. It uses the Signal Protocol, an open-source end-to-end encryption protocol.
Key Generation and Registration
The first step in establishing an end-to-end encrypted connection between two users with Open Whisper Systems' Signal Protocol is for each client to generate a long-term identity key pair, a medium-term signed prekey pair (signed with the identity key and rotated periodically), and a batch of one-time (ephemeral) prekey pairs. These keys are generated on the client side; the private halves never leave the device and are stored locally in protected storage.
The second step packages the public halves of these keys, the signature over the signed prekey, and the registration ID into an object known as the "key bundle", and registers it with a key distribution center (in Signal's deployment this role is played by the Signal server itself).
In order for Alice to send messages to Bob, Alice must have access to Bob's registration ID and public keys to start a session. Thus Alice must first generate her own keys, register herself with the key distribution center, and then request Bob's key bundle. The server returns Bob's identity key, signed prekey and, if any are left, one of his one-time prekeys, which it deletes after handing it out.
Starting a Session
Once Alice receives Bob's key bundle from the key distribution center, she first verifies the signature on Bob's signed prekey with his identity key. She then combines her own identity private key and a fresh ephemeral private key with Bob's public keys (identity key, signed prekey and, if one was available, a one-time prekey) to compute a master shared secret.
This master secret is never transmitted. Alice sends Bob her identity public key, her ephemeral public key and the identifiers of the prekeys she used, typically together with the first encrypted message. From these values and his own private keys Bob recomputes the same secret and decrypts the message; if it verifies, the session is established on Bob's device and Alice and Bob can start sending messages to each other.
Sending Messages
The session setup above relies on the X3DH ("Extended Triple Diffie-Hellman") key agreement. X3DH establishes a shared secret key between two parties who mutually authenticate each other based on their identity public keys.
It is designed for asynchronous settings where the receiver can be offline but has published information to a server. The sender uses that information to send encrypted data to the receiver and, at the same time, establishes a shared key for future communication; that key seeds the ratchet used for all subsequent messages in the session.
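The registration, bundle fetch and session setup described above, carried through as an added example (not Signal's or libsignal's own code). It uses a small pure-Python X25519 (the RFC 7748 ladder) and HKDF-SHA256 so it runs offline. Two simplifications are assumptions for brevity: the XEdDSA signature over the signed prekey is neither generated nor checked, and instead of encrypting a first message the functions return the derived secret so both sides can be compared. The info string `ExampleX3DH` and all key material are constructed here.

```python
"""X3DH session setup end to end (added example; pure-Python X25519 so it runs offline)."""
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASE_U = (9).to_bytes(32, "little")
F = b"\xff" * 32           # X3DH prefix byte string for curve25519
INFO = b"ExampleX3DH"      # application info string (assumed name)


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (not constant-time in Python)."""
    k = _clamp(scalar)
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def dh(priv: bytes, pub: bytes) -> bytes:
    """DH with the all-zero output check RFC 7748 recommends (rejects low-order points)."""
    out = x25519(priv, pub)
    if out == bytes(32):
        raise ValueError("non-contributory DH output (low-order public key)")
    return out


def generate_keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASE_U)


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()   # zero-filled salt
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def make_bundle(ik, spk, opks):
    """Public halves only: this is what Bob uploads to the server at registration."""
    return {"ik": ik[1], "spk": spk[1], "opks": {i: kp[1] for i, kp in opks.items()}}


def alice_initiate(ik_a, bundle):
    # A real client verifies the XEdDSA signature on bundle["spk"] first (omitted here).
    ek_a = generate_keypair()                               # fresh ephemeral key per session
    opk_id, opk_pub = next(iter(bundle["opks"].items()))    # the one OPK the server handed out
    dh1 = dh(ik_a[0], bundle["spk"])
    dh2 = dh(ek_a[0], bundle["ik"])
    dh3 = dh(ek_a[0], bundle["spk"])
    dh4 = dh(ek_a[0], opk_pub)
    sk = hkdf_sha256(F + dh1 + dh2 + dh3 + dh4, INFO)
    # Only public values and identifiers cross the wire; sk itself is never sent.
    first_message = {"ik_a": ik_a[1], "ek_a": ek_a[1], "opk_id": opk_id}
    return sk, first_message


def bob_respond(ik_b, spk_b, opks, msg):
    opk_b = opks.pop(msg["opk_id"])          # one-time prekey is consumed and deleted
    dh1 = dh(spk_b[0], msg["ik_a"])
    dh2 = dh(ik_b[0], msg["ek_a"])
    dh3 = dh(spk_b[0], msg["ek_a"])
    dh4 = dh(opk_b[0], msg["ek_a"])
    return hkdf_sha256(F + dh1 + dh2 + dh3 + dh4, INFO)


def run_handshake():
    """Registration, bundle fetch and session setup; returns both sides' secrets."""
    ik_b, spk_b = generate_keypair(), generate_keypair()
    opks_b = {i: generate_keypair() for i in range(3)}
    bundle = make_bundle(ik_b, spk_b, opks_b)             # Bob registers his bundle
    ik_a = generate_keypair()                             # Alice's own identity key
    sk_a, first_message = alice_initiate(ik_a, bundle)    # Alice fetched Bob's bundle
    sk_b = bob_respond(ik_b, spk_b, opks_b, first_message)
    return sk_a, sk_b, len(opks_b)


if __name__ == "__main__":
    sk_a, sk_b, left = run_handshake()
    print("secrets match:", sk_a == sk_b, "| one-time prekeys left:", left)
```

Note the two checks a practitioner adds around this: the all-zero test in `dh` (a malicious bundle could carry a low-order point so the secret no longer depends on Alice's keys), and Bob popping the one-time prekey so it can never be reused; a second initial message naming the same `opk_id` fails rather than silently falling back to a three-DH secret.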
Forward Secrecy
Following agreement on the shared secret key, both parties run the Double Ratchet algorithm to send and receive encrypted messages.
Every message is encrypted under a fresh message key derived from a KDF chain, and the chain key is replaced by its successor as soon as a message key is derived, so earlier keys cannot be recomputed from later state. In addition, each reply carries a new Diffie-Hellman public key; this DH ratchet step refreshes the chain keys, so a compromise of the current state does not expose messages sent after the next exchange.
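The symmetric-key half of that ratchet, as an added example (not Signal's or libsignal's code). It uses HMAC-SHA256 with distinct constants as the KDF chain, which is the construction the Double Ratchet specification suggests, and assumes both sides already hold the same chain key from X3DH; the DH ratchet step is not shown. The receiving side handles out-of-order delivery by storing keys for skipped message numbers, refuses a replayed number, and caps how far ahead it will derive. The bound `MAX_SKIP` and the chain key in `demo` are constructed values.

```python
"""Symmetric-key ratchet of the Double Ratchet (added example, not Signal's code)."""
import hashlib
import hmac


def kdf_ck(ck: bytes):
    """One ratchet step: chain key in, (next chain key, message key) out."""
    mk = hmac.new(ck, b"\x01", hashlib.sha256).digest()
    next_ck = hmac.new(ck, b"\x02", hashlib.sha256).digest()
    return next_ck, mk


class SendingChain:
    def __init__(self, ck: bytes):
        self.ck, self.n = ck, 0

    def next_message_key(self):
        """Returns (message number, message key) and overwrites the chain key,
        so the key for an earlier message cannot be recomputed from this state."""
        self.ck, mk = kdf_ck(self.ck)
        n, self.n = self.n, self.n + 1
        return n, mk


class ReceivingChain:
    MAX_SKIP = 1000   # bound on stored skipped keys (assumed value)

    def __init__(self, ck: bytes):
        self.ck, self.n, self.skipped = ck, 0, {}

    def message_key(self, n: int) -> bytes:
        """Key for message n; handles out-of-order delivery and refuses replays."""
        if n in self.skipped:
            return self.skipped.pop(n)          # delivered late: use once, then forget
        if n < self.n:
            raise KeyError(f"message {n} already decrypted; its key was deleted")
        if n - self.n > self.MAX_SKIP:
            raise ValueError("too many skipped messages")
        while self.n < n:                       # derive and park keys for unseen messages
            self.ck, mk = kdf_ck(self.ck)
            self.skipped[self.n] = mk
            self.n += 1
        self.ck, mk = kdf_ck(self.ck)
        self.n += 1
        return mk


def demo(shared_chain_key: bytes):
    """Sender emits five messages; receiver gets 3 first, then 0, then 3 again."""
    sender = SendingChain(shared_chain_key)
    receiver = ReceivingChain(shared_chain_key)
    sent = dict(sender.next_message_key() for _ in range(5))
    got3 = receiver.message_key(3)
    got0 = receiver.message_key(0)
    try:
        receiver.message_key(3)
        replay_rejected = False
    except KeyError:
        replay_rejected = True
    # Forward secrecy: a snapshot of the sender's state after message 4 yields the key
    # for message 5 onward, but keys 0-4 were overwritten and cannot be rebuilt from it.
    attacker = SendingChain(sender.ck)
    attacker_key = attacker.next_message_key()[1]
    return {
        "in_order": got0 == sent[0] and got3 == sent[3],
        "replay_rejected": replay_rejected,
        "still_pending": sorted(receiver.skipped),
        "attacker_gets_message_5": attacker_key == sender.next_message_key()[1],
    }


if __name__ == "__main__":
    print(demo(bytes(range(32))))
```

The last field is the caveat behind the "Forward Secrecy" heading: a leaked chain key protects the past but not the future, which is exactly the gap the DH ratchet closes when the next reply arrives.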