Signal Protocol

The Signal Protocol (formerly known as the TextSecure Protocol) is a non- federated cryptographic protocol that can be used to provide end-to-end encryption for voice calls and instant messaging conversations. The protocol was developed by Open Whisper Systems in 2013 and was first introduced in the open-source TextSecure app, which later became Signal. Several closed-source applications have implemented the protocol, such as WhatsApp, which is said to encrypt the conversations of "more than a billion people worldwide" or Google who provides end-to-end encryption by default to all RCS-based conversations between users of their Messages app for one-to-one conversations. Facebook Messenger also say they offer the protocol for optional Secret Conversations, as does Skype for its Private Conversations.

The protocol combines the Double Ratchet algorithm, prekeys, and a triple Elliptic-curve Diffie–Hellman (3-DH) handshake, and uses Curve25519, AES-256, and HMAC-SHA256 as primitives.

History

The Signal Protocol's development was started by Trevor Perrin and Moxie Marlinspike (Open Whisper Systems) in 2013. The first version of the protocol, TextSecure v1, was based on Off-the-Record Messaging (OTR).

On 24 February 2014, Open Whisper Systems introduced TextSecure v2, which migrated to the Axolotl Ratchet. The design of the Axolotl Ratchet is based on the ephemeral key exchange that was introduced by OTR and combines it with a symmetric-key ratchet modeled after the Silent Circle Instant Messaging Protocol (SCIMP). It brought about support for asynchronous communication ("offline messages") as its major new feature, as well as better resilience with distorted order of messages and simpler support for conversations with multiple participants. The Axolotl Ratchet was named after the critically endangered aquatic salamander Axolotl, which has extraordinary self-healing capabilities. The developers refer to the algorithm as self-healing because it automatically disables an attacker from accessing the cleartext of later messages after having compromised a session key.

The third version of the protocol, TextSecure v3, made some changes to the cryptographic primitives and the wire protocol. In October 2014, researchers from Ruhr University Bochum published an analysis of TextSecure v3. Among other findings, they presented an unknown key-share attack on the protocol, but in general, they found that it was secure.

In March 2016, the developers renamed the protocol as the Signal Protocol. They also renamed the Axolotl Ratchet as the Double Ratchet algorithm to better differentiate between the ratchet and the full protocol because some had used the name Axolotl when referring to the full protocol.

, the Signal Protocol is based on TextSecure v3, but with additional cryptographic changes. In October 2016, researchers from the UK's University of Oxford, Australia's Queensland University of Technology, and Canada's McMaster University published a formal analysis of the protocol, concluding that the protocol was cryptographically sound.

Another audit of the protocol was published in 2017.

Properties

The protocol provides confidentiality, integrity, authentication, participant consistency, destination validation, forward secrecy, post-compromise security (aka future secrecy), causality preservation, message unlinkability, message repudiation, participation repudiation, and asynchronicity. It does not provide anonymity preservation and requires servers for the relaying of messages and storing of public key material.

The Signal Protocol also supports end-to-end encrypted group chats. The group chat protocol is a combination of a pairwise double ratchet and multicast encryption. In addition to the properties provided by the one-to-one protocol, the group chat protocol provides speaker consistency, out-of-order resilience, dropped message resilience, computational equality, trust equality, subgroup messaging, as well as contractible and expandable membership.

Authentication

For authentication, users can manually compare public key fingerprints through an outside channel. This makes it possible for users to verify each other's identities and avoid a man-in-the-middle attack. An implementation can also choose to employ a trust on first use mechanism in order to notify users if a correspondent's key changes.

Metadata

The Signal Protocol does not prevent a company from retaining information about when and with whom users communicate. There can therefore be differences in how messaging service providers choose to handle this information. Signal's privacy policy states that recipients' identifiers are only kept on the Signal servers as long as necessary in order to transmit each message. In June 2016, Moxie Marlinspike told ''The Intercept'': "the closest piece of information to metadata that the Signal server stores is the last time each user connected to the server, and the precision of this information is reduced to the day, rather than the hour, minute, and second."

In October 2018, Signal Messenger announced that they had implemented a "sealed sender" feature into Signal, which reduces the amount of metadata that the Signal servers have access to by concealing the sender's identifier. The sender's identity is conveyed to the recipient in each message, but is encrypted with a key that the server does not have. This is done automatically if the sender is in the recipient's contacts or has access to their Signal Profile. Users can also enable an option to receive "sealed sender" messages from non-contacts and people who do not have access to their Signal Profile. A contemporaneous wiretap of the user's device and/or the Signal servers may still reveal that the device's IP address accessed a Signal server to send or receive messages at certain times.

Usage

Open Whisper Systems first introduced the protocol in their TextSecure app. They later merged an encrypted voice calling application called RedPhone into the TextSecure app and renamed it as Signal.

In November 2014, Open Whisper Systems announced a partnership with WhatsApp to provide end-to-end encryption by incorporating the Signal Protocol into each WhatsApp client platform. Open Whisper Systems said that they had already incorporated the protocol into the latest WhatsApp client for Android and that support for other clients, group/media messages, and key verification would be coming soon after. On April 5, 2016, WhatsApp and Open Whisper Systems announced that they had finished adding end-to-end encryption to "every form of communication" on WhatsApp, and that users could now verify each other's keys. In February 2017, WhatsApp announced a new feature, WhatsApp Status, which uses the Signal Protocol to secure its contents. In October 2016, WhatsApp's parent company Facebook also deployed an optional mode called Secret Conversations in Facebook Messenger which provides end-to-end encryption using an implementation of the Signal Protocol.

In September 2015, G Data Software launched a new messaging app called Secure Chat which used the Signal Protocol. G Data discontinued the service in May 2018.

In September 2016, Google launched a new messaging app called Allo, which featured an optional Incognito Mode that used the Signal Protocol for end-to-end encryption. In March 2019, Google discontinued Allo in favor of their Messages app on Android. In November 2020, Google announced that they would be using the Signal Protocol to provide end-to-end encryption by default to all RCS-based conversations between users of their Messages app, starting with one-to-one conversations.

In January 2018, Open Whisper Systems and Microsoft announced the addition of Signal Protocol support to an optional Skype mode called Private Conversations.

Influence

The Signal Protocol has had an influence on other cryptographic protocols. In May 2016, Viber said that their encryption protocol is a custom implementation that "uses the same concepts" as the Signal Protocol. Forsta's developers have said that their app uses a custom implementation of the Signal Protocol.

The Double Ratchet algorithm that was introduced as part of the Signal Protocol has also been adopted by other protocols. OMEMO is an XMPP Extension Protocol (XEP) that was introduced in the Conversations messaging app and approved by the XMPP Standards Foundation (XSF) in December 2016 as XEP-0384. Matrix is an open communications protocol that includes Olm, a library that provides optional end-to-end encryption on a room-by-room basis via a Double Ratchet algorithm implementation. The developers of Wire have said that their app uses a custom implementation of the Double Ratchet algorithm.

Messaging Layer Security, an IETF proposal, uses ''Asynchronous ratcheting trees'' to efficiently improve upon security guarantees over Signal's ''Double Ratchet''.

Implementations

Signal Messenger maintains the following Signal Protocol libraries under the GPLv3 license on GitHub:
libsignal-protocol-c
A library written in C with additional licensing permissions for Apple's App Store.
libsignal-protocol-java
A library written in Java.

There also exist alternative libraries written by third-parties in other languages, such as TypeScript.

See also

* Comparison of instant messaging protocols
* Comparison of cryptography libraries

References

Literature

*
*
*
*
*
*

External links

*

"TextSecure Protocol: Present and Future"
talk by Trevor Perrin at NorthSec 2015 (video)

{{Cryptographic software

Application layer protocols
Cryptographic protocols