In cryptography, the Double Ratchet Algorithm (previously referred to as the Axolotl Ratchet) is a key management algorithm that was developed by Trevor Perrin and Moxie Marlinspike in 2013. It can be used as part of a cryptographic protocol to provide end-to-end encryption for instant messaging. After an initial key exchange it manages the ongoing renewal and maintenance of short-lived session keys. It combines a cryptographic so-called "ratchet" based on the Diffie–Hellman key exchange (DH) and a ratchet based on a key derivation function (KDF), such as a hash function, and is therefore called a double ratchet. The algorithm provides forward secrecy for messages, and implicit renegotiation of forward keys; properties for which the protocol is named.


History

The Double Ratchet Algorithm was developed by Trevor Perrin and Moxie Marlinspike (Open Whisper Systems) in 2013 and introduced as part of the Signal Protocol in February 2014. The Double Ratchet Algorithm's design is based on the DH ratchet that was introduced by Off-the-Record Messaging (OTR) and combines it with a symmetric-key ratchet modeled after the Silent Circle Instant Messaging Protocol (SCIMP). The ratchet was initially named after the critically endangered aquatic salamander axolotl, which has extraordinary self-healing capabilities. In March 2016, the developers renamed the Axolotl Ratchet as the Double Ratchet Algorithm to better differentiate between the ratchet and the full protocol, because some had used the name Axolotl when referring to the Signal Protocol.


Overview

The Double Ratchet Algorithm features properties that have been commonly available in end-to-end encryption systems for a long time: encryption of content along the entire transport path as well as authentication of the remote peer and protection against manipulation of messages. As a hybrid of DH and KDF ratchets, it combines several desired features of both principles. From OTR messaging it takes the properties of forward secrecy and automatically reestablishing secrecy in case of compromise of a session key, forward secrecy with a compromise of the secret persistent main key, and plausible deniability for the authorship of messages. Additionally, it enables session key renewal without interaction with the remote peer by using secondary KDF ratchets. An additional key-derivation step is taken to enable retaining session keys for out-of-order messages without endangering the following keys. It is said to detect reordering, deletion, and replay of sent messages, and to improve forward secrecy properties against passive eavesdropping in comparison to OTR messaging. Combined with public key infrastructure for the retention of pregenerated one-time keys (prekeys), it allows for the initialization of messaging sessions without the presence of the remote peer (asynchronous communication). The usage of triple Diffie–Hellman key exchange (3-DH) as the initial key exchange method improves the deniability properties. An example of this is the Signal Protocol, which combines the Double Ratchet Algorithm, prekeys, and a 3-DH handshake. The protocol provides confidentiality, integrity, authentication, participant consistency, destination validation, forward secrecy, backward secrecy (also known as future secrecy), causality preservation, message unlinkability, message repudiation, participation repudiation, and asynchronicity. It does not provide anonymity preservation, and requires servers for the relaying of messages and storing of public key material.


Functioning

A client attempts to renew session key material interactively with the remote peer using a Diffie–Hellman (DH) ratchet. If this is impossible, the clients renew the session key independently using a hash ratchet. With every message, a client advances one of two hash ratchets, one for sending and one for receiving. These two hash ratchets get seeded with a common secret from a DH ratchet. At the same time it tries to use every opportunity to provide the remote peer with a new public DH value and advance the DH ratchet whenever a new DH value from the remote peer arrives. As soon as a new common secret is established, a new hash ratchet gets initialized.

As cryptographic primitives, the Double Ratchet Algorithm uses:

* for the DH ratchet: Elliptic curve Diffie–Hellman (ECDH) with Curve25519
* for message authentication codes (MAC, authentication): Keyed-hash message authentication code (HMAC) based on SHA-256
* for symmetric encryption: the Advanced Encryption Standard (AES), partially in cipher block chaining mode (CBC) with padding as per PKCS #5 and partially in counter mode (CTR) without padding
* for the hash ratchet: HMAC
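The following is an added example written for this article; it is not code from Signal or from any implementation listed here. It shows, in runnable Python, the mechanics described in the Overview and Functioning sections: a root chain advanced by DH ratchet steps, separate sending and receiving hash chains advanced per message with HMAC-SHA256, skipped message keys retained so that out-of-order messages still decrypt, and authentication of header and ciphertext. To keep it standard-library only, it substitutes a toy DH group (the Mersenne prime M521 with generator 3) for Curve25519, HMAC-SHA256 for HKDF in the root chain, and an HMAC-SHA256 counter-mode keystream for AES-CTR; these substitutions, the header layout, and all names (`Session`, `kdf_rk`, `kdf_ck`, `demo`) are assumptions of this example, not the algorithm's specification.

```python
import hashlib
import hmac
import secrets

# Toy DH group: Mersenne prime M521 with generator 3. A constructed stand-in for
# Curve25519 so the block runs offline; NOT a secure parameter choice.
P = 2**521 - 1
G = 3
PUB_LEN = 66  # bytes needed to encode a group element


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(PUB_LEN, "big")


def kdf_rk(root_key, dh_out):
    # Root-chain step (DH ratchet). HMAC-SHA256 stands in for HKDF.
    # Returns (new root key, new chain key).
    prk = hmac.new(root_key, dh_out, hashlib.sha256).digest()
    return (hmac.new(prk, b"root", hashlib.sha256).digest(),
            hmac.new(prk, b"chain", hashlib.sha256).digest())


def kdf_ck(chain_key):
    # Hash-ratchet step: next chain key and message key are both one-way
    # functions of the current chain key, so a leaked chain key does not
    # reveal earlier message keys. Returns (next chain key, message key).
    return (hmac.new(chain_key, b"\x02", hashlib.sha256).digest(),
            hmac.new(chain_key, b"\x01", hashlib.sha256).digest())


def _keystream(key, n):
    # HMAC-SHA256 in counter mode, a constructed stand-in for AES-CTR.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, b"stream" + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(mk, header, plaintext):
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(mk, len(plaintext))))
    tag = hmac.new(mk, header + ct, hashlib.sha256).digest()  # header is authenticated too
    return ct + tag


def decrypt(mk, header, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, header + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(mk, len(ct))))


class Session:
    """One side of a double-ratchet session; field names follow the Signal spec."""

    def __init__(self, shared_secret, our_dh=None, their_pub=None):
        self.rk = shared_secret            # root key from the initial key agreement
        self.dhs = our_dh or dh_keypair()  # our current ratchet key pair
        self.dhr = their_pub               # peer's current ratchet public key
        self.cks = self.ckr = None         # sending / receiving chain keys
        self.ns = self.nr = self.pn = 0    # message counters
        self.skipped = {}                  # (peer pub, n) -> message key
        if their_pub is not None:          # initiator can start its sending chain at once
            self.rk, self.cks = kdf_rk(self.rk, dh(self.dhs[0], their_pub))

    def send(self, plaintext):             # responder may only send after its first receive
        self.cks, mk = kdf_ck(self.cks)
        header = (self.dhs[1].to_bytes(PUB_LEN, "big")
                  + self.pn.to_bytes(4, "big") + self.ns.to_bytes(4, "big"))
        self.ns += 1
        return header, encrypt(mk, header, plaintext)

    def receive(self, header, blob):
        pub = int.from_bytes(header[:PUB_LEN], "big")
        pn = int.from_bytes(header[PUB_LEN:PUB_LEN + 4], "big")
        n = int.from_bytes(header[PUB_LEN + 4:PUB_LEN + 8], "big")
        mk = self.skipped.pop((pub, n), None)
        if mk is not None:                 # a message that arrived late
            return decrypt(mk, header, blob)
        if pub != self.dhr:                # new DH value from the peer: DH ratchet step,
            self._skip(pn)                 # after retaining keys left in the old receiving chain
            self._dh_ratchet(pub)
        self._skip(n)
        self.ckr, mk = kdf_ck(self.ckr)
        self.nr += 1
        return decrypt(mk, header, blob)

    def _skip(self, until):
        while self.ckr is not None and self.nr < until:
            self.ckr, mk = kdf_ck(self.ckr)
            self.skipped[(self.dhr, self.nr)] = mk
            self.nr += 1

    def _dh_ratchet(self, pub):
        self.pn, self.ns, self.nr = self.ns, 0, 0
        self.dhr = pub
        self.rk, self.ckr = kdf_rk(self.rk, dh(self.dhs[0], pub))  # new receiving chain
        self.dhs = dh_keypair()                                    # fresh key pair for our next message
        self.rk, self.cks = kdf_rk(self.rk, dh(self.dhs[0], pub))  # new sending chain


def demo():
    shared = secrets.token_bytes(32)  # constructed; Signal derives this from the 3-DH handshake
    bob_dh = dh_keypair()
    bob = Session(shared, our_dh=bob_dh)          # responder's ratchet key acts as its prekey
    alice = Session(shared, their_pub=bob_dh[1])  # initiator
    sent = [alice.send(m) for m in (b"m1", b"m2", b"m3")]
    # m3 arrives first: Bob stores the two skipped message keys, then uses them for m1 and m2.
    got = [bob.receive(*sent[2]), bob.receive(*sent[0]), bob.receive(*sent[1])]
    reply = alice.receive(*bob.send(b"reply"))   # carries Bob's new DH value, so Alice ratchets
    h4, c4 = alice.send(b"m4")
    c4 = bytearray(c4); c4[0] ^= 1               # flip one ciphertext bit
    try:                                         # (a production implementation would also
        bob.receive(h4, bytes(c4)); detected = False   # roll back state on failure)
    except ValueError:
        detected = True
    return got, reply, detected
```

Running `demo()` returns the three plaintexts in the order Bob received them, Bob's reply as decrypted by Alice, and `True` for the tampered message. The two assertions worth keeping in mind are that each party's receiving chain key after a DH step equals the other party's sending chain key, and that once a message key is consumed or a chain key advanced, nothing in the retained state recovers it.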


Applications

The following is a list of applications that use the Double Ratchet Algorithm or a custom implementation of it:

* ChatSecure
* Conversations
* Cryptocat
* Facebook Messenger
* G Data Secure Chat
* Gajim
* GNOME Fractal
* Google Allo
* Google Messages
* Haven
* Pond
* Element
* Signal
* Silent Phone
* Skype
* Viber
* WhatsApp
* Wire




External links


* Specification by Open Whisper Systems
* Advanced cryptographic ratcheting, abstract description by Moxie Marlinspike
* Olm, C++ implementation under the Apache 2.0 license
* Vodozemac, Rust implementation of the Olm variation, under the Apache 2.0 license