Wikipedia

Double Ratchet Algorithm: Difference between revisions

Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
Dubidubno (talk | contribs)
362 edits
m wikilink to Algorithm
 
(20 intermediate revisions by 13 users not shown)
Line 1:
{{short description|Cryptographic key management algorithm}}
{{Redirect|Double ratchet|the hand tool|Wrench}}
[[File:Double Ratchet Algorithm.png|350px|thumb|right|Full ratchet step in the double ratchet algorithm. The Key Derivation Function (KDF) provides the ratcheting mechanism. The first "ratchet" is applied to the symmetric root key, the second ratchet to the asymmetric Diffie Hellman (DH) key.<ref>Trevor Perrin (editor), Moxie Marlinspike, "[https://signal.org/docs/specifications/doubleratchet/ The Double Ratchet Algorithm]. Revision 1, 2016-11-20</ref>]]
In [[cryptography]], the '''Double Ratchet Algorithm''' (previously referred to as the '''Axolotl Ratchet'''<ref name="Perrin-2016-03-30">{{cite web|last1=Perrin|first1=Trevor|title=Compare Revisions|url=https://github.com/trevp/double_ratchet/wiki/Home/_compare/6fa4a516b01327d736df1f52014d8b561a18189a...ab41721f9ed7ca0bdac3e24ce9fc573750e0614d|website=GitHub|access-date=9 April 2016|date=30 March 2016}}</ref><ref name="signal-inside-and-out">{{cite web|last1=Marlinspike|first1=Moxie|title=Signal on the outside, Signal on the inside|url=https://whispersystems.org/blog/signal-inside-and-out/|publisher=Open Whisper Systems|access-date=31 March 2016|date=30 March 2016}}</ref>) is a [[Key (cryptography)|key]] management algorithm that was developed by [[Trevor Perrin]] and [[Moxie Marlinspike]] in 2013. It can be used as part of a [[cryptographic protocol]] to provide [[end-to-end encryption]] for [[instant messaging]]. After an initial [[key-agreement protocol|key exchange]] it manages the ongoing renewal and maintenance of short-lived session keys. It combines a cryptographic so-called "ratchet" based on the [[Diffie–Hellman key exchange]] (DH) and a ratchet based on a [[key derivation function]] (KDF), such as a [[hash function]], and is therefore called a double ratchet.
 
In [[cryptography]], the '''Double Ratchet Algorithm''' (previously referred to as the '''Axolotl Ratchet'''<ref name="Perrin-2016-03-30">{{cite web|last1=Perrin|first1=Trevor|title=Compare Revisions|url=https://github.com/trevp/double_ratchet/wiki/Home/_compare/6fa4a516b01327d736df1f52014d8b561a18189a...ab41721f9ed7ca0bdac3e24ce9fc573750e0614d|website=GitHub|access-date=9 April 2016|date=30 March 2016}}</ref><ref name="signal-inside-and-out">{{cite web|last1=Marlinspike|first1=Moxie|title=Signal on the outside, Signal on the inside|url=https://whispersystems.org/blog/signal-inside-and-out/|publisher=Open Whisper Systems|access-date=31 March 2016|date=30 March 2016}}</ref>) is a [[Key (cryptography)|key]] management [[algorithm]] that was developed by [[Trevor Perrin]] and [[Moxie Marlinspike]] in 2013. It can be used as part of a [[cryptographic protocol]] to provide [[end-to-end encryption]] for [[instant messaging]]. After an initial [[key-agreement protocol|key exchange]] it manages the ongoing renewal and maintenance of short-lived session keys. It combines a cryptographic so-called "ratchet" based on the [[Diffie–Hellman key exchange]] (DH) and a ratchet based on a [[key derivation function]] (KDF), such as a [[hash function]], and is therefore called a double ratchet.
The algorithm provides forward secrecy for messages, and implicit renegotiation of forward keys; properties for which the protocol is named.<ref>{{cite journal|last1=Cohn-Gordon|first1=K.|last2=Cremers|first2=C.|last3=Garratt|first3=L.|title=On Post-compromise Security|journal=2016 IEEE 29th Computer Security Foundations Symposium (CSF)|year=2016|pages=164–178|doi=10.1109/CSF.2016.19|isbn=978-1-5090-2607-4|s2cid=5703986|url=https://ora.ox.ac.uk/objects/uuid:241da365-1c73-4b6a-826c-f122c4c1e1b8}}</ref>
 
The algorithm provides forward secrecy for messages, and implicit renegotiation of forward keys; properties for which the protocol is named.<ref>{{cite journalbook|last1=Cohn-Gordon|first1=K.|last2=Cremers|first2=C.|last3=Garratt|first3=L.|title=On Post-compromise Security|journal=2016 IEEE 29th Computer Security Foundations Symposium (CSF) |chapter=On Post-compromise Security |year=2016|pages=164–178|doi=10.1109/CSF.2016.19|isbn=978-1-5090-2607-4|s2cid=5703986|chapter-url=https://ora.ox.ac.uk/objects/uuid:241da365-1c73-4b6a-826c-f122c4c1e1b8}}</ref>
 
== History ==
Line 26 ⟶ 28:
| caption2 = Diagram of the working principle
}}
A client renewsattempts to renew session key material in interactioninteractively with the remote peer using Diffie–Hellmana Diffie-Hellman (DH) ratchet. wheneverIf possiblethis is impossible, otherwisethe independentlyclients byrenew the session key independently using a hash ratchet. Therefore, withWith every message, a client using the double ratchet advances one of two hash ratchets (oneratchets—one for sending, and one for receiving). whichThese two hash ratchets get seeded with a common secret from a DH ratchet. At the same time it tries to use every opportunity to provide the remote peer with a new public DH value and advance the DH ratchet whenever a new DH value from the remote peer arrives. As soon as a new common secret is established, a new hash ratchet gets initialized.
 
As cryptographic primitives, the Double Ratchet Algorithm uses
; for the DH ratchet: Elliptic curve Diffie–HellmanDiffie-Hellman (ECDH) with [[Curve25519]],
; for [[message authentication code]]s (MAC, authentication): [[Hash-based message authentication code|Keyed-hash message authentication code]] (HMAC) based on [[SHA-256]],
; for symmetric encryption: the [[Advanced Encryption Standard]] (AES), partially in cipher block chaining [[block cipher mode of operation|mode]] (CBC) with [[padding (cryptography)|padding]] as per [[PKCS]]&nbsp;#5 and partially in counter mode (CTR) without padding,
Line 42 ⟶ 44:
* [[Conversations (software)|Conversations]]{{efn|name=OMEMO|Via the [[OMEMO]] protocol}}
* [[Cryptocat]]{{efn|name=OMEMO}}<ref>{{Cite web|url=https://crypto.cat/security.html|title=Security|publisher=Cryptocat|access-date=14 July 2016|archive-url=https://web.archive.org/web/20160407125207/https://crypto.cat/security.html|archive-date=7 April 2016|url-status=dead}}</ref>
* [[Facebook Messenger]]{{efn|Only in "secret conversations"}}{{efn|name=SIGNAL|Via the [[Signal Protocol]]}}<ref>{{cite webmagazine|last1=Greenberg|first1=Andy|url=https://www.wired.com/2016/10/facebook-completely-encrypted-messenger-update-now/|title=You Can All Finally Encrypt Facebook Messenger, So Do It|websitemagazine=Wired|publisher=Condé Nast|access-date=5 October 2016|date=4 October 2016}}</ref>
* [[G Data CyberDefense|G Data]] Secure Chat{{efn|name=SIGNAL}}<ref name="G Data"/><ref>{{cite web|title=SecureChat|url=https://github.com/GDATASoftwareAG/SecureChat|website=GitHub|publisher=G Data|access-date=14 July 2016}}</ref>
* [[Gajim]]{{efn|name=OMEMO}}{{efn|name=Plugin|A third-party [[Plug-in (computing)|plug-in]] must be installed separately}}
* [[Fractal (software)|GNOME Fractal]]{{efn|name=Matrix}}
* [[Google Allo]]{{efn|Only in "incognito mode"}}{{efn|name=SIGNAL}}<ref name="Greenberg-2016-05-18">{{Cite webmagazine|last=Greenberg|first=Andy|url=https://www.wired.com/2016/05/allo-duo-google-finally-encrypts-conversations-end-end/|title=With Allo and Duo, Google Finally Encrypts Conversations End-to-End|websitemagazine=Wired|publisher=Condé Nast|date=18 May 2016|access-date=14 July 2016}}</ref>
* [[Messages (Google)|Google Messages]]{{efn|Only in one-to-one [[Rich Communication Services|RCS chats]]}}{{efn|name=SIGNAL|Via the [[Signal Protocol]]}}<ref>{{Cite web |last=Amadeo |first=Ron |date=2021-06-16 |title=Google enables end-to-end encryption for Android's default SMS/RCS app |url=https://arstechnica.com/gadgets/2021/06/google-enables-end-to-end-encryption-for-androids-default-sms-rcs-app/ |access-date=2022-03-03 |website=Ars Technica |language=en-us}}</ref>
* [[Haven (software)|Haven]]{{efn|name=SIGNAL}}<ref>{{cite web|title=Haven Attributions|url=https://github.com/guardianproject/haven#attributions|website=GitHub|publisher=Guardian Project|access-date=22 December 2017}}</ref><ref>{{cite web|last1=Lee|first1=Micah|title=Snowden's New App Uses Your Smartphone To Physically Guard Your Laptop|url=https://theintercept.com/2017/12/22/snowdens-new-app-uses-your-smartphone-to-physically-guard-your-laptop/|website=The Intercept|publisher=First Look Media|access-date=22 December 2017|date=22 December 2017}}</ref>
* Pond<ref name="Pond"/>
* [[Element (software)|Element]]{{efn|name=Matrix|Via the [[Matrix (communication protocol)|Matrix]] protocol}}<ref>{{Cite web|url=https://techcrunch.com/2016/09/19/riot-wants-to-be-like-slack-but-with-the-flexibility-of-an-underlying-open-source-platform/|title=Riot wants to be like Slack, but with the flexibility of an underlying open source platform|last=Butcher|first=Mike|website=TechCrunch|publisher=AOL Inc.|date=19 September 2016|access-date=20 September 2016}}</ref>
* [[Signal (softwaremessaging app)|Signal]]{{efn|name=SIGNAL}}
* [[Silent Circle (software)|Silent Phone]]{{efn|name=zina|Via the Zina protocol}}<ref name="libzina">{{cite web|title=Silent Circle/libzina |url=https://github.com/SilentCircle/libzina/ |website=Github|publisher=Silent Circle|access-date=19 December 2017}}</ref>
* [[Skype]]{{efn|Only in "private conversations"}}{{efn|name=SIGNAL}}<ref>{{cite web|last1=Lund|first1=Joshua|title=Signal partners with Microsoft to bring end-to-end encryption to Skype|url=https://signal.org/blog/skype-partnership/|publisher=Open Whisper Systems|access-date=11 January 2018|date=11 January 2018}}</ref>
* [[Viber]]{{efn|Viber "uses the same concepts of the "double ratchet" protocol used in Open Whisper Systems Signal application"}}<ref>{{cite web|title=Viber Encryption Overview|url=https://www.viber.com/app/uploads/viber-encryption-overview.pdf|publisher=Viber|date=25 July 2018|access-date=26 October 2018}}</ref>
* [[WhatsApp]]{{efn|name=SIGNAL}}<ref name="Metz-2016-04-05">{{cite webmagazine|last1=Metz|first1=Cade|title=Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People|url=https://www.wired.com/2016/04/forget-apple-vs-fbi-whatsapp-just-switched-encryption-billion-people/|websitemagazine=Wired|publisher=Condé Nast|access-date=5 April 2016|date=5 April 2016}}</ref>
* [[Wire (software)|Wire]]{{efn|name=Proteus|Via the Proteus protocol}}<ref name="Wire Security Whitepaper">{{Cite web|url=https://wire-docs.wire.com/download/Wire+Security+Whitepaper.pdf|title=Wire Security Whitepaper|publisher=Wire Swiss GmbH|date=17 August 2018|access-date=28 August 2020}}</ref>
{{end div col}}
Line 64 ⟶ 66:
== References ==
{{Reflist|colwidth=30em|refs=
<ref name="advanced-ratcheting">{{cite web|title = Advanced cryptographic ratcheting |url = https://whispersystems.org/blog/advanced-ratcheting/ |access-date = 20 January 2021|work = whispersystems.org |last = Marlinspike |first = Moxie |date = 26 November 2013 |quote = The OTR style ratchet has the nice property of being 'self healing.' |publisher = Open Whisper Systems}}</ref>
 
<ref name="Pond">{{cite web|url=https://github.com/agl/pond/commit/338395668fbb8a7819c0fccf54dccaa4d7f0ae9e |first= Adam|last=Langley|title=Wire in new ratchet system|type=GitHub contribution|date=9 November 2013|website=GitHub|access-date=16 January 2016}}</ref>
Line 91 ⟶ 92:
* [http://git.matrix.org/git/olm/about/docs/olm.rst Olm]: C++ implementation under the [[Apache license|Apache 2.0 license]]
* [https://matrix-org.github.io/vodozemac/vodozemac/index.html Vodozemac]: Rust implementation of the Olm variation, under the [[Apache license|Apache 2.0 license]]
* {{YouTube|id=7uEeE3TUqmU|title=Double ratchet algorithm: The ping-pong game encrypting Signal and WhatsApp}} (exposition)
 
{{Cryptography navbox | public-key}}
Line 96 ⟶ 98:
{{FLOSS}}
[[Category:Cryptographic algorithms]]
[[Category:End-to-end encryption]]
Retrieved from "https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm"