Double Ratchet Algorithm: Difference between revisions

Mikez302 (talk | contribs)
Added link to "ratchet"
m Properties: Added punctuation for clarity.
The Double Ratchet Algorithm provides properties that have long been standard in end-to-end encryption systems: encryption of message contents along the entire transport path, [[authentication]] of the remote peer, and protection against manipulation of messages. As a hybrid of [[Diffie–Hellman key exchange|DH]] and [[Key derivation function|KDF]] ratchets, it combines desirable features of both principles. From [[Off-the-Record Messaging|OTR]] messaging it takes [[forward secrecy]], the automatic re-establishment of secrecy after a session key has been compromised, forward secrecy even if the persistent long-term secret key is compromised, and [[deniable encryption|plausible deniability]] for the authorship of messages. Additionally, it allows session keys to be renewed without interaction with the remote peer by using secondary KDF ratchets. An additional key-derivation step allows session keys for out-of-order messages to be retained without endangering the keys that follow.
 
It is said{{By whom|date=April 2018}} to detect reordering, deletion, and replay of sent messages, and to improve forward secrecy properties compared with OTR messaging.
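The two preceding paragraphs describe the mechanism in words: a DH ratchet that refreshes the root key whenever the peer presents a new public key, a symmetric KDF chain that advances once per message, a separate derivation step that turns each chain step into a message key, storage of skipped message keys for out-of-order delivery, and rejection of replayed messages. The following Python sketch is an added example, not code from the article or from the Signal project, that puts those pieces together so the behaviour can be observed. It assumes a toy Diffie–Hellman group (the Mersenne prime 2^61−1 with generator 3, far too small for real use), a toy HMAC-based authenticated encryption, and a constructed root key standing in for the output of the initial handshake; the state field names (rk, dhs, dhr, cks, ckr, ns, nr, pn, skipped) follow the Double Ratchet specification.

```python
import hashlib
import hmac
import secrets

# Toy DH group for illustration only (assumption of this example): a real
# implementation uses a curve such as X25519, never a 61-bit prime.
P = (1 << 61) - 1
G = 3
MAX_SKIP = 10  # bound on message keys kept for out-of-order delivery

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(8, "big")

def kdf_rk(root_key, dh_out):
    # DH ratchet step: mix a fresh DH output into the root key, derive a new chain key
    prk = hmac.new(root_key, dh_out, hashlib.sha256).digest()
    return (hmac.new(prk, b"root", hashlib.sha256).digest(),
            hmac.new(prk, b"chain", hashlib.sha256).digest())

def kdf_ck(chain_key):
    # Symmetric-key ratchet step. The message key is derived separately from the next
    # chain key, so keeping a message key for a late message reveals nothing about later keys,
    # and holding a later chain key does not let anyone recompute earlier message keys.
    mk = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    return hmac.new(chain_key, b"\x02", hashlib.sha256).digest(), mk

def _keystream(mk, length):
    blocks = (length + 31) // 32
    return b"".join(hmac.new(mk, b"ks" + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def seal(mk, header, plaintext):
    # Toy authenticated encryption (assumption): HMAC keystream plus an HMAC tag over header||ct
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(mk, len(plaintext))))
    return ct + hmac.new(mk, repr(header).encode() + ct, hashlib.sha256).digest()

def open_(mk, header, blob):
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mk, repr(header).encode() + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed (wrong key, replay or tampering)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(mk, len(ct))))

class Party:
    def __init__(self, root_key, dh_pair, peer_pub=None):
        self.rk, self.dhs, self.dhr = root_key, dh_pair, peer_pub
        self.cks = self.ckr = None
        self.ns = self.nr = self.pn = 0
        self.skipped = {}  # (peer DH public key, message number) -> message key
        if peer_pub is not None:  # initiator already knows the peer's key: sending chain now
            self.rk, self.cks = kdf_rk(self.rk, dh(dh_pair[0], peer_pub))

    def encrypt(self, plaintext):
        self.cks, mk = kdf_ck(self.cks)
        header = (self.dhs[1], self.pn, self.ns)  # our DH public key, previous chain length, n
        self.ns += 1
        return header, seal(mk, header, plaintext)

    def decrypt(self, header, ciphertext):
        snapshot = (self.rk, self.dhs, self.dhr, self.cks, self.ckr,
                    self.ns, self.nr, self.pn, dict(self.skipped))
        try:
            return self._decrypt(header, ciphertext)
        except ValueError:  # never advance state on a message that fails to authenticate
            (self.rk, self.dhs, self.dhr, self.cks, self.ckr,
             self.ns, self.nr, self.pn, self.skipped) = snapshot
            raise

    def _decrypt(self, header, ciphertext):
        pub, pn, n = header
        mk = self.skipped.pop((pub, n), None)  # late message from an already advanced chain
        if mk is None:
            if pub != self.dhr:                # peer's DH key changed: close old chain, ratchet
                self._skip(pn)
                self._dh_ratchet(pub)
            self._skip(n)
            self.ckr, mk = kdf_ck(self.ckr)
            self.nr += 1
        return open_(mk, header, ciphertext)

    def _skip(self, until):
        if self.nr + MAX_SKIP < until:
            raise ValueError("too many skipped messages")
        while self.ckr is not None and self.nr < until:
            self.ckr, mk = kdf_ck(self.ckr)
            self.skipped[(self.dhr, self.nr)] = mk
            self.nr += 1

    def _dh_ratchet(self, peer_pub):
        self.pn, self.ns, self.nr, self.dhr = self.ns, 0, 0, peer_pub
        self.rk, self.ckr = kdf_rk(self.rk, dh(self.dhs[0], peer_pub))
        self.dhs = dh_keypair()  # fresh key pair: a later compromise cannot unwind past here
        self.rk, self.cks = kdf_rk(self.rk, dh(self.dhs[0], peer_pub))

def demo():
    rk0 = hashlib.sha256(b"constructed handshake secret").digest()  # stands in for the 3-DH output
    bob_pair = dh_keypair()
    alice = Party(rk0, dh_keypair(), peer_pub=bob_pair[1])  # Alice holds Bob's published key
    bob = Party(rk0, bob_pair)
    m1, m2, m3 = (alice.encrypt(p) for p in (b"one", b"two", b"three"))
    got = [bob.decrypt(*m1), bob.decrypt(*m3), bob.decrypt(*m2)]  # m2 arrives late
    try:
        bob.decrypt(*m1)  # replay of a consumed message: its key is gone, the tag fails
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    got.append(alice.decrypt(*bob.encrypt(b"four")))  # Bob's new key ratchets Alice
    got.append(bob.decrypt(*alice.encrypt(b"five")))  # Alice's new key ratchets Bob
    return got, replay_rejected, len(bob.skipped)
```

Running `demo()` shows the out-of-order message decrypting from the stored skipped key, the replay being rejected without disturbing Bob's state, and both DH ratchet steps keeping the root keys in sync. The `MAX_SKIP` bound and the state rollback on failure are the two defensive details that matter in practice: without the bound, a peer could force unbounded key storage, and without the rollback a single malformed message would desynchronize the receiving chain.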
 
Combined with [[public key infrastructure]] for the retention of pregenerated one-time keys (prekeys), it allows messaging sessions to be initialized without the remote peer being present ([[asynchronous communication]]). Using a triple Diffie–Hellman key exchange (3-DH) as the initial key exchange method improves the deniability properties. An example of this is the Signal Protocol, which combines the Double Ratchet Algorithm, prekeys, and a 3-DH handshake.<ref name="Unger-2015-p241">{{harvnb|Unger|Dechand|Bonneau|Fahl|2015|p=241}}</ref> The protocol provides confidentiality, integrity, authentication, participant consistency, destination validation, forward secrecy, backward secrecy (also called future secrecy), causality preservation, message unlinkability, message repudiation, participation repudiation, and asynchronicity.<ref name="Unger-2015-p239"/> It does not provide anonymity preservation, and it requires servers for relaying messages and storing public key material.<ref name="Unger-2015-p239">{{harvnb|Unger|Dechand|Bonneau|Fahl|2015|p=239}}</ref>