Axolotl (protocol)
Axolotl is a cryptographic key management protocol that was developed by Trevor Perrin with support from Moxie Marlinspike in 2013. It can be used to provide end-to-end encryption for instant messaging. After an initial key exchange it manages the ongoing renewal and maintenance of short-lived session keys. It combines a cryptographic ratchet based on the Diffie–Hellman key exchange (DH) with a ratchet based on a key derivation function (KDF), such as a hash function, and is therefore called a double ratchet.
The name refers to the critically endangered aquatic salamander, the axolotl, which has extraordinary self-healing capabilities. The developers call the protocol self-healing because, after an attacker has compromised a session key, it automatically denies that attacker access to the cleartext of later messages.[1]
Origin
Axolotl was developed by Trevor Perrin with support from Moxie Marlinspike (Open Whisper Systems) and introduced in TextSecure (now Signal) in 2013. The design is based on the DH ratchet that was introduced by Off-the-Record Messaging and combines it with a symmetric-key ratchet modeled after the Silent Circle Instant Messaging Protocol (SCIMP).
Properties
Axolotl features properties that have long been common in end-to-end encryption systems: encryption of content along the entire transport path, authentication of the remote peer, and protection against manipulation of messages. As a hybrid of DH and KDF ratchets, it combines several desired features of both principles. From OTR messaging it takes forward secrecy, the automatic re-establishment of secrecy after a session key has been compromised, forward secrecy even when the persistent main secret key is compromised, and plausible deniability of message authorship. Additionally, secondary KDF ratchets allow session keys to be renewed without interaction with the remote peer. An additional key-derivation step makes it possible to retain session keys for out-of-order messages without endangering the keys that follow.
It is said to detect reordering, deletion and replay of sent messages and to improve the forward secrecy properties compared with OTR messaging.
Combined with a public key infrastructure that holds pregenerated one-time keys, it allows messaging sessions to be initialized without the presence of the remote peer (asynchronous communication). Using triple Diffie–Hellman key exchange (3DH) as the initial key exchange method (e.g. in Signal) improves the deniability properties.
Functioning
A client renews session key material in interaction with the remote peer using the Diffie–Hellman ratchet whenever possible, and otherwise independently using a hash ratchet. Therefore, with every message an Axolotl client advances one of two hash ratchets (one for sending, one for receiving), which are seeded with a common secret from the DH ratchet. At the same time it uses every opportunity to provide the remote peer with a new public DH value, and it advances the DH ratchet whenever a new DH value from the remote peer arrives. As soon as a new common secret is established, a new hash ratchet is initialized.
As cryptographic primitives Axolotl uses
- for the DH ratchet: Elliptic curve Diffie–Hellman (ECDH) with Curve25519,
- for message authentication codes (MAC, authentication): Keyed-Hash Message Authentication Code (HMAC) based on SHA-256,
- for symmetric encryption: the Advanced Encryption Standard (AES), partially in Cipher Block Chaining mode (CBC) with padding as per PKCS #5 and partially in Counter mode (CTR) without padding,
- for the hash ratchet: HMAC.[2]
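The following toy Python model, added here as an illustration and not code from the protocol's authors or from Signal, shows the interplay of the two ratchets described in "Functioning" and the retained-key handling for out-of-order messages mentioned under "Properties". It assumes a small finite-field DH group as a stand-in for Curve25519, HMAC-SHA256 for both KDFs, and leaves out the AES encryption of the message body with the derived message key.

```python
import hashlib, hmac, secrets
# Toy finite-field Diffie-Hellman stands in for Curve25519 (constructed; not a secure group choice).
P, G = 2**127 - 1, 3
def dh_pub(priv): return pow(G, priv, P)
def dh(priv, pub): return pow(pub, priv, P).to_bytes(16, "big")   # real Axolotl: X25519 output
def kdf(key, data): return hmac.new(key, data, hashlib.sha256).digest()
def kdf_rk(root_key, dh_out):
    # DH ratchet: mix a fresh DH output into the root key -> new root key plus a new chain key.
    tmp = kdf(root_key, dh_out)
    return kdf(tmp, b"root"), kdf(tmp, b"chain")
def kdf_ck(chain_key):
    # Hash ratchet: one-way step to the next chain key plus one message key (used once, then deleted).
    return kdf(chain_key, b"\x02"), kdf(chain_key, b"\x01")

class Party:
    def __init__(self, root_key, priv, remote_pub=None):
        self.rk, self.priv, self.remote_pub = root_key, priv, remote_pub
        self.send_ck = self.recv_ck = None
        self.ns = self.nr = 0    # message index in the current sending / receiving chain
        self.skipped = {}        # (remote_pub, n) -> message key, retained for late messages
        if remote_pub is not None:   # the initiator seeds its first sending chain right away
            self.rk, self.send_ck = kdf_rk(self.rk, dh(self.priv, remote_pub))

    def send(self):   # advance the sending hash ratchet; return (header, message key)
        self.send_ck, mk = kdf_ck(self.send_ck)
        header, self.ns = (dh_pub(self.priv), self.ns), self.ns + 1
        return header, mk

    def receive(self, header):
        remote_pub, n = header
        if (remote_pub, n) in self.skipped:   # late message: consume the retained key
            return self.skipped.pop((remote_pub, n))
        if remote_pub != self.remote_pub:     # new DH value from the peer: advance the DH ratchet
            self.remote_pub, self.nr, self.ns = remote_pub, 0, 0
            self.rk, self.recv_ck = kdf_rk(self.rk, dh(self.priv, remote_pub))
            self.priv = secrets.randbelow(P - 2) + 1   # fresh DH key for our next sending chain
            self.rk, self.send_ck = kdf_rk(self.rk, dh(self.priv, remote_pub))
        while self.nr <= n:                   # derive keys up to n, retaining those not yet used
            self.recv_ck, mk = kdf_ck(self.recv_ck)
            self.skipped[(remote_pub, self.nr)] = mk
            self.nr += 1
        return self.skipped.pop((remote_pub, n))   # KeyError here means a replayed message

def demo():   # constructed run: Alice sends three messages (third delivered first), Bob replies
    shared, bob_priv = b"root key agreed via 3DH (constructed)", secrets.randbelow(P - 2) + 1
    alice, bob = Party(shared, secrets.randbelow(P - 2) + 1, dh_pub(bob_priv)), Party(shared, bob_priv)
    m1, m2, m3 = alice.send(), alice.send(), alice.send()
    k3, k1, k2 = bob.receive(m3[0]), bob.receive(m1[0]), bob.receive(m2[0])
    reply = bob.send()                        # its header carries Bob's new DH public value
    return (k1, k2, k3) == (m1[1], m2[1], m3[1]) and alice.receive(reply[0]) == reply[1]
```

Bob's reply triggers a DH ratchet step on Alice's side, so every chain key derived before that step is useless for the keys that come after it; the real protocol additionally carries the previous chain's length in the header so late messages from an old chain can still be keyed.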
Usage
Axolotl is used by hundreds of thousands of Signal users. In the last quarter of 2013, Axolotl was integrated into the Android-based open-source operating system CyanogenMod, which had over 10 million users at that time.[3][4][5] In November 2013, Axolotl was integrated into an experimental asynchronous messaging system called Pond.[6] In September 2014, Axolotl's integration into WhatsApp made newspaper headlines. Through a cooperation with Open Whisper Systems, Axolotl has been used in the Android version of WhatsApp since version 2.11.448.[7]
In the summer of 2015, an XMPP extension named OMEMO was developed as a Google Summer of Code project. OMEMO integrates the Axolotl ratchet. It was introduced in an instant messaging app called Conversations and submitted to the XMPP Standards Foundation (XSF) in the autumn of 2015.[8][9]
In September 2015, G Data launched a new messaging app called Secure Chat which uses Axolotl.[10] On September 28, 2015, Silent Circle replaced their own SCIMP protocol with Axolotl when they merged their Silent Text app into their Silent Phone app.[11]
Literature
- Nik Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Avrum Goldberg, Matthew Smith (2015). "SoK: Secure Messaging" (PDF). Proceedings of the 2015 IEEE Symposium on Security and Privacy (IEEE Computer Society's Technical Committee on Security and Privacy): 232–249.
References
- Marlinspike, Moxie (26 November 2013). "Advanced cryptographic ratcheting". whispersystems.org. Open Whisper Systems. Retrieved 16 January 2016.
The OTR style ratchet has the nice property of being 'self healing.'
- Frosch, Tilman; Mainka, Christian; Bader, Christoph; Bergsma, Florian; Schwenk, Jörg; Holz, Thorsten. "How Secure is TextSecure?" (PDF). Horst Görtz Institute for IT Security, Ruhr University Bochum. Retrieved 16 January 2016.
- Greenberg, Andy (9 December 2013). "Ten Million More Android Users' Text Messages Will Soon Be Encrypted By Default". Forbes. Retrieved 16 January 2016.
- Schoen, Seth (28 December 2013). "2013 in Review: Encrypting the Web Takes A Huge Leap Forward". Electronic Frontier Foundation. Retrieved 16 January 2016.
- Marlinspike, Moxie (9 December 2013). "TextSecure, Now With 10 Million More Users". Open Whisper Systems. Retrieved 16 January 2016.
- Langley, Adam (9 November 2013). "Wire in new ratchet system". GitHub (GitHub contribution). Retrieved 16 January 2016.
- Schartel, Christian (19 November 2014). "WhatsApp für Android: nach Update mit Verschlüsselung". CNET (in German). Retrieved 16 January 2016.
- Straub, Andreas (25 October 2015). "OMEMO Encryption". XMPP Standards Foundation website. Retrieved 16 January 2016.
- Gultsch, Daniel (2 September 2015). "OMEMO Encrypted Jingle File Transfer". XMPP Standards Foundation website. Retrieved 16 January 2016.
- Seals, Tara (17 September 2015). "G DATA Adds Encryption for Secure Mobile Chat". Infosecurity Magazine. Reed Exhibitions Ltd. Retrieved 16 January 2016.
- "What is Silent Phone?". Support.silentcircle.com. Silent Circle. 17 September 2015. Retrieved 16 January 2016.
External links
- Specification
- "Advanced cryptographic ratcheting", abstract description by Moxie Marlinspike