# [[Signal]] Protocol

## See Also

- [[Double Ratchet]]
- [[X3DH]]
- [[Ed25519]]
- ["The XEdDSA and VXEdDSA Signature Schemes"](https://signal.org/docs/specifications/xeddsa/)

### Integrated Services

- [[WhatsApp]]
- [[Google]] ([[Allo]])
- [[Facebook]] (Messenger)
- [[Skype]]

## [[Wikipedia]]

https://www.wikiwand.com/en/Signal_Protocol

### Properties

Definitions of these properties are pulled from [[SoK - Secure Messaging (2015)]]:

- **Confidentiality**: Only the intended recipients are able to read a message. Specifically, the message must not be readable by a server operator that is not a conversation participant.
- **Integrity**: No honest party will accept a message that has been modified in transit.
- **Authentication**: Each participant in the conversation receives proof of possession of a known long-term secret from all other participants that they believe to be participating in the conversation. In addition, each participant is able to verify that a message was sent from the claimed source.
- **Participant Consistency**: At any point when a message is accepted by an honest party, all honest parties are guaranteed to have the same view of the participant list.
- **Destination Validation**: When a message is accepted by an honest party, they can verify that they were included in the set of intended recipients for the message.
- **Forward Secrecy**: Compromising all key material does not enable decryption of previously encrypted data.
- **Backward Secrecy (post-compromise secrecy, future secrecy)**: Compromising all key material does not enable decryption of succeeding encrypted data. This property is also often called future secrecy. The terms are controversial and vague in the literature.
- **Causality Preserving**: Implementations can avoid displaying a message before messages that causally precede it.
- **Message Unlinkability**: If a judge is convinced that a participant authored one message in the conversation, this does not provide evidence that they authored other messages.
- **Message Repudiation**: Given a conversation transcript and all cryptographic keys, there is no evidence that a given message was authored by any particular user. We assume that the accuser has access to the session keys because it is trivial to deny writing a plaintext message when the accuser cannot demonstrate that the ciphertext corresponds to this plaintext. We also assume that the accuser does not have access to the accused participant's long-term secret keys because then it is simple for the accuser to forge the transcript (and thus any messages are repudiable).
- **Participation Repudiation**: Given a conversation transcript and all cryptographic key material for all but one accused participant, there is no evidence that the honest participant was in a conversation with any of the other participants.
- **Asynchronous**:
    - Trust establishment can occur asynchronously without all conversation participants online.
    - Messages can be sent securely to disconnected recipients and received upon their next connection.
    - Messages sent to recipients who are offline will be delivered when the recipient reconnects, even if the sender has since disconnected.

*It does not provide anonymity preservation and requires servers for the relaying of messages and storing of public key material.[18]*

*The Signal Protocol also supports end-to-end encrypted group chats.
The group chat protocol is a combination of a pairwise double ratchet and multicast encryption.[18] In addition to the properties provided by the one-to-one protocol, the group chat protocol provides speaker consistency, out-of-order resilience, dropped message resilience, computational equality, trust equality, subgroup messaging, as well as contractible and expandable membership.[18]*

### Authentication

For authentication, users can manually compare public key fingerprints through an outside channel.[19] This makes it possible for users to verify each other's identities and avoid a man-in-the-middle attack.[19] An implementation can also choose to employ a trust-on-first-use mechanism in order to notify users if a correspondent's key changes.[19] Trust on first use only detects a change after the first contact; an attacker who substitutes a key during the very first exchange is caught only by the out-of-band fingerprint comparison.

### Metadata

The Signal Protocol does not prevent a company from retaining information about when and with whom users communicate.[20][21] There can therefore be differences in how messaging service providers choose to handle this information.
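The Properties list and the Authentication section above describe behaviour that is easier to see in code. The following Python is an added illustration, not code from Signal, libsignal or the cited papers. It models two things: trust-on-first-use pinning of identity keys with an out-of-band fingerprint comparison, and a simplified KDF chain with fresh-secret ratchet steps that shows why forward secrecy holds as soon as the chain key advances, while backward (post-compromise) secrecy only returns once new secret material is mixed in. Assumptions: the fingerprint format (SHA-256, 60 digits in groups of five) is invented here and is not Signal's safety-number format; random bytes stand in for the DH ratchet output; the chain omits the root key and the receiving side of the real Double Ratchet; all keys and identifiers are constructed sample data.

```python
"""Added illustration (not Signal's or libsignal's code): TOFU identity-key
pinning with fingerprint comparison, and a KDF chain showing forward and
post-compromise secrecy. Assumed simplifications are noted inline."""

import hashlib
import hmac
import os


# ---- Authentication: fingerprints and trust on first use ------------------

def fingerprint(identifier: str, public_key: bytes) -> str:
    """Fingerprint bound to the key AND the claimed owner, so a code that is
    valid for one contact cannot be reused to vouch for another.
    Assumed format: first 60 decimal digits of SHA-256, in groups of five
    (this is NOT Signal's safety-number algorithm)."""
    digest = hashlib.sha256(identifier.encode() + b"\x00" + public_key).digest()
    digits = str(int.from_bytes(digest, "big")).zfill(78)[:60]
    return " ".join(digits[i:i + 5] for i in range(0, 60, 5))


class TOFUStore:
    """Pins the first identity key seen for each identifier. A later, different
    key is reported as 'changed' rather than accepted silently: the client
    must warn or block until the user re-verifies out of band."""

    def __init__(self):
        self._pinned = {}

    def check(self, identifier: str, public_key: bytes) -> str:
        known = self._pinned.get(identifier)
        if known is None:
            self._pinned[identifier] = public_key
            return "new"        # trusted on first use, still unverified
        if hmac.compare_digest(known, public_key):
            return "ok"
        return "changed"        # reinstall, new device, or a man in the middle

    def verify_out_of_band(self, identifier: str, spoken: str) -> bool:
        """Compare the pinned key's fingerprint with the one the peer read
        aloud or showed as a code. Only this step catches an attacker who was
        already present at first contact; TOFU alone cannot."""
        return hmac.compare_digest(fingerprint(identifier, self._pinned[identifier]), spoken)


def demonstrate_tofu() -> list:
    store = TOFUStore()
    bob_key = os.urandom(32)        # constructed stand-in for Bob's identity key
    mallory_key = os.urandom(32)    # constructed stand-in for an attacker's key
    results = [store.check("bob", bob_key), store.check("bob", bob_key)]
    results.append(store.verify_out_of_band("bob", fingerprint("bob", bob_key)))
    # Same key bytes under another identifier give a different fingerprint.
    results.append(fingerprint("bob", bob_key) == fingerprint("mallory", bob_key))
    results.append(store.check("bob", mallory_key))   # key swap is flagged
    return results


# ---- Properties: forward and post-compromise secrecy in a KDF chain -------

def kdf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class SendingChain:
    """Symmetric-key ratchet: each message key is derived from the chain key,
    then the chain key is replaced by a one-way function of itself. Stealing
    the chain key later does not let an attacker walk it backwards, which is
    the forward-secrecy property (it rests on kdf being one-way)."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        message_key = kdf(self.chain_key, b"\x01")
        self.chain_key = kdf(self.chain_key, b"\x02")
        return message_key

    def ratchet_step(self, fresh_shared_secret: bytes) -> None:
        """Mix in new secret material (in Signal, a DH output from freshly
        generated ephemeral keys). Assumed simplification of the root-key
        step; this is what restores secrecy after a compromise."""
        self.chain_key = kdf(self.chain_key, fresh_shared_secret)


def demonstrate_properties() -> dict:
    alice = SendingChain(os.urandom(32))
    alice.next_message_key()                 # k1, k2: sent before the compromise
    alice.next_message_key()
    stolen = alice.chain_key                 # device compromise happens here
    k3 = alice.next_message_key()
    attacker = SendingChain(stolen)
    a3 = attacker.next_message_key()
    alice.ratchet_step(os.urandom(32))       # constructed stand-in for a DH output
    k4 = alice.next_message_key()
    a4 = attacker.next_message_key()
    return {
        "next_key_exposed": a3 == k3,        # compromise reaches forward...
        "fresh_secret_heals": a4 != k4,      # ...until new material is mixed in
    }
```

The two results a practitioner should take from this: `check` returning `"changed"` is a state the client must surface, never auto-accept, and the attacker's derived key still matches Alice's until a ratchet step with material the attacker never saw, which is exactly the gap between forward secrecy and post-compromise secrecy in the definitions above.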
Signal's privacy policy states that recipients' identifiers are only kept on the Signal servers as long as necessary in order to transmit each message.[22] In June 2016, Moxie Marlinspike told The Intercept: "the closest piece of information to metadata that the Signal server stores is the last time each user connected to the server, and the precision of this information is reduced to the day, rather than the hour, minute, and second."[21]

In October 2018, Signal Messenger announced that they had implemented a "sealed sender" feature into Signal, which reduces the amount of metadata that the Signal servers have access to by concealing the sender's identifier.[23][24] The sender's identity is conveyed to the recipient in each message, but is encrypted with a key that the server does not have.[24] This is done automatically if the sender is in the recipient's contacts or has access to their Signal Profile.[24] Users can also enable an option to receive "sealed sender" messages from non-contacts and people who do not have access to their Signal Profile.[24] A contemporaneous wiretap of the user's device and/or the Signal servers may still reveal that the device's IP address accessed a Signal server to send or receive messages at certain times.[23]

### Usage (excerpts)

In November 2014, Open Whisper Systems announced a partnership with WhatsApp to provide end-to-end encryption by incorporating the Signal Protocol into each WhatsApp client platform.[25] Open Whisper Systems said that they had already incorporated the protocol into the latest WhatsApp client for Android and that support for other clients, group/media messages, and key verification would be coming soon after.[26] On April 5, 2016, WhatsApp and Open Whisper Systems announced that they had finished adding end-to-end encryption to "every form of communication" on WhatsApp, and that users could now verify each other's keys.[27][28] In February 2017, WhatsApp announced a new feature, WhatsApp Status, which
uses the Signal Protocol to secure its contents.[29]

In October 2016, WhatsApp's parent company Facebook also deployed an optional mode called Secret Conversations in Facebook Messenger which provides end-to-end encryption using an implementation of the Signal Protocol.[30][31][32][33]

In September 2016, Google launched a new messaging app called Allo, which featured an optional Incognito Mode that used the Signal Protocol for end-to-end encryption.[37][38] In March 2019, Google discontinued Allo in favor of their Messages app on Android.[39][40] In November 2020, Google announced that they would be using the Signal Protocol to provide end-to-end encryption by default to all RCS-based conversations between users of their Messages app, starting with one-to-one conversations.[4][41]

In January 2018, Open Whisper Systems and Microsoft announced the addition of Signal Protocol support to an optional Skype mode called Private Conversations.[42][43]

### Influence

The Signal Protocol has had an influence on other cryptographic protocols. In May 2016, Viber said that their encryption protocol is a custom implementation that "uses the same concepts" as the Signal Protocol.[44][45] Forsta's developers have said that their app uses a custom implementation of the Signal Protocol.[46][47][third-party source needed]

The Double Ratchet algorithm that was introduced as part of the Signal Protocol has also been adopted by other protocols.
OMEMO is an XMPP Extension Protocol (XEP) that was introduced in the Conversations messaging app and approved by the XMPP Standards Foundation (XSF) in December 2016 as XEP-0384.[48][2] [[Matrix]] is an open communications protocol that includes Olm, a library that provides for optional end-to-end encryption on a room-by-room basis via a Double Ratchet algorithm implementation.[2] The developers of Wire have said that their app uses a custom implementation of the Double Ratchet algorithm.[49][50][51] Messaging Layer Security, an IETF proposal (since standardized as RFC 9420), uses TreeKEM, a descendant of asynchronous ratcheting trees, to efficiently improve upon the security guarantees of Signal's Double Ratchet for large groups.[52]

## Derived from [OTR Protocol](https://otr.cypherpunks.ca/)