From 494d0a74bbd20bc82a95d1bdebc696fb4f9d2b26 Mon Sep 17 00:00:00 2001 From: Andrea Maria Piana Date: Tue, 10 Sep 2019 13:32:24 +0200 Subject: [PATCH] Update secure transport --- status-account-spec.md | 11 ++++------ status-secure-transport-spec.md | 13 +++++------- status-session-management-spec.md | 35 +++++-------------------------- 3 files changed, 14 insertions(+), 45 deletions(-) diff --git a/status-account-spec.md b/status-account-spec.md index f471b7d..be4f149 100644 --- a/status-account-spec.md +++ b/status-account-spec.md @@ -89,8 +89,8 @@ not do this. ### X3DH Prekey bundles - A client SHOULD regenerate a new X3DH prekey bundle every 24 hours. This MAY be done in a lazy way, such that a client that does not come online past this time period does not regenerate or broadcast bundles. -- The current bundle MUST be broadcast on a whisper topic specific to his Identity Key, `{IK}-contact-code`, intermittently. This MAY be done every 6 hours. -- A bundle MUST accompany every message sent. +- The current bundle SHOULD be broadcast on a whisper topic specific to his Identity Key, `{IK}-contact-code`, intermittently. This MAY be done every 6 hours. +- A bundle SHOULD accompany every message sent. - TODO: retreival of long-time offline users bundle via `{IK}-contact-code` ## Optional Account additions @@ -131,7 +131,7 @@ not do this. - is not a public key #### Private 1:1 messages -This can be done in a the following ways: +This can be done in the following ways: 1. scanning a user generated QR code 1. discovery through the Status app 1. asyncronous X3DH key exchange @@ -156,10 +156,7 @@ This can be done in a the following ways: - include BundleContainer??? - a new bundle SHOULD be created at least every 12 hours - a bundle is only generated when it is used -- a bundle MUST be distributed on the contact code channel (NOTE: define this where?) - -#### QR code -- A generated QR code should include a X3DH bundle set along with the contact code but I can't find the code to do so. +- a bundle SHOULD be distributed on the contact code channel. This is the whisper topic `{IK}-contact-code`, where `IK` is the hex encoded public key of the user, prefixed with `0x`. The channel is encrypted in the same way public chats are encrypted. ### Contact Verification Once you have the information of a contact, the following can be used to verify that the key material is as it should be. diff --git a/status-secure-transport-spec.md b/status-secure-transport-spec.md index 0cde88d..a9e689a 100644 --- a/status-secure-transport-spec.md +++ b/status-secure-transport-spec.md @@ -46,9 +46,9 @@ In this document we describe how a secure channel is established, and how variou - **Confidentiality**: The adversary should not be able to learn what data is being exchanged between two Status clients. - **Authenticity**: The adversary should not be able to cause either endpoint of a Status 1:1 chat to accept data from any third party as though it came from the other endpoint. - **Forward Secrecy**: The adversary should not be able to learn what data was exchanged between two Status clients if, at some later time, the adversary compromises one or both of the endpoint devices. +- **Integrity**: The adversary should not be able to modify the data. - - +All of these properties are ensured by the use of [Signal's Double Ratchet](https://signal.org/docs/specifications/doubleratchet/) ### Conventions @@ -106,9 +106,7 @@ Every client initially generates some key material which is stored locally: More details can be found in the `X3DH Prekey bundle creation` section of [Account specification](./status-account-spec.md#x3dh-prekey-bundle-creation). -A `contact-code` is a protobuf `Bundle` message, encoded in `JSON` and converted to their `base64` string representation. - -Prekey bundles are can be extracted from any user's messages, or found via searching for their specific contact code topic, `{IK}-contact-code`. +Prekey bundles can be extracted from any user's messages, or found via searching for their specific topic, `{IK}-contact-code`. TODO: See below on bundle retrieval, this seems like enhancement and parameter for recommendation @@ -127,6 +125,8 @@ In the X3DH specification, a shared server is typically used to store bundles an +Currently only public and one-to-one message exchanges and Whisper is used to exchange bundles. + Since bundles stored in QR codes or ENS records cannot be updated to delete already used keys, the approach taken is to rotate more frequently the bundle (once every 24 hours), which will be propagated by the app through the channel available. ### 1:1 chat contact request @@ -190,8 +190,6 @@ The initial message sent by Alice to Bob is sent as a top-level `ProtocolMessage ``` protobuf message ProtocolMessage { - Bundle bundle = 1; - string installation_id = 2; repeated Bundle bundles = 3; @@ -205,7 +203,6 @@ message ProtocolMessage { } ``` -- `bundle`: optional bundle is exchanged with each message, deprecated; - `bundles`: a sequence of bundles - `installation_id`: the installation id of the sender - `direct_message` is a map of `DirectMessageProtocol` indexed by `installation-id` diff --git a/status-session-management-spec.md b/status-session-management-spec.md index a9af205..40f36b1 100644 --- a/status-session-management-spec.md +++ b/status-session-management-spec.md @@ -39,11 +39,11 @@ A new session is initialized once a successful X3DH exchange has taken place. Su ## Concurrent sessions -If two sessions are created concurrently between two peers the one with the symmetric key, first in byte order should be used this marks that the other has expired. +If two sessions are created concurrently between two peers the one with the symmetric key first in byte order SHOULD be used, this marks that the other has expired. ## Re-keying -On receiving a bundle from a given peer with a higher version, the old bundle should be marked as expired and a new session should be established on the next message sent. +On receiving a bundle from a given peer with a higher version, the old bundle SHOULD be marked as expired and a new session SHOULD be established on the next message sent. ## Multi-device support @@ -51,7 +51,7 @@ Multi-device support is quite challenging as we don't have a central place where Furthermore we always need to take account recovery in consideration, where the whole device is wiped clean and all the information about any previous sessions is lost. -Taking these considerations into account, the way multi-device information is propagated through the network is through bundles/contact codes, which will contain information about paired devices as well as information about the sending device. +Taking these considerations into account, the way multi-device information is propagated through the network is through x3dh bundles, which will contain information about paired devices as well as information about the sending device. This mean that every time a new device is paired, the bundle needs to be updated and propagated with the new information, and the burden is put on the user to make sure the pairing is successful. @@ -59,6 +59,7 @@ The method is loosely based on https://signal.org/docs/specifications/sesame/ . + ## Pairing @@ -66,7 +67,7 @@ When a user adds a new account in the `Status` application, a new `installation- Any time a bundle from your `IK` but different `installation-id` is received, the device will be shown to the user and will have to be manually approved, to a maximum of 3. Once that is done any message sent by one device will also be sent to any other enabled device. -Once a new device is enabled, a new contact-code/bundle will be generated which will include pairing information. +Once a new device is enabled, a new bundle will be generated which will include pairing information. The bundle will be propagated to contacts through the usual channels. @@ -90,29 +91,3 @@ In this case an empty message containing bundle information is sent back, which ## Trust establishment Trust establishment deals with users verifying they are communicating with who they think they are. - - - -### Contact request - -Once two accounts have been generated (Alice and Bob), Alice can send a contact request with an introductory message to Bob. - -There are two possible scenarios, which dictate the presence or absence of a prekey bundle: -1. If Alice is using Bob's public chat key or ENS name, no prekey bundle is present; -1. If Alice found Bob through the app or scanned Bob's QR code, a prekey bundle is embedded and can be used to set up a secure channel as described in the [Initial key exchange flow X3DH](#initial-key-exchange-flow-X3DH) section. - -Bob receives a contact request, informing him of: -- Alice's introductory message. - -If Bob's prekey bundle was not available to Alice, Perfect Forward Secrecy hasn't yet been established. In any case, there are no implicit guarantees that Alice is whom she claims to be, and Bob should perform some form of external verification (e.g., using an Identicon). - -If Bob accepts the contact request, a secure channel is created (if it wasn't already), and a visual indicator is displayed to signify that PFS has been established. Bob and Alice can then start exchanging messages, making use of the Double Ratchet algorithm as explained in more detail in [Double Ratchet](#double-ratchet) section. -If Bob denies the request, Alice is not able to send messages and the only action available is resending the contact request. - -## Expired session - -Expired session should not be used for new messages and should be deleted after 14 days from the expiration date, in order to be able to decrypt out-of-order and mailserver messages. - -## Stale devices - -When a bundle is received from `IK` a timer is initiated on any `installation-id` belonging to `IK` not included in the bundle. If after 7 days no bundles are received from these devices they are marked as `stale` and no message will be sent to them.