--- permalink: /spec/5 parent: Stable specs title: 5/SECURE-TRANSPORT --- # Status Secure Transport Specification > Version: 0.2 > > Status: Stable > > Authors: Andrea Piana , Pedro Pombeiro , Corey Petty , Oskar Thorén , Dean Eigenmann X3DH works by having client apps create and make available a bundle of prekeys (the X3DH bundle) that can later be requested by other interlocutors when they wish to start a conversation with a given user. In the X3DH specification, a shared server is typically used to store bundles and allow other users to download them upon request. Given Status' goal of decentralization, Status chat clients cannot rely on the same type of infrastructure and must achieve the same result using other means. By growing order of convenience and security, the considered approaches are: - contact codes; - public and one-to-one chats; - QR codes; - ENS record; - Decentralized permanent storage (e.g. Swarm, IPFS). - Whisper Currently only public and one-to-one message exchanges and Whisper is used to exchange bundles. Since bundles stored in QR codes or ENS records cannot be updated to delete already used keys, the approach taken is to rotate more frequently the bundle (once every 24 hours), which will be propagated by the app through the channel available. ### 1:1 chat contact request There are two phases in the initial negotiation of a 1:1 chat: 1. **Identity verification** (e.g., face-to-face contact exchange through QR code, Identicon matching). A QR code serves two purposes simultaneously - identity verification and initial bundle retrieval; 1. **Asynchronous initial key exchange**, using X3DH. For more information on account generation and trust establishment, see [Status Account Specification](status-account-spec.md) #### Initial key exchange flow (X3DH) The initial key exchange flow is described in [section 3 of the X3DH protocol](https://signal.org/docs/specifications/x3dh/#sending-the-initial-message), with some additional context: - The users' identity keys `IK_A` and `IK_B` correspond to their respective Status chat public keys; - Since it is not possible to guarantee that a prekey will be used only once in a decentralized world, the one-time prekey `OPK_B` is not used in this scenario; - Bundles are not sent to a centralized server, but instead served in a decentralized way as described in [bundle retrieval](#bundle-retrieval). Bob's prekey bundle is retrieved by Alice, however it is not specific to Alice. It contains: ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L12)) ``` protobuf // X3DH prekey bundle message Bundle { bytes identity = 1; map signed_pre_keys = 2; bytes signature = 4; int64 timestamp = 5; } ``` - `identity`: Identity key `IK_B` - `signed_pre_keys`: Signed prekey `SPK_B` for each device, indexed by `installation-id` - `signature`: Prekey signature Sig(`IK_B`, Encode(`SPK_B`)) - `timestamp`: When the bundle was created locally ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L5)) ``` protobuf message SignedPreKey { bytes signed_pre_key = 1; uint32 version = 2; } ``` The `signature` is generated by sorting `installation-id` in lexicographical order, and concatenating the `signed-pre-key` and `version`: `installation-id-1signed-pre-key1version1installation-id2signed-pre-key2-version-2` #### Double Ratchet Having established the initial shared secret `SK` through X3DH, we can use it to seed a Double Ratchet exchange between Alice and Bob. Please refer to the [Double Ratchet spec](https://signal.org/docs/specifications/doubleratchet/) for more details. The initial message sent by Alice to Bob is sent as a top-level `ProtocolMessage` ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L65)) containing a map of `DirectMessageProtocol` indexed by `installation-id` ([protobuf](https://github.com/status-im/status-go/blob/1ac9dd974415c3f6dee95145b6644aeadf02f02c/services/shhext/chat/encryption.proto#L56)): ``` protobuf message ProtocolMessage { string installation_id = 2; repeated Bundle bundles = 3; // One to one message, encrypted, indexed by installation_id map direct_message = 101; // Public chats, not encrypted bytes public_message = 102; } ``` - `bundles`: a sequence of bundles - `installation_id`: the installation id of the sender - `direct_message` is a map of `DirectMessageProtocol` indexed by `installation-id` - `public_message`: unencrypted public chat message. ``` protobuf message DirectMessageProtocol { X3DHHeader X3DH_header = 1; DRHeader DR_header = 2; DHHeader DH_header = 101; // Encrypted payload bytes payload = 3; } ``` - `X3DH_header`: the `X3DHHeader` field in `DirectMessageProtocol` contains: ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L47)) ``` protobuf message X3DHHeader { bytes key = 1; bytes id = 4; } ``` - `key`: Alice's ephemeral key `EK_A`; - `id`: Identifier stating which of Bob's prekeys Alice used, in this case Bob's bundle signed prekey. Alice's identity key `IK_A` is sent at the transport layer level (Whisper); - `DR_header`: Double ratchet header ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L31)). Used when Bob's public bundle is available: ``` protobuf message DRHeader { bytes key = 1; uint32 n = 2; uint32 pn = 3; bytes id = 4; } ``` - `key`: Alice's current ratchet public key (as mentioned in [DR spec section 2.2](https://signal.org/docs/specifications/doubleratchet/#symmetric-key-ratchet)); - `n`: number of the message in the sending chain; - `pn`: length of the previous sending chain; - `id`: Bob's bundle ID. - `DH_header`: Diffie-Helman header (used when Bob's bundle is not available): ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L42)) ``` protobuf message DHHeader { bytes key = 1; } ``` - `key`: Alice's compressed ephemeral public key. - `payload`: - if a bundle is available, contains payload encrypted with the Double Ratchet algorithm; - otherwise, payload encrypted with output key of DH exchange (no Perfect Forward Secrecy). ## Security Considerations The same considerations apply as in [section 4 of the X3DH spec](https://signal.org/docs/specifications/x3dh/#security-considerations) and [section 6 of the Double Ratchet spec](https://signal.org/docs/specifications/doubleratchet/#security-considerations), with some additions detailed below. ## Session management A peer is identified by two pieces of data: 1) An `installation-id` which is generated upon creating a new account in the `Status` application 2) Their identity whisper key ### Initialization A new session is initialized once a successful X3DH exchange has taken place. Subsequent messages will use the established session until re-keying is necessary. ### Concurrent sessions If two sessions are created concurrently between two peers the one with the symmetric key first in byte order SHOULD be used, this marks that the other has expired. ### Re-keying On receiving a bundle from a given peer with a higher version, the old bundle SHOULD be marked as expired and a new session SHOULD be established on the next message sent. ### Multi-device support Multi-device support is quite challenging as we don't have a central place where information on which and how many devices (identified by their respective `installation-id`) belongs to a whisper-identity. Furthermore we always need to take account recovery in consideration, where the whole device is wiped clean and all the information about any previous sessions is lost. Taking these considerations into account, the way multi-device information is propagated through the network is through x3dh bundles, which will contain information about paired devices as well as information about the sending device. This mean that every time a new device is paired, the bundle needs to be updated and propagated with the new information, and the burden is put on the user to make sure the pairing is successful. The method is loosely based on https://signal.org/docs/specifications/sesame/ . ### Pairing When a user adds a new account in the `Status` application, a new `installation-id` will be generated. The device should be paired as soon as possible if other devices are present. Once paired the contacts will be notified of the new device and it will be included in further communications. Any time a bundle from your `IK` but different `installation-id` is received, the device will be shown to the user and will have to be manually approved, to a maximum of 3. Once that is done any message sent by one device will also be sent to any other enabled device. Once a new device is enabled, a new bundle will be generated which will include pairing information. The bundle will be propagated to contacts through the usual channels. Removal of paired devices is a manual step that needs to be applied on each device, and consist simply in disabling the device, at which point pairing information will not be propagated anymore. ### Sending messages to a paired group When sending a message, the peer will send a message to other `installation-id` that they have seen. The number of devices is capped to 3, ordered by last activity. Messages are sent using pairwise encryption, including their own devices. ### Account recovery Account recovery is no different from adding a new device, and it is handled in exactly the same way. ### Partitioned devices In some cases (i.e. account recovery when no other pairing device is available, device not paired), it is possible that a device will receive a message that is not targeted to its own `installation-id`. In this case an empty message containing bundle information is sent back, which will notify the receiving end of including this device in any further communication.