--- sip: x5 title: Initial Trust Establishment Specification status: Draft type: Standard author: Corey Petty , Oskar Thorén created: 2019-04-18 updated: --- # Trust Establishment Protocol Specification Draft ## Inspiration - https://datprotocol.github.io/how-dat-works/ - **Trust establishment deals with users verifying they are communicating with who they think they are.** ## Terms Glossary | term | description | | ---- | ----------- | | privkey | ECDSA secp256k1 private key | | pubkey | ECDSA secp256k1 public key | | whisper key | pubkey for chat with HD derivation path m/44'/60'/0'/0/0 | ## Initial Trust Establishment Specification ### 1. Contact Discovery #### 1.1 Public channels - Public group channels in Status are a broadcast/subscription system. All public messages are encrypted with a symmetric key drived from the channel name, `K_{pub,sym}`, which is publicly known. - A public group channel's symmetric key MUST creation must follow the [web3 API](https://web3js.readthedocs.io/en/1.0/web3-shh.html#generatesymkeyfrompassword)'s `web3.ssh.generateSymKeyFromPassword` function - In order to post to a public group channel, a client MUST have a valid account created (as per section [Account Creation Specification](./status-account-spec)). - In order to listen to a public group channel, a client must subscribe to the channel name. The sender of a message is derived from the message's signature. - Discovery of channel names is not currently part of the protocol, and is typically done out of band. If a channel name is used that has not been used, it will be created. - A client MUST sign the message otherwise it will be discarded by the recipients. - channel name specification: - matches `[a-z0-9\-]` - is not a public key #### 1.2 Private 1:1 messages This can be done in a the following ways: 1. scanning a user generated QR code 1. discovery through the Status app 1. asyncronous X3DH key exchange 1. public key via public channel listening - `status-react/src/status_im/contact_code/core.cljs` 1. contact codes 2. decentralized storage (not implemented) 3. whisper ### 2. Initial Key Exchange #### Contact Request #### Bundles - An X3DH prekey bundle is defined as ([code(https://github.com/status-im/status-go/messaging/chat/protobuf/encryption.pb.go)]): ``` Identity // Identity key SignedPreKeys // a map of installation id to array of signed prekeys by that installation id Signature // Prekey signature Timestamp // When the bundle was lasted created locally ``` - include BundleContainer??? - a new bundle SHOULD be created at least every 12 hours - a bundle is only generated when it is used - a bundle MUST be distributed on the contact code channel (NOTE: define this where?) #### QR code - A generated QR code should include a X3DH bundle set along with the contact code but I can't find the code to do so. ### 4. Contact Verification Once you have the information of a contact, the following can be used to verify that the key material is as it should be. #### Identicon A low-poly identicon is deterministically generated from the whisper chat public key. This can then be compared out of band to ensure the reciever's public key is the one you have locally. #### 3 word pseudonym / whisper key fingerprint Status generates a deterministic 3-word random pseudonym from the whisper chat public key. This pseudonym acts as a human readable fingerprint to the whisper chat public key. This name also shows when viewing a contact's public profile and in the chat UI. - implementation: [gfycat](https://github.com/status-im/status-react/tree/develop/src/status_im/utils/gfycat) #### ENS name Status offers the ability to register a mapping of a human readable subdomain of `stateofus.eth` to their whisper chat public key. This registration is purchased (currently by staking 10 SNT) and stored on the Ethereum mainnet blockchain for public lookup. ## Security Implications ## General Comments ### Possible Connection Breakdown possible connections - client - client (not really ever, this is facilitated through all other connections) - personal chat - ratcheted with X3DH - private group chat - pairwise ratcheted with X3DH - public chat - client - mailserver (statusd + ???) - a mailserver identifies itself by an [enode address](https://github.com/ethereum/wiki/wiki/enode-url-format) - client - whisper node (statusd) - a node identifies itself by an enode address - client - bootnode (geth) - a bootnode identifies itself by - an enode address - `NOTE: redezvous information here` - client - ENS registry (ethereum blockchain -> default to infura) - client - Ethereum RPC (custom geth RPC API -> default to infura API) - client - IPFS (Status hosted IPFS gateway -> defaults to ???) - we have a status hosted IPFS gateway for pinning but it currently isn't used much. ### Notes A user in the system is a public-private key pair using the Elliptic-Curve Cryptography secp256k1 that Ethereum uses. - A 3-word random name is derived from the public key using the following package - `NOTE: need to find package` - This provides an associated human-readble fingerprint to the user's public key - A user can optionally add additional layers on top of this keypair - Chosen username - ENS username All messages sent are encrypted with the public key of the destination and signed by the private key of the given user using the following scheme: - private chat - X3DH is used to define shared secrets which is then double ratcheted - private group chat - considered pairwise private chats - public group chat - the message is encrypted with a symmetric key derived from the chat name