# Status Secure Transport Specification > Version: 0.2 > > Status: Stable > > Authors: Andrea Piana , Pedro Pombeiro , Corey Petty , Oskar Thorén , Dean Eigenmann X3DH works by having client apps create and make available a bundle of prekeys (the X3DH bundle) that can later be requested by other interlocutors when they wish to start a conversation with a given user. In the X3DH specification, a shared server is typically used to store bundles and allow other users to download them upon request. Given Status' goal of decentralization, Status chat clients cannot rely on the same type of infrastructure and must achieve the same result using other means. By growing order of convenience and security, the considered approaches are: - contact codes; - public and one-to-one chats; - QR codes; - ENS record; - Decentralized permanent storage (e.g. Swarm, IPFS). - Whisper Currently only public and one-to-one message exchanges and Whisper is used to exchange bundles. Since bundles stored in QR codes or ENS records cannot be updated to delete already used keys, the approach taken is to rotate more frequently the bundle (once every 24 hours), which will be propagated by the app through the channel available. ### 1:1 chat contact request There are two phases in the initial negotiation of a 1:1 chat: 1. **Identity verification** (e.g., face-to-face contact exchange through QR code, Identicon matching). A QR code serves two purposes simultaneously - identity verification and initial bundle retrieval; 1. **Asynchronous initial key exchange**, using X3DH. For more information on account generation and trust establishment, see [Status Account Specification](status-account-spec.md) #### Initial key exchange flow (X3DH) The initial key exchange flow is described in [section 3 of the X3DH protocol](https://signal.org/docs/specifications/x3dh/#sending-the-initial-message), with some additional context: - The users' identity keys `IK_A` and `IK_B` correspond to their respective Status chat public keys; - Since it is not possible to guarantee that a prekey will be used only once in a decentralized world, the one-time prekey `OPK_B` is not used in this scenario; - Bundles are not sent to a centralized server, but instead served in a decentralized way as described in [bundle retrieval](#bundle-retrieval). Bob's prekey bundle is retrieved by Alice, however it is not specific to Alice. It contains: ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L12)) ``` protobuf // X3DH prekey bundle message Bundle { bytes identity = 1; map signed_pre_keys = 2; bytes signature = 4; int64 timestamp = 5; } ``` - `identity`: Identity key `IK_B` - `signed_pre_keys`: Signed prekey `SPK_B` for each device, indexed by `installation-id` - `signature`: Prekey signature Sig(`IK_B`, Encode(`SPK_B`)) - `timestamp`: When the bundle was created locally ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L5)) ``` protobuf message SignedPreKey { bytes signed_pre_key = 1; uint32 version = 2; } ``` The `signature` is generated by sorting `installation-id` in lexicographical order, and concatenating the `signed-pre-key` and `version`: `installation-id-1signed-pre-key1version1installation-id2signed-pre-key2-version-2` #### Double Ratchet Having established the initial shared secret `SK` through X3DH, we can use it to seed a Double Ratchet exchange between Alice and Bob. Please refer to the [Double Ratchet spec](https://signal.org/docs/specifications/doubleratchet/) for more details. The initial message sent by Alice to Bob is sent as a top-level `ProtocolMessage` ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L65)) containing a map of `DirectMessageProtocol` indexed by `installation-id` ([protobuf](https://github.com/status-im/status-go/blob/1ac9dd974415c3f6dee95145b6644aeadf02f02c/services/shhext/chat/encryption.proto#L56)): ``` protobuf message ProtocolMessage { string installation_id = 2; repeated Bundle bundles = 3; // One to one message, encrypted, indexed by installation_id map direct_message = 101; // Public chats, not encrypted bytes public_message = 102; } ``` - `bundles`: a sequence of bundles - `installation_id`: the installation id of the sender - `direct_message` is a map of `DirectMessageProtocol` indexed by `installation-id` - `public_message`: unencrypted public chat message. ``` protobuf message DirectMessageProtocol { X3DHHeader X3DH_header = 1; DRHeader DR_header = 2; DHHeader DH_header = 101; // Encrypted payload bytes payload = 3; } ``` - `X3DH_header`: the `X3DHHeader` field in `DirectMessageProtocol` contains: ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L47)) ``` protobuf message X3DHHeader { bytes key = 1; bytes id = 4; } ``` - `key`: Alice's ephemeral key `EK_A`; - `id`: Identifier stating which of Bob's prekeys Alice used, in this case Bob's bundle signed prekey. Alice's identity key `IK_A` is sent at the transport layer level (Whisper); - `DR_header`: Double ratchet header ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L31)). Used when Bob's public bundle is available: ``` protobuf message DRHeader { bytes key = 1; uint32 n = 2; uint32 pn = 3; bytes id = 4; } ``` - `key`: Alice's current ratchet public key (as mentioned in [DR spec section 2.2](https://signal.org/docs/specifications/doubleratchet/#symmetric-key-ratchet)); - `n`: number of the message in the sending chain; - `pn`: length of the previous sending chain; - `id`: Bob's bundle ID. - `DH_header`: Diffie-Helman header (used when Bob's bundle is not available): ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L42)) ``` protobuf message DHHeader { bytes key = 1; } ``` - `key`: Alice's compressed ephemeral public key. - `payload`: - if a bundle is available, contains payload encrypted with the Double Ratchet algorithm; - otherwise, payload encrypted with output key of DH exchange (no Perfect Forward Secrecy). ## Security Considerations The same considerations apply as in [section 4 of the X3DH spec](https://signal.org/docs/specifications/x3dh/#security-considerations) and [section 6 of the Double Ratchet spec](https://signal.org/docs/specifications/doubleratchet/#security-considerations), with some additions detailed below.