Daniel Gultsch

December 8th 2016 @ XMPP Security Meetup London

Crypto features

  • Forwared secrecy
  • Authenticity
  • (Deniability)

Usability features

  • Reliable
  • Multiple devices
  • Existing XMPP servers

An Introduction to Ratchets

  • Key exchange at beginning of ‘session’
  • Message keys within a ‘session’ are derived from each other
  • Message keys are destroyed after decryption

OTR vs Axolotl

  • Lifelong sessions
  • First part of key exchange stored on server (pre keys)
  • Resilient against lost messages, reordering, replay

Naming confusion

  • Axolotl renamed to Signal Protocol
  • Copyright claims by OWS lead to several third party libraries with the same algorithm
  • Actual algorithm public domain (Double Ratchet)
  • Libraries differ in wire (binary) format

History of OMEMO

  • Google Summer of Code 2015 (June - September)
  • Conversations release in September
  • protoXEP in October 2015
  • Gajim Plugin Christmas 2015
  • ChatSecure Beta November 2016
  • As of yesterday: XEP-0384

Integrating Axolotl in XMPP

  • Session for every device
  • Pre keys are stored in PEP for each device
  • Index node holds list with devices
  • Clients subscribe (+notify) to index node

Integrating Axolotl in XMPP (2)

  • Individual node for every device (namespace contains device id)
  • Every node has >100 pre keys. Clients pick one at random
  • <body/> gets encrypted with random key (AES-GCM)
  • Random key gets encrypted in n sessions


  • n * m sessions w/ n: average number of devices/participant, m: number of participants
  • Requires presence subscription with each participant
  • Reliably detect participants (retrieve member list) & changes (notification of affiliation changes even if participant is offline)
  • MUC MAM needs to communicate real JID


  • Presence subscription no longer required
  • Improved method to detect participant changes


  • Hassle-free communication between multiple devices
  • Works with carbons and MAM
  • Even in (private, non-anonymous) conferences
  • Existing servers not so much. PEP was a rocky road


  • Provide a way to optionally encrypt XML
  • No plan to support large conferences

Trust multiple devices

  • TOFU doesn’t work if you can’t judge plausibility
  • Signal/WhatsApp are migrating to trust everything
  • Conversations >1.15.0 had manual mode
    Let user decide for each and every new device
  • BTBV (Blind Trust Before Verification)
    Trust everything by default. After first actual verification (scanning barcode) go to manual mode and let user decide for subsequent devices

Reading material