Crypto features
Forwared secrecy
Authenticity
(Deniability)
Security in general and end-to-end encryption in particular is always a tradeoff. You can't have everything and you basically need to know what you to be secure agains.
Usability features
Reliable
Multiple devices
Existing XMPP servers
Aside from these cryptographic features we wanted OMEMO to have a few more features.
An Introduction to Ratchets
Key exchange at beginning of ‘session’
Message keys within a ‘session’ are derived from each other
Message keys are destroyed after decryption
Our cryptographic requirements can be implement with what is commonly know as a Ratchet.
OTR vs Axolotl
Lifelong sessions
First part of key exchange stored on server (pre keys)
Resilient against lost messages, reordering, replay
OTR uses such a ratchet. When TextSecure came along they introduced sort of an improved version of OTR called Axoltl that brought three important changes.
Naming confusion
Axolotl renamed to Signal Protocol
Copyright claims by OWS lead to several third party libraries with the same algorithm
Actual algorithm public domain (Double Ratchet)
Libraries differ in wire (binary) format
A quick note; After the introduction of OMEMO Axolotl was renamed to Signal Protocol and after copyright claims by Open Whisper System several third party libraries were introduced that basically did the same thing.
History of OMEMO
Google Summer of Code 2015 (June - September)
Conversations release in September
protoXEP in October 2015
Gajim Plugin Christmas 2015
ChatSecure Beta November 2016
As of yesterday: XEP-0384
Just for a very brief history of OMEMO
Integrating Axolotl in XMPP
Session for every device
Pre keys are stored in PEP for each device
Index node holds list with devices
Clients subscribe (+notify) to index node
How does one integrate Axolotl into XMPP?
Integrating Axolotl in XMPP (2)
Individual node for every device (namespace contains device id)
Every node has >100 pre keys. Clients pick one at random
<body/> gets encrypted with random key (AES-GCM)Random key gets encrypted in n sessions
Since every device has it's own PEP node we have to abuse namespaces to carry the device id.
OMEMO over MUC
n * m sessions w/ n : average number of devices/participant, m : number of participantsRequires presence subscription with each participant
Reliably detect participants (retrieve member list) & changes (notification of affiliation changes even if participant is offline)
MUC MAM needs to communicate real JID
Using OMEMO over MUC works just the same way. You just encrypt to every device of every participant. Since there is no connection between resources and devices we have to encrypt to every device even though that device might not actually be in that conference at this time.
OMEMO over MIX
Presence subscription no longer required
Improved method to detect participant changes
OMEMO over MIX will probably work very similar to the way it works in MUC.
Accomplishments
Hassle-free communication between multiple devices
Works with carbons and MAM
Even in (private, non-anonymous) conferences
Existing servers not so much. PEP was a rocky road
So what can we do right now? We set out to create an end-to-end encryption that is reliable enough to be always on without the user noticing it. We wanted the user to be able to switch between multiple devices. Thats totally possible now if you use Conversations and Gajim. I'm using it on a daily basis with several of my contacts. Even in MUC.
Future
Provide a way to optionally encrypt XML
No plan to support large conferences
The next revison of OMEMO will probably contain a way to optionally encrypt an XML payload as well but keep the plain text encryption as a fallback for clients who don't want to start an XML parser from their XML parser.
Trust multiple devices
TOFU doesn’t work if you can’t judge plausibility
Signal/WhatsApp are migrating to trust everything
Conversations >1.15.0 had manual mode
BTBV (Blind Trust Before Verification)
OMEMO is capable of encryption but OMEMO doesn't have an answer on how to verify the indivdual devices.
