X3DH Key Agreement Protocol

If I have access to the prekeys, I can try to calculate DH1, DH2 and DH3 (although I think this is difficult without the ephemeral and identity keys) and mount key-compromise impersonation attacks; see this informal overview. Basically, if I know the shared secret SK, I can pretend to be one of the parties in a conversation. For this reason the protocol recommends uploading fresh prekeys to the server regularly, which invalidates such attacks (SK depends on the prekey).

After receiving the response from the server, Alice verifies Bob's signature on the prekey and aborts the protocol if the signature is incorrect. If the signature is correct, Alice generates an ephemeral key pair with public key EKA. For each protocol run, Alice generates a new ephemeral key pair with public key EKA.

At a higher level, the Signal Protocol is a security library on steroids. Despite its novelty and growing importance, there has been little formal analysis of this protocol, even though it has become a driving force in the world of cybersecurity. So what makes it so powerful? Finally, I hope this article sparked your interest in researching other security protocols!

The Extended Triple Diffie-Hellman (X3DH) key agreement protocol is a common protocol for establishing a shared secret key between two parties who mutually authenticate each other based on public keys. Before or after agreeing on keys, the communicating parties can compare their identity public keys IKA and IKB over an authenticated channel, for example by comparing public key fingerprints manually or by scanning a QR code. The methods for doing so are outside the scope of this protocol.

Given Bob's 32-byte private key, Curve25519 computes his 32-byte public key. Given Bob's 32-byte private key and Alice's 32-byte public key, Curve25519 computes the shared secret known to both parties; that secret is then used to authenticate and encrypt messages between them. The algorithm is carefully designed so that every 32-byte string can be accepted as a Diffie-Hellman public key. The Signal Protocol uses Curve25519 for all of its asymmetric cryptographic operations. The goal is to provide a configurable, protocol-independent implementation while keeping the structure close to the specification.

X3DH provides mutual authentication and forward secrecy purely through Diffie-Hellman computations, so omitting the prekey signature may seem acceptable. However, this would allow a malicious server to hand Alice a "fake prekey bundle" and later compromise Bob's identity key to calculate SK. It may also be tempting to replace the mutual authentication based on the DH1 and DH2 values with a signature under the identity key. However, this reduces deniability, increases the size of initial messages, and increases the damage done if an ephemeral or prekey private key is compromised or if a vulnerability is found in the signature scheme.

After sending the first message, Alice can continue to use SK, or keys derived from SK, within a post-X3DH protocol to exchange messages with Bob. Bob also has a signed prekey SPKB that he replaces regularly, and many one-time prekeys OPKB, each of which is used in a single protocol run with a new user.
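The DH1 to DH4 and SK computations described above, as an added example that is not code from the original article or from the Signal project: a pure-Python X3DH key derivation using X25519 as specified in RFC 7748 and HKDF-SHA256 as specified in RFC 5869, so it runs with the standard library only. It assumes a constructed application identifier `b"X3DH-example"` and random keys generated at run time. Both sides derive SK, a run without a one-time prekey is shown, and Bob rotating SPKB is shown to change SK, which is the reason given above for uploading fresh prekeys regularly. The XEdDSA signature over SPKB is not implemented here; a real client verifies it and aborts before doing any of this, and the ladder below is not constant-time.

```python
# Added example, not code from the original article or the Signal project.
# X25519 per RFC 7748 and HKDF-SHA256 per RFC 5869, in pure Python.
# The XEdDSA signature over SPKB is deliberately NOT implemented here; a real
# client verifies it and aborts before computing any DH value.
import hashlib
import hmac
import os

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")
F = b"\xff" * 32                 # X3DH prefix for curve25519 (32 bytes of 0xFF)
INFO = b"X3DH-example"           # assumed application identifier (constructed)


def _clamp(scalar: bytes) -> int:
    """Clear the low 3 bits and the top bit, set bit 254 (RFC 7748 decodeScalar25519)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5: returns scalar * point (u-coordinate)."""
    k = _clamp(scalar)
    u = bytearray(point)
    u[31] &= 127                  # the top bit of the u-coordinate is ignored
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                  # conditional swap; real code does this branch-free
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keygen() -> tuple:
    """Random 32-byte private key and its Curve25519 public key."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def hkdf(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 with the all-zero salt that the X3DH specification uses."""
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]


def x3dh_alice(ik_a, ek_a, IK_B, SPK_B, OPK_B=None) -> bytes:
    """Alice's side: DH1, DH2, DH3 (plus DH4 when a one-time prekey is available)."""
    dhs = x25519(ik_a, SPK_B) + x25519(ek_a, IK_B) + x25519(ek_a, SPK_B)
    if OPK_B is not None:
        dhs += x25519(ek_a, OPK_B)
    return hkdf(F + dhs, INFO)


def x3dh_bob(ik_b, spk_b, opk_b, IK_A, EK_A) -> bytes:
    """Bob's side: the same DH values computed with his private keys."""
    dhs = x25519(spk_b, IK_A) + x25519(ik_b, EK_A) + x25519(spk_b, EK_A)
    if opk_b is not None:
        dhs += x25519(opk_b, EK_A)
    return hkdf(F + dhs, INFO)


def demo(use_opk: bool = True) -> dict:
    """Full run: both sides derive SK, then Bob rotates SPKB and SK changes."""
    ik_a, IK_A = keygen()                 # Alice's identity key
    ik_b, IK_B = keygen()                 # Bob's identity key
    spk_b, SPK_B = keygen()               # Bob's signed prekey (signature omitted here)
    opk_b, OPK_B = keygen() if use_opk else (None, None)
    ek_a, EK_A = keygen()                 # fresh ephemeral key for this run only
    sk_alice = x3dh_alice(ik_a, ek_a, IK_B, SPK_B, OPK_B)
    sk_bob = x3dh_bob(ik_b, spk_b, opk_b, IK_A, EK_A)
    _, SPK_B_new = keygen()               # Bob rotates his signed prekey
    sk_rotated = x3dh_alice(ik_a, ek_a, IK_B, SPK_B_new, OPK_B)
    return {"sk_alice": sk_alice, "sk_bob": sk_bob, "sk_after_rotation": sk_rotated}


if __name__ == "__main__":
    result = demo()
    print("SK agreed:", result["sk_alice"] == result["sk_bob"])
    print("SK changed after SPKB rotation:", result["sk_after_rotation"] != result["sk_alice"])
```

Running the block prints that both sides agree on SK and that the same Alice keys produce a different SK once Bob's signed prekey is rotated. The x25519 function can be checked against the RFC 7748 section 6.1 test vector before trusting the rest of the derivation.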