signal and noise protocols

[aaannndddyyy]

Please consider using the signal and noise pipes protocols. Signal (formerly axolotl) and noise are very good protocols, well-reviewed and offering very desirable features that go beyond what otr has to offer, e.g.:

• end-to-end encryption
• deniable authentication
• perfect forward secrecy
• future secrecy
• deniability of the conversation (of having exchanged messages at all)
• group chat encryption

(c.f. #50, but since that ticket is about threat model and not concrete protocols, I opened this ticket. c.f. https://github.com/TokTok/c-toxcore/issues/426 ) Ref: https://eprint.iacr.org/2016/1013.pdf https://whispersystems.org/docs/ ps.: the pre-keys exist to enable offline messaging, but they do not require a server at all, so it can work in a p2p system like tox as well.

[GrayHatter]

Signal (formerly axolotl) and noise are very good protocols

[Citation needed.]

They're fine, and peer reviewed. But IMO excluding the issue of finding friends cheaply, and treating contacts as immutable IDs. The Tox protocol is better for what Tox actually is.

Also, I'm pretty sure that they both don't offer all of those features.

[aaannndddyyy]

@GrayHatter Can you please elaborate? what does "finding friends cheaply" mean, and why would a specific crypto protocol prevent that?

Also, I'm pretty sure that they both don't offer all of those features.

This is so far just a subjective impression of yours. Maybe you could provide some facts to make that statement solid?

The Tox protocol is better for what Tox actually is.

Same applies to this statement. It is vague and provides no information.

[GrayHatter]

This is so far just a subjective impression of yours. Maybe you could provide some facts to make that statement solid?

You're right, I should have been more specific. I don't believe that both signal and noise offer all the highlighted features you listed above. Do you have a citation suggesting they do?

Same applies to this statement. It is vague and provides no information.

Sure, the tox protocol also includes protection from the network as a whole. The noise protocol (from the few pages I've read) seems to merely be "here's how to do good key exchanges". Where as Signal requires you have a trusted server. Tox doesn't touch either of these by not needing anything resembling a server infrastructure, nor does it handle the key exchange for the user. While the last could be a downside, it's also intentional.

[aaannndddyyy]

You're right, I should have been more specific. I don't believe that both signal and noise offer all the highlighted features you listed above. Do you have a citation suggesting they do?

The features/properties I listed were:

• end-to-end encryption
• deniable authentication
• perfect forward secrecy
• future secrecy
• deniability of the conversation (of having exchanged messages at all)
• group chat encryption

Well, end-to-ned encryption is clear, I guess. For forward and future secrecy, asynchronous messages, deniabilities, c.f.

• https://whispersystems.org/blog/advanced-ratcheting/
• https://whispersystems.org/blog/simplifying-otr-deniability/

• https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm For group chat I took that info simply from wikipedia: https://en.wikipedia.org/wiki/Signal_Protocol

  Same applies to this statement. It is vague and provides no information.

Sure, the tox protocol also includes protection from the network as a whole. The noise protocol (from the few pages I've read) seems to merely be "here's how to do good key exchanges". Where as Signal requires you have a trusted server.

This ticket is precisely about that: about how to have secure trusted communication channels via authenticated encryption with many modern and desirable features. It's not about peer discovery, which is a network thing. Can you please provide a source that clearly states that signal requires a server, because to me this is absolutely not clear.

Tox doesn't touch either of these by not needing anything resembling a server infrastructure, nor does it handle the key exchange for the user.

This is not true. Tox users NEVER exchange session keys, Tox does that. And in signal, users can/should also exchange their long-time public keys or ckeck the fingerprints.

signal and/or noise are used by Signal, a very nice, secure messenger, by whatsapp (Which means that due to its mainstream character, it also will draw more attention and review to the noise and signal protocols), pond, Secure Chat, Google Allo, Facebook messenger, ...

And for a formal analysis of signal protocol, please see the link in my first post.

[GrayHatter]

This review of Signal shows a server is needed.

https://eprint.iacr.org/2016/1013.pdf

That's the one from your first post. They reference use of a server on page 3,4,6,7,8 and possibly later as well.

This is not true. Tox users NEVER exchange session keys, Tox does that.

No, tox generates them, but again, that's a semantic difference. They're created off a DHT key, and a ToxID (the public key).

signal and/or noise are used by Signal, a very nice, secure messenger, by whatsapp

Whatsapp is a fucking joke. And as such, no one who understands security or crypto should honestly suggest them in a scenario where security could be important.

[aaannndddyyy]

This review of Signal shows a server is needed.

https://eprint.iacr.org/2016/1013.pdf

That's the one from your first post. They reference use of a server on page 3,4,6,7,8 and possibly later as well.

That's not what I asked. Deducing from the use of servers the necesity of servers is a logical fallacy. Of course, signal protocol can be and in fact is used on servers. Whatsapp requires servers and so does Signal (the App). But that does not mean the protocol needs servers. The server is a convenience for storing things for others. It's like saying messengers need servers because Whatsapp is a messenger and Whatsapp needs a server. There are, however, messengers that do not need servers, like tox, torchat, ... Not having a server means, there is no place you can get prekeys from, other than your contact. That is no problem, since as of now you cannot send messages to contacts you have never seen before when they are offline, anyway. In fact, you cannot send messages to any offline contact in tox. On page four the cited paper says "Alice requests and receives some information about Bob (either from the central server or from Bob himself)". Note the "or from Bob himself" part, which clearly shows that the server is not a necessity.

This is not true. Tox users NEVER exchange session keys, Tox does that.

No, tox generates them, but again, that's a semantic difference. They're created off a DHT key, and a ToxID (the public key).

So? Anyway, aren't DHT keys totally unrelated? (metadata)

signal and/or noise are used by Signal, a very nice, secure messenger, by whatsapp

Whatsapp is a fucking joke. And as such, no one who understands security or crypto should honestly suggest them in a scenario where security could be important.

You misunderstood: I did not recommend using Whatsapp. Not becasue I distrust the crypto they use, quite the opposite, but mainly because it is closed source. I was talking about exposure.

[aaannndddyyy]

But IMO excluding the issue of finding friends cheaply, and treating contacts as immutable IDs.

I still don't understand what you want to say here. Finding friends is a matter of the DHT, not of key exchange or key derivation. And Tox also treats contacts as immutable, c.f. Tox ID - if your Tox ID changes you need to exchange that with your contact out of band again.

[nazar-pc]

I haven't finished reading The Noise Protocol Framework spec yet, also I'm not a professional cryptographer (only have some basic knowledge that allow me to read the spec), but what I've seen so far in the spec and elsewhere looks very promising. It specifies everything necessary in terms of crypto and should also fix https://github.com/TokTok/c-toxcore/issues/426 in a natural way.

It is designed in a way that is relatively easy to understand and implement and will also allow to simplify Tox specification by not describing every detail, but rather referencing familiar concepts from Noise.

I'd suggest to start from this to get an intro: https://www.youtube.com/watch?v=ceGTgqypwnQ

I've also tried to dive into Signal Protocol, but it is either structured worse than Noise or is generally more complex which is why I'm leaning towards Noise.

[aaannndddyyy]

both protocols have different focuses and complement each other well. Whatsapp uses signal for end-to-end encryption (online or offline messages) and noise for client-server communication, so it's signal encapsulated in noise. Tox does not have servers, but maybe noise can cater for some of our needs. I'm leaning more towards signal protocol (formely known as axolotl protocol) though - a highly respected protocol in the cryptographic community with many advantages over otr.

[TNTBOMBOM]

it has been more than 3 years since this ticket created , what are you guys doing? fixing microphone not connected and leaving crypto aside? cc @iphydf @JFreegman @endoffile78

[iphydf]

This is active work in progress.

[iphydf]

@goldroom is working on this.

[goldroom]

See https://github.com/TokTok/c-toxcore/pull/2450/