matrix-org / olm

An implementation of the Double Ratchet cryptographic ratchet in C++/C
https://gitlab.matrix.org/matrix-org/olm

X3DH in libolm #59

Closed karol-bisztyga closed 3 years ago

karol-bisztyga commented 3 years ago

Hey! I'm sorry if this issue is out of the story a bit but I got really confused about how things work in the olm library.

I want to implement X3DH + double ratchet using the olm library. Now, I followed the linked docs: this and from there I got to this one about X3DH. I think I more or less understand how things work, but I have a hard time connecting all those parts with what's in the olm codebase.

The first thing is integration with X3DH - How to do this exactly? First, I saw that here the shared secret key is calculated using triple DH:

// Calculate the shared secret S via triple DH

Is triple DH something else than extended triple DH (X3DH)? The reason it's confusing is that in the docs you have something like this:

Bob publishes a set of elliptic curve public keys to the server, containing:

  • Bob's identity key IKB
  • Bob's signed prekey SPKB
  • Bob's prekey signature Sig(IKB, Encode(SPKB))
  • A set of Bob's one-time prekeys (OPKB1, OPKB2, OPKB3, ...)

At the same time, to successfully create sessions in olm, you only need identity keys and one-time keys (inbound, outbound). In the docs, it's said that you also need a signed prekey, a signature, and also that one-time keys are optional. I also understood from the code that after establishing sessions successfully you can just exchange messages and it works ok with the double ratchet, is that correct?

Am I missing anything? Do I have to implement x3dh on my own using some specific functions from the olm library or is it handled on a high level? What's a proper way of doing this?

Thanks in advance and sorry if this turns out silly, peace!

poljar commented 3 years ago

Is triple DH something else than extended triple DH (X3DH)?

It is; it differs slightly. The 3DH implementation used in libolm uses only IKB and OPKB mentioned in the Signal docs. The one-time key (OPKB) can be signed or not, depending on what clients want to do; the identity keys (IKB) are signed.

I also understood from the code that after establishing sessions successfully you can just exchange messages and it works ok with the double ratchet, is that correct?

Yes, once a Session is established the two ratchets are incremented inside the Session object.

Am I missing anything? Do I have to implement x3dh on my own using some specific functions from the olm library or is it handled on a high level? What's a proper way of doing this?

If you want x3dh you'll have to modify the source of libolm, it doesn't support picking a different implementation or providing an external shared secret to establish the Session.

Hope this helps somewhat.

karol-bisztyga commented 3 years ago

Thanks for the reply ❤️ Is there any doc describing 3DH, maybe similar to this one, so I could have an exact comparison of what the differences are? I haven't found any :(

Also what I'm interested in in the first place is whether 3DH provides forward secrecy. Do you happen to know that? Still, a detailed doc would be very helpful, thanks!

poljar commented 3 years ago

Thanks for the reply ❤️ Is there any doc describing 3DH, maybe similar to this one, so I could have an exact comparison of what the differences are? I haven't found any :(

The docs can be found on the Gitlab, the 3DH setup is described here, albeit a bit briefly.

Also what I'm interested in in the first place is whether 3DH provides forward secrecy. Do you happen to know that? Still, a detailed doc would be very helpful, thanks!

It does, the usage of the one-time key in the 3DH step ensures forward secrecy.
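To make the two replies above concrete (the 3DH-versus-X3DH difference in the first answer, and the forward-secrecy role of the one-time key in this one), here is an added worked example. It is not code from libolm or from anyone in this thread. It assumes the key roles as described in the Olm spec (Alice's identity key IK_A and a fresh ephemeral key EK_A; Bob's identity key IK_B and a one-time key OTK_B) and the spec's initial derivation R_0 || C_0,0 = HKDF(0, S, "OLM_ROOT", 64), and it includes a pure-Python RFC 7748 X25519 ladder only so the script runs without libolm; that ladder is not constant-time and is for illustration only. The X3DH functions are included side by side to show the extra signed-prekey DH term that libolm's 3DH does not have.

```python
"""Olm 3DH vs. Signal X3DH key agreement (added example, not libolm code)."""
import hashlib
import hmac
import os

# --- X25519 per RFC 7748 (pure Python, NOT constant-time; illustration only) ---
P = 2 ** 255 - 19
A24 = 121665
BASEPOINT = bytes([9]) + bytes(31)


def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder (RFC 7748 section 5); returns the shared u-coordinate."""
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127                      # ignore the unused top bit of u
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(seed=None):
    """(private, public) pair; a fixed seed is only for deterministic demos/tests."""
    priv = seed if seed is not None else os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-SHA256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# --- Olm 3DH: S = ECDH(IK_A, OTK_B) || ECDH(EK_A, IK_B) || ECDH(EK_A, OTK_B) ---
def olm_3dh_alice(ik_a_priv, ek_a_priv, ik_b_pub, otk_b_pub) -> bytes:
    return (x25519(ik_a_priv, otk_b_pub) + x25519(ek_a_priv, ik_b_pub)
            + x25519(ek_a_priv, otk_b_pub))


def olm_3dh_bob(ik_b_priv, otk_b_priv, ik_a_pub, ek_a_pub) -> bytes:
    # Same three terms from Bob's side; DH is commutative, so S must match.
    return (x25519(otk_b_priv, ik_a_pub) + x25519(ik_b_priv, ek_a_pub)
            + x25519(otk_b_priv, ek_a_pub))


# --- Signal X3DH: the extra signed prekey SPK_B adds a fourth DH term ---
def x3dh_alice(ik_a_priv, ek_a_priv, ik_b_pub, spk_b_pub, opk_b_pub) -> bytes:
    return (x25519(ik_a_priv, spk_b_pub) + x25519(ek_a_priv, ik_b_pub)
            + x25519(ek_a_priv, spk_b_pub) + x25519(ek_a_priv, opk_b_pub))


def x3dh_bob(ik_b_priv, spk_b_priv, opk_b_priv, ik_a_pub, ek_a_pub) -> bytes:
    return (x25519(spk_b_priv, ik_a_pub) + x25519(ik_b_priv, ek_a_pub)
            + x25519(spk_b_priv, ek_a_pub) + x25519(opk_b_priv, ek_a_pub))


def derive_root_and_chain(shared_secret: bytes):
    """Olm initial keys: R_0 || C_0,0 = HKDF(0, S, "OLM_ROOT", 64)."""
    okm = hkdf_sha256(b"", shared_secret, b"OLM_ROOT", 64)
    return okm[:32], okm[32:]


def run_olm_handshake(seed_a=b"\x11" * 32, seed_b=b"\x22" * 32):
    """Both sides run 3DH and must arrive at the same R_0 and C_0,0."""
    ik_a, IK_A = keypair(seed_a)
    ek_a, EK_A = keypair(hashlib.sha256(seed_a).digest())    # fresh per session
    ik_b, IK_B = keypair(seed_b)
    otk_b, OTK_B = keypair(hashlib.sha256(seed_b).digest())  # one-time, deleted after use
    s_alice = olm_3dh_alice(ik_a, ek_a, IK_B, OTK_B)
    s_bob = olm_3dh_bob(ik_b, otk_b, IK_A, EK_A)
    return {"agree": s_alice == s_bob,
            "root_chain_alice": derive_root_and_chain(s_alice),
            "root_chain_bob": derive_root_and_chain(s_bob)}


if __name__ == "__main__":
    print(run_olm_handshake()["agree"])
```

Two of the three DH terms in `olm_3dh_*` involve Bob's one-time key OTK_B (and two involve Alice's ephemeral EK_A); once both parties delete those short-lived private keys, S cannot be recomputed from the long-term identity keys alone, which is the forward-secrecy property referred to above. The X3DH variant differs only by the additional signed-prekey term, which is exactly what libolm's 3DH omits.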

karol-bisztyga commented 3 years ago

Thanks for the info! You helped a lot 🙌