FSMaxB
commented
8 years ago I'm not involved in the development of the double_ratchet but I feel qualified to comment because I implemented it.
- The keys are derived from a master key, not transmitted over some kind of channel. It isn't specified where the master key comes from, but WhatsApp and Signal do it via so called triple diffie hellman with the identity keypairs of Alice and Bob and two ephemeral keypairs.
About the 's': Either one of Alice and Bob could be the sender or receiver. And the header keys and chain keys are symmetrical, so they both use the same. It's not like it belongs to any one of them. Alice's send key is the same as the corresponding receive key on Bob's side and so on. Note that Alice's send keys are
<none>because Alice has theratchet_flagset totrueinitally. - If the
ratchet_flagis set, a new root key is required in order to start a new message chain. The KDF line means, that all those keys (RK, NHKs, CKs) are derived from the same secret. But those keys aren't identical. This would usually be done by using a key derivation function with subkey counter and using a different subkey counter for each of the three keys.
meLog
I´ve got several questions regarding the functioning of double_ratchet.
1 Initialization
The wiki says: Alice: KDF from master_key: RK, HKs=, HKr, NHKs, NHKr, CKs=, CKr
and
Bob:
KDF from master_key: RK, HKr=, HKs, NHKr, NHKs, CKr=, CKs
Does that mean that Alice and Bob derive each others' keys from the master key or that they just derive their own and the other is transmitted to them?
And does s = sender on bobs side stand for alices or for bobs keys?
2 Sending messages
The wiki says: if ratchet_flag: ... RK, NHKs, CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) )
Does that mean:
RK = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) ) NKHs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) ) and CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) )
A new NKHs and CKs for each new rachet key is clear, but why a new RK, too?
Currently I´m writing my bachelor thesis and I´m grateful for any helpful comments.