ATT specifies an automatic transfer of trust in public identity keys used by the end-to-end encryption protocol OMEMO.
</abstract>
&LEGALNOTICE;
<number>xxxx</number>
<status>ProtoXEP</status>
<type>Standards Track</type>
<sig>Standards</sig>
<approver>Council</approver>
<dependencies>
<spec>XMPP Core</spec>
<spec>XEP-0001</spec>
<spec>XEP-0147</spec>
<spec>XEP-0384</spec>
</dependencies>
<supersedes/>
<supersededby/>
<shortname>NOT_YET_ASSIGNED</shortname>
<author>
<firstname>Melvin</firstname>
<surname>Keskin</surname>
<email>melvo@olomono.de</email>
<jid>melvo@olomono.de</jid>
</author>
<revision>
<version>0.0.1</version>
<date>2019-03-03</date>
<initials>mk</initials>
<remark><p>First draft.</p></remark>
</revision>
</header>
<section1topic='Introduction'anchor='intro'>
<p>
ATT is used for automatically establishing secure channels protected against active attacks between a new device and existing ones after a single mutual manual authentication between the new device and one of the existing ones.
It preserves the security level as if all devices had authenticated their keys manually.
A trusted third party is not required since a usual OMEMO message is used for transferring the information needed to authenticate a key or revoke the trust in that key.
Additionally, it will preserve the anonymity of the authentication and revocation since those messages are only sent to devices with authenticated keys.
That means that an attacker cannot detect whether an authentication or revocation took place.
</p>
<p>
End-to-end encryption without verifying the authenticity of the public keys enables users to protect their communication against passive attacks.
That means an attacker cannot read the transferred messages without manipulating the exchanged messages or key material.
But without any other precautions active attacks are still possible.
If the exchanged keys are replaced with the key of an attacker, the end-to-end encrypted messages can be read by the attacker.
</p>
<p>
When using &xep0384;, a public identity key is transmitted over a channel which is not protected against active attacks.
That key has to be authenticated by the receiving device over a channel which is protected against active attacks to maintain the confidentiality of sent OMEMO messages and ensuring the authenticity and integrity of received OMEMO messages.
</p>
<p>
When using OMEMO, each device has a different identity key.
That makes it possible for new devices to use end-to-end encryption protecting against passive attacks without transmitting the private key over a secure channel from an existing device to the new one.
However, the downside of this approach is that it increases the number of authentications.
</p>
<p>
The goal of key authentication is to build up an end-to-end encrypted communication network exclusively between devices with authenticated keys.
That network of devices trusting each other's keys can be seen as a complete graph with each device as a node and each authentication as an edge.
The number of edges grows for each new device by the number of existing nodes.
Without ATT all of those authentications have to be done manually.
With ATT though, only one mutal manual authentication is required.
</p>
<p>
This means that each communication channel between the devices is resistant against active attacks.
To sustain such a secure communication across all devices, the new key of an own device has to be authenticated by all n own devices and all m devices of a contact.
This leads to a total of n * m authentications.
Two of them require user interaction like scanning each other's QR codes or comparing the key identifiers by hand.
The remaining authentications can be automated relying on the secure channel established by the two inital authentications and the secure channels created by that procedure.
Thus, less user interaction is needed for authenticating all keys involved in the secure communication while preserving the same security level.
</p>
<p>
On the one hand, each new key has to be authenticated by a device that already belongs to the devices communicating with authenticated keys.
On the other hand, the device that introduces the new key has to authenticate the key of the device that already belongs to the devices communicating with authenticated keys.
</p>
<p>
More precisely, that means the following:
After device 1 manually authenticated the key of device 2, a message called authentication message for the key of device 2 is sent automatically from device 1 to devices with already authenticated keys.
They can use the authentication message for an automatic authentication of the key of device 2 after they authenticated the key of device 1.
</p>
<p>
When a key of an own device should not be trusted anymore by other own devices and devices of a contact, an appropriate message can be sent to those devices.
They can then revoke the trust in that key if the key of the sending device is already authenticated.
</p>
</section1>
<section1topic='Glossary'anchor='glossary'>
<dl>
<di>
<dt>OMEMO message</dt>
<dd>Message encrypted with OMEMO</dd>
</di>
<di>
<dt>Device</dt>
<dd>See <cite>Device</cite> in &omemo-glossary;</dd>
</di>
<di>
<dt>Key</dt>
<dd>Public part of <cite>IdentityKey</cite> in &omemo-glossary;</dd>
</di>
<di>
<dt>Key identifier</dt>
<dd>Identifier for a key (e.g., a fingerprint or the key itself)</dd>
</di>
<di>
<dt>Key authentication</dt>
<dd>Verifying that a key received over an insecure channel is actually the one of the assumed device</dd>
</di>
<di>
<dt>Manual key authentication</dt>
<dd>Key authentication with user interaction (e.g., QR code scanning, fingerprint verification)</dd>
</di>
<di>
<dt>Automatic key authentication</dt>
<dd>Key authentication without user interaction (e.g., ATT)</dd>
A trust message for a device's key sent to another device is a trust message that contains the key identifer of the given key for authentication or revocation.
If a trust message only contains key identifiers for authentication, it is called <cite>authentication message</cite>.
A trust message contains an <cite>XMPP URI</cite> (see &xep0147;) defined by the following scheme:
</p>
<examplecaption='Scheme of a Trust Message URI'><![CDATA[xmpp:<bare-jid>?omemo-trust;<auth|revoke>=<key-identifier-1>;<auth|revoke>=<key-identifier-2>;<...>;<auth|revoke>=<key-identifier-n>]]></example>
<examplecaption='Example of a Trust Message URI'><![CDATA[xmpp:user@example.org?omemo-trust;auth=623548d3835c6d33ef5cb680f7944ef381cf712bf23a0119dabe5c4f252cd02f;auth=d9f849b6b828309c5f2c8df4f38fd891887da5aaa24a22c50d52f69b4a80817e;revoke=b423f5088de9a924d51b31581723d850c7cc67d0a4fe6b267c3d301ff56d2413]]></example>
A device that receives an authentication message for a key of an own device from another own device MUST authenticate the key as soon as the key of the device that sent the authentication message is authenticated by the receiving device.
</p>
<p>
Example:
A2 authenticates A3's key by the authentication message from A1 as soon as A2 authenticated A1's key.
</p>
</section3>
</section2>
<section2topic='Revoking the Trust in a Key'anchor='usecases-revocation'>
<p>
A client MAY send a revocation message for a key that is not trusted anymore by the sending client so that key will no longer be trusted by the receiving client.
A client receiving a revocation message SHOULD revoke the trust in the corresponding key.
</p>
<p>
// TODO Further discussion has to take place before finalizing this section.
<section2topic='Storing Trust Message Information from Devices with Unauthenticated Keys'anchor='impl-storing-trust-message-information-unauthenticated-keys'>
<p>
A client MUST save the information of a trust message until the key of the device which sent the trust message is authenticated, so that the key can then be authenticated or revoked.
Afterwards the information of the trust message MAY be deleted.
</p>
<p>
Example:
When Alice's device A1 authenticates the key of Bob's device B1, A1 sends a trust message containing the keys of Alice's other device A2 to B1.
If B1 has not already authenticated A1's key, B1 stores the information provided by the trust message.
B1 authenticates A1's key and is then able to automatically authenticate A2's key.
</p>
</section2>
<section2topic='Storing Trust Message Information for Unknown Keys'anchor='impl-storing-trust-message-information-unknown-keys'>
<p>
A client MUST save the information of a trust message until it has fetched the corresponding key so that the key can then be authenticated or revoked.
Afterwards the information of the trust message can be deleted.
</p>
<p>
Example:
Alice's device A1 receives an authentication message from Bob's device B1.
That authentication message contains the key for Bob's other device B2.
If A1 has not already fetched B2's key, A1 stores the information provided by the trust message.
A1 fetches B2's key and is then able to automatically authenticate A2's key.
It is more secure to be protected against passive attacks instead of not using any encryption.
If it is not possible to authenticate a key before encrypting with it but it is desired to communicate with the key's device, it is RECOMMENDED to blindly trust new keys until the first authentication has been made.
</p>
<p>
Even ATT cannot protect the user against an attacker with a blindly trusted and undetected malicious key.
For this reason it is important to take special care of the following security aspects.
</p>
<p>
If keys are blindly trusted until the first authentication, keys which are not authenticated by then MUST NOT be used any longer for encryption until they have been authenticated too.
New keys MUST also only be used for encryption after they have been authenticated.
Without these two additional precautions it is not possible to protect the user against attackers who introduced malicious keys before or after the first authentication.