First draft.
ATT is used in conjunction with &xep0384; for automatically establishing secure channels protected against active attacks between a new device and existing ones after a single mutual manual authentication between the new device and one of the existing ones. It preserves the security level as if all devices had authenticated their keys manually. A trusted third party is not required since an ordinary OMEMO message is used for transferring the information needed to authenticate a public identity key or revoke the trust in that key. Additionally, it preserves the anonymity of the authentication and revocation since those messages are only sent to devices with authenticated public identity keys. That means an attacker cannot detect whether an authentication or revocation took place.
End-to-end encryption without verifying the authenticity of the exchanged public identity keys only enables users to protect their communication against passive attacks. This means an attacker cannot read encrypted messages in transit without actively intervening in the key exchange. However, without any other precautions active attacks are still possible. If an attacker replaces the exchanged keys with malicious ones, the end-to-end encrypted messages can be read and manipulated by the attacker.
When using OMEMO, a public identity key is transmitted over a channel which is not protected against active attacks. That key has to be authenticated by the receiving device over a channel which is protected against active attacks to maintain the confidentiality of sent OMEMO messages and ensuring the authenticity and integrity of received OMEMO messages.
When using OMEMO, each device has a unique identity key. For that reason it is not necessary to copy an existing private identity key to a new device enabling it to use end-to-end encryption. Additionally, it can be used to stop encrypting for a specific device. For example, that could be done automatically after a given number of sent messages without any reaction from the receiving device that would forward the double ratchet to ensure forward and backward secrecy.
However, the downside of that approach is that it increases the number of key authentications users need to do for each new device to be protected against active attacks. Without ATT all n-1 mutual authentications per new key have to be done manually. With ATT though, only one mutual manual authentication per new key is required.
The goal of key authentication is to create an end-to-end encrypted communication network exclusively of devices with authenticated keys. As a result every communication channel between those devices is resistant against active attacks.
The network of devices which authenticated each other's keys can be seen as a complete graph where each device is a node and each mutual authentication is an edge. The number of edges grows for each new device by the number of existing nodes. This is due to the fact that in order to sustain secure channels between all devices, a new key has to be authenticated by all n existing devices and vice versa.
One of those n mutual authentications requires user interaction like scanning each other's QR code or comparing each other's key identifier by hand. That is the initial mutual manual authentication. The remaining authentications can be automated relying on the secure channel established by the inital mutual manual authentication and the secure channels already created by the same procedure between the rest of the devices.
For creating the described complete graph with n nodes, a total of T(n) = (n*(n-1))/2 ∊ O(n²) mutual authentications are needed. When using ATT, only T(n) = n-1 ∊ O(n) of them have to be made manually. All remaining authentications can be performed automatically. Thus, less user interaction is needed for authenticating all keys involved in the secure communication while preserving the same security level.
This section explains the basic procedure of autmomatically authenticating or revoking a key by a trust message. It does not specify the detailed behaviour which can be found in section Use Cases. Instead, this section should rather show the fundamental idea behind ATT.
Device 1 manually authenticates the key of device 2. Device 1 automatically sends an authentication message for device 2's key to devices whose keys it has already authenticated and another authentication message for the keys of those devices to device 2.
Device 2 manually authenticates the key of device 1. Device 2 automatically sends an authentication message for device 1's key to devices whose keys it has already authenticated and another authentication message for the keys of those devices to device 1.
Device 1 automatically authenticates the keys of the authentication message from device 2. Each device receiving an authentication message from device 1 automatically authenticates device 2's key, if device 1's key has already been authenticated by it. Each device receiving an authentication message from device 2 automatically authenticates the corresponding keys, if device 2's key has been authenticated by it.
Device 2 automatically authenticates the keys of the authentication message from device 1. Each device receiving an authentication message from device 2 automatically authenticates device 1's key, if device 2's key has already been authenticated by it. Each device receiving an authentication message from device 1 automatically authenticates the corresponding keys, if device 1's key has been authenticated by it.
Device 1 manually revokes the trust in the key of device 2. Device 1 automatically sends a revocation message for device 2's key to devices whose keys it has already authenticated. Each device receiving a revocation message from device 1 automatically revokes the trust in device 2's key, if device 1's key has already been authenticated by it.
A trust message contains an XMPP URI (see &xep0147;) defined by the following scheme:
Alice would like to use OMEMO when communicating with Bob. Alice has the devices A1, A2 and A3. Bob has the device B1. A1 has already authenticated A2's key. The other devices have not authenticated each other's key.
Note that the examples in the following use cases are consecutive and therefore must be read chronologically to properly understand them.
Example: A1 authenticates B1's key.
A device that manually authenticates the key of a contact's device MUST send an authentication message for
the key that has been authenticated, to each own device with an already authenticated key.
Example: A1 sends an authentication message for B1's key to A2.
each already authenticated key of all own devices, to the device whose key has been authenticated.
Example: A1 sends an authentication message for A2's key to B1.
A device that receives an authentication message for a key of a contact's device from
an own device
Example: A2 authenticates B1's key by the authentication message from A1 as soon as A2 authenticated A1's key.
or another device of that contact
Example: B1 authenticates A2's key by the authentication message from A1 as soon as B1 authenticated A1's key.
MUST authenticate the key as soon as the receiving device authenticated the key of the device which sent the authentication message.
Example: A2 has already authenticated A1's and B1's key. A2 authenticates A3's key.
A device that manually authenticates the key of an own device MUST send an authentication message for
the key that has been authenticated to each other device with an already authenticated key.
Example: A2 sends an authentication message for A3's key to A1 and B1.
each already authenticated key of all devices to the device whose key has been authenticated.
Example: A2 sends an authentication message for A1's and B1's key to A3.
A device that receives an authentication message for a key of an own device from another own device MUST authenticate the key as soon as the receiving device authenticated the key of the device which sent the authentication message.
Example: A1 authenticates A3's key by the authentication message from A2 as soon as A1 authenticated A2's key.
A client MAY send a revocation message for a key that is not trusted anymore by the sending client so that key will no longer be trusted by the receiving client. A client receiving a revocation message SHOULD revoke the trust in the corresponding key.
// TODO Further discussion has to take place before finalizing this section.
A client MUST save the information of a trust message until the key of the device which sent the trust message is authenticated, so that the key can then be authenticated or revoked. Afterwards the information of the trust message MAY be deleted.
Example: When Alice's device A1 authenticates the key of Bob's device B1, A1 sends a trust message containing the keys of Alice's other device A2 to B1. If B1 has not already authenticated A1's key, B1 stores the information provided by the trust message. B1 authenticates A1's key and is then able to automatically authenticate A2's key.
A client MUST save the information of a trust message until it has fetched the corresponding key so that the key can then be authenticated or revoked. Afterwards the information of the trust message can be deleted.
Example: Alice's device A1 receives an authentication message from Bob's device B1. That authentication message contains the key for Bob's other device B2. If A1 has not already fetched B2's key, A1 stores the information provided by the trust message. A1 fetches B2's key and is then able to automatically authenticate A2's key.
For reducing the number of trust messages sent to a device, a client MAY use a URI containing multiple keys that have been authenticated shortly after another.
Example: Alice's device A1 authenticates the keys of Bob's devices B1 and B2 after scanning Bob's QR code containing their key identifiers. A1 sends one authentication message for all of the authenticated keys.
Furthermore, a client MAY use &xep0280; for sending a trust message to all devices of a contact or to all own devices at once. Then, by sending a trust message to the contact, each device of the contact and each own device gets the same trust message by the server. Thus, a client needs to send the same trust message only once. If not all devices of the contact should receive the trust message, the trust message MAY be sent to specific devices of the contact but for all own devices Message Carbons MAY be used and vice versa. Even when a client does not already have a contact, the client MAY use Message Carbons for delivering a trust message to all own devices.
Example: Alice's device A1 authenticates the key of her device A2. A1 sends the trust message for A2's key only once to all of Alice's and Bob's devices by using Message Carbons.
Attention: In that context, sending a trust message to all devices of a contact or to all own devices does not mean to encrypt it with the keys of all those devices. Instead, it only means that all of those devices should receive the trust message even if it is not encrypted for some of them and thereby not decryptable by those devices. Keep in mind that a trust message MUST only be encrypted for devices with authenticated keys.
The drawback of using Message Carbons is that clients may show a message to the user that an OMEMO message received which has not been encrypted for the corresponding device.
A client that receives a trust message SHOULD NOT display its bare content to the user. Instead, the message SHOULD be hidden and the automatic authentication or revocation SHOULD take place in the background. After a successful authentication or revocation, the user MAY be informed of that event. The client MAY offer an option for requesting the user's confirmation before any automatic authentication or automatic revocation is performed.
It is more secure to be protected against passive attacks instead of not using any encryption. If it is not possible to authenticate a key before encrypting with it but it is desired to communicate with the key's device, it is RECOMMENDED to blindly trust new keys until the first authentication has been made.
Even ATT cannot protect the user against an attacker with a blindly trusted and undetected malicious key. For this reason it is important to take special care of the following security aspects.
If keys are blindly trusted until the first authentication, keys which are not authenticated by then MUST NOT be used any longer for encryption until they have been authenticated too. New keys MUST also only be used for encryption after they have been authenticated. Without these two additional precautions it is not possible to protect the user against attackers who introduced malicious keys before or after the first authentication.
REQUIRED.
REQUIRED.
REQUIRED for protocol specifications.