Moving forward: Forward Secrecy in OpenPGP

Justus Winter <justus@sequoia-pgp.org>
DeltaX, Freiburg, 2018-07-21
https://sequoia-pgp.org/talks/2018-08-moving-forward
(slides, 19 pages)
Forward Secrecy

- compromise of long-term keys does not compromise session keys
- not to be confused with Backward Secrecy (aka Future Secrecy, aka Post-Compromise Security)
- TLS (DHE-* suites), OTR, Signal, OMEMO
- in short:
  - use a Diffie-Hellman key exchange to derive session keys
  - use long-term keys to authenticate the exchange
- Forward Secrecy is a property of transport security
Data at rest vs. data in motion

- OpenPGP may also be used for backups, archives, etc.
- OpenPGP already supports this distinction: Key Flags [1] to the rescue
  - 0x04 - This key may be used to encrypt communications.
  - 0x08 - This key may be used to encrypt storage.

Compatibility:
  Sequoia ✓   GnuPG ✗   OpenKeychain ✗   openpgp.js ✗   rnp ✗

[1] Section 5.2.3.21 of RFC 4880
Approximating Forward Secrecy I

- suggested by Brown et al. in 2001 [2]
- use short-lived encryption subkeys
- generate and publish in advance
- trivial to implement, requires no changes to peers

  $ gpg -k futura
  pub   ed25519 2018-06-11 [SC] [expires: 2019-06-10]
        D2784F6DDEB59AB4162CCD3E0F08F2796B0B71E2
  uid           [ unknown] Futura Proofa <futura@example.org>
  [...]
  sub   cv25519 2018-07-23 [E] [expires: 2018-07-30]
  sub   cv25519 2018-07-16 [E] [expires: 2018-07-23]
  sub   cv25519 2018-07-09 [E] [expires: 2018-07-16]

[2] https://tools.ietf.org/html/draft-brown-pgp-pfs-03
Approximating Forward Secrecy II

- example: encryption subkeys valid for a week; publish half a year's worth of keys
- cons:
  - all messages sent in a week are encrypted using the same key
  - generating keys in advance opens a window for compromise
  - the gain only materialises if the recipient actually destroys each subkey's secret material once it has expired
- pros:
  - good backwards compatibility
  - way better than the status quo

Compatibility:
  Sequoia ✓   GnuPG ✓   OpenKeychain ✓   openpgp.js ✓   rnp ✗
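As an added illustration (not code from the slides or from Sequoia), the following Python sketches the two halves of Brown's scheme that the pros and cons above turn on: the sender picks whichever pre-published communication subkey is live right now, and the recipient destroys each subkey's secret material once it has expired. The certificate model, the key ids, the three-day grace period and the `rotation_schedule` helper are assumptions made for the example; the key flag values are the RFC 4880 ones quoted on the previous slide.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Key flag bits from RFC 4880, section 5.2.3.21 (the two the slides quote).
ENCRYPT_COMMS = 0x04    # may be used to encrypt communications (data in motion)
ENCRYPT_STORAGE = 0x08  # may be used to encrypt storage (data at rest)

FAR_FUTURE = datetime.max.replace(tzinfo=timezone.utc)


@dataclass
class Subkey:
    """Minimal model of an encryption subkey: id, key flags, validity window.
    (Constructed for this example; not an OpenPGP packet structure.)"""
    keyid: str
    flags: int
    created: datetime
    expires: Optional[datetime] = None   # None: never expires
    revoked: bool = False

    def valid_at(self, now: datetime) -> bool:
        if self.revoked or now < self.created:
            return False
        return self.expires is None or now < self.expires


def rotation_schedule(start: datetime, count: int,
                      lifetime: timedelta = timedelta(days=7)) -> List[Subkey]:
    """Pre-generate `count` back-to-back short-lived communication subkeys.
    The slide's 'half a year worth of keys' is count=26."""
    return [Subkey(keyid=f"E{i:02d}", flags=ENCRYPT_COMMS,
                   created=start + i * lifetime,
                   expires=start + (i + 1) * lifetime)
            for i in range(count)]


def select_encryption_subkey(subkeys: List[Subkey], purpose: int,
                             now: datetime) -> Subkey:
    """Sender side: choose the subkey to encrypt to.

    It must carry the requested flag and be valid now; among several
    candidates prefer the one that expires soonest, so a later compromise
    of that key exposes the shortest possible window of traffic."""
    candidates = [k for k in subkeys if k.flags & purpose and k.valid_at(now)]
    if not candidates:
        # The published schedule is exhausted: the owner must publish new
        # subkeys before the last one expires, or encrypted mail stops.
        raise LookupError("no live subkey with flags 0x%02x at %s"
                          % (purpose, now.isoformat()))
    return min(candidates, key=lambda k: k.expires or FAR_FUTURE)


def secrets_to_destroy(subkeys: List[Subkey], now: datetime,
                       grace: timedelta = timedelta(days=3)) -> List[str]:
    """Recipient side: the approximation only becomes forward secrecy when the
    secret half of an expired subkey is actually destroyed.  The grace period
    (an assumption here) lets mail that was in transit at expiry still be read."""
    return [k.keyid for k in subkeys
            if k.expires is not None and k.expires + grace <= now]
```

The storage key never appears in `secrets_to_destroy`, which is exactly the data-at-rest/data-in-motion split of the previous slide: only the 0x04 keys are rotated and discarded.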
Interlude: Multi-device support

OpenPGP lacks a convincing story for multi-device support. Two options [3]:

1. sharing decryption-capable keys across devices
   + hides the number of devices
   - requires synchronization between co-agents
2. distinct per-device decryption-capable keys
   + requires synchronization only at setup
   ± requires synchronization with remote peers
   + still possible to hide the number of devices by sharing
   - requires minor modifications
   - size of the certificate
   - complexity

p≡p and Autocrypt synchronize using hidden mails. OpenPGP is transport protocol independent: how does that work in practice?

[3] dkg's post to the MLS list
Simple per-device encryption keys

  $ gpg -k two
  pub   ed25519 2018-06-08 [SC] [expires: 2019-06-07]
        2B7757D8AF283468A0574699910E554478CCDE00
  uid           [ unknown] Two Fish <two@example.org>
  sub   cv25519 2018-06-08 [E] [expires: 2019-06-07]
  sub   cv25519 2018-06-08 [E] [expires: 2019-06-07]

Compatibility:
  Sequoia ✓   GnuPG ✗   OpenKeychain ✓   openpgp.js ✗   rnp ✗
Certification-capable subkeys

- short-lived encryption subkeys require recurrent synchronization
- our proposal [4]: use a set of keys per device:
  - a certification subkey to issue the device's own subkeys
  - a signing subkey
  - n encryption subkeys
- use e.g. a QR code containing an encrypted key and a binding signature to provision a new device
- requires clarification in the RFC, minor changes in implementations

Compatibility:
  Sequoia ✗   GnuPG ✗   OpenKeychain ✗   openpgp.js ✗   rnp ✓

[4] Post to openpgp@ietf.org
Per-device keys: Example

Example key ([Er]: encrypt storage, flag 0x08; [Et]: encrypt communications, flag 0x04):

  primary key [C]
    subkey [Er]
    subkey [A]
    subkey [C] desktop
      subkey [S]
      n subkeys [Et]
      subkey [C] laptop
        subkey [S]
        n subkeys [Et]
      subkey [C] mobile phone
        subkey [S]
        n subkeys [Et]

- new key, maybe on a Gnuk
- commission desktop
- commission laptop from desktop
- commission phone from desktop
- decommissioning the desktop recursively decommissions all devices certified by it
Per-device keys: Example (continued)

  primary key [C]
    subkey [Er]
    subkey [A]
    subkey [C] desktop (decommissioned)
      subkey [S]
      n subkeys [Et]
    subkey [C] laptop
      subkey [S]
      n subkeys [Et]
      subkey [C] mobile phone
        subkey [S]
        n subkeys [Et]

- the desktop is decommissioned
- commission the laptop again, from the Gnuk
- commission the phone from the laptop
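The commissioning and decommissioning walk-through above, replayed in Python as an added example (not Sequoia code, and not a real OpenPGP certificate). The data model is an assumption: each key remembers the certification-capable key whose binding signature brought it into the certificate, and a key is live only if no link in that chain is revoked, which is what makes decommissioning recursive.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Key:
    """A (sub)key in the certificate.  `issuer` is the certification-capable
    key whose binding signature brought this key in (None for the primary)."""
    name: str
    flags: str                    # slide notation: C, S, A, Er, Et
    issuer: Optional["Key"]
    revoked: bool = False


class Certificate:
    def __init__(self, primary_name: str):
        self.primary = Key(primary_name, "C", None)
        self.keys: Dict[str, Key] = {primary_name: self.primary}
        self.seq = 0              # makes re-commissioned device names unique

    def is_valid(self, key: Key) -> bool:
        """Walk the chain of certifiers up to the primary; a revoked link
        invalidates everything below it (recursive decommissioning)."""
        while key is not None:
            if key.revoked:
                return False
            key = key.issuer
        return True

    def can_certify(self, name: str) -> bool:
        k = self.keys[name]
        return "C" in k.flags and self.is_valid(k)

    def add(self, name: str, flags: str, issuer_name: str) -> Key:
        if not self.can_certify(issuer_name):
            raise PermissionError(f"{issuer_name} may not certify subkeys")
        key = Key(name, flags, self.keys[issuer_name])
        self.keys[name] = key
        return key

    def commission_device(self, device: str, issuer_name: str,
                          n_enc: int = 3) -> str:
        """Give a device its own [C] subkey, then let that subkey certify the
        device's signing subkey and n transport-encryption subkeys."""
        self.seq += 1
        dev = self.add(f"{device}#{self.seq} [C]", "C", issuer_name)
        self.add(f"{device}#{self.seq} [S]", "S", dev.name)
        for i in range(n_enc):
            self.add(f"{device}#{self.seq} [Et{i}]", "Et", dev.name)
        return dev.name

    def decommission(self, name: str) -> None:
        """Revoke one key; everything it transitively certified dies with it."""
        self.keys[name].revoked = True

    def live_keys(self, flags: str) -> List[str]:
        return sorted(k.name for k in self.keys.values()
                      if k.flags == flags and self.is_valid(k))


def build_example() -> Certificate:
    """Replay the slides: new key on a Gnuk; desktop, then laptop and phone
    from the desktop; desktop decommissioned; laptop re-commissioned from the
    Gnuk and the phone from the laptop."""
    cert = Certificate("primary [C] (Gnuk)")
    cert.add("archive [Er]", "Er", cert.primary.name)
    cert.add("auth [A]", "A", cert.primary.name)
    desktop = cert.commission_device("desktop", cert.primary.name)   # desktop#1
    cert.commission_device("laptop", desktop)                        # laptop#2
    cert.commission_device("phone", desktop)                         # phone#3
    cert.decommission(desktop)                 # takes laptop#2 and phone#3 down
    laptop = cert.commission_device("laptop", cert.primary.name)     # laptop#4
    cert.commission_device("phone", laptop)                          # phone#5
    return cert
```

Note what the desktop's revocation does and does not touch: the archive [Er] and auth [A] subkeys hang directly off the primary and stay live, so mail encrypted to the long-term archive key remains readable while every transport key the desktop ever vouched for is gone.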
Signal's Double Ratchet

- DH and KDF ratchets to derive session keys [a]
- also provides Backward Secrecy
- sending and receiving ratchets
- SK derived from the KDF ratchet
- the DH ratchet ping-pongs
- per-device keys: one Double Ratchet per device pair
- Signal and OMEMO use a server for the initial DH keys

[a] Double Ratchet specification
Ditching the server

Initial message:
  PKESK
  SEIP {
    OPS
    Literal data
    Signature + DRInit
    MDC
  }

- Signal/OMEMO: generate n DH keys on the devices and publish them; the initiator picks one from the server (nasty race condition in OMEMO)
- our idea: ditch the server
  - sacrifice protecting the first mail
  - include the initialization in a traditional OpenPGP encrypted message
- multiple devices: the initiator generates all keys for one's own devices and encrypts these keys with the per-device encryption subkeys
Double Ratchet initialization: setting

Alice has two devices, a laptop (L) and a phone (P); Bob has a desktop (D). Alice wants to send Bob a message from her laptop; they have not used the ratchet algorithm before. Three ratchets: (L,D), (P,D) and (L,P).

[Figure: the three devices L, P and D as a triangle; each pair (X,Y) exchanges the DH pairs DH_XY and DH_YX and shares one ratchet R(XY): R(LD), R(LP) and R(PD).]
Double Ratchet initialization I

Alice generates four DH pairs: two for the laptop, two for the phone. Alice sends a SEIP container with the message and the DH keys.

Alice_L -> Bob:
  DRInit{ pub: [DH^pub_LD, DH^pub_PD],
          sec: [Enc_P(Sgn_L(DH_PD, DH_PL, DH^pub_LP))] }
Double Ratchet initialization II

Bob generates two DH key pairs and initializes his ratchets. Bob sends his DH public keys and reflects all secrets.

Bob -> Alice:
  DRESK{ pub: DH^pub_DL, sec: Enc_P(Sgn_L(DH_PD, DH_PL, DH^pub_LP)), esk }
  DRESK{ pub: DH^pub_DP, sec: Enc_P(Sgn_L(DH_PD, DH_PL, DH^pub_LP)), esk }
Double Ratchet initialization III

Alice's phone decrypts the initial DH key pairs generated on the laptop and uses them to initialize her ratchets. The Double Ratchet algorithm initialization is now complete. To send more messages, she advances her two phone ratchets by creating two new DH pairs.

Alice_P -> Bob:
  DRESK{ pub: DH'^pub_PD, sec: ∅, esk: Cipher_R(PD)(SK), PN, Ns }
  DRESK{ pub: DH'^pub_PL, sec: ∅, esk: Cipher_R(PL)(SK), PN, Ns }
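The three steps above as an added simulation in standard-library Python; this is not Sequoia code and not the slides' own implementation. It covers the two ratchets that involve Bob, (L,D) and (P,D); the (L,P) ratchet between Alice's own devices is set up the same way and is left out. Assumptions made here: Diffie-Hellman runs in a toy modular-exponentiation group (insecure, for illustration), the shared secret that Signal takes from X3DH is replaced by a fixed constant so the first root-chain step draws its entropy from the DRInit/DRESK pairs alone, the `sec` blob is handed to the phone as-is instead of as Enc_P(Sgn_L(...)), and an HMAC-based encrypt-then-MAC stands in for an AEAD. Bob's desktop plays the Double Ratchet initiator for both ratchets, which is what lets his DRESK already carry an esk.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (Mersenne prime, small generator): INSECURE, for
# illustration only; a real implementation would use X25519.
P = 2 ** 127 - 1
G = 3
SK0 = b"\x00" * 32  # stands in for the X3DH output Signal would use (assumption)


def dh_keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def kdf_rk(rk, dh_out):
    """Root chain step: returns (new root key, new chain key)."""
    out = hmac.new(rk, dh_out, hashlib.sha512).digest()
    return out[:32], out[32:]


def kdf_ck(ck):
    """Symmetric chain step: returns (new chain key, message key)."""
    return (hmac.new(ck, b"\x01", hashlib.sha256).digest(),
            hmac.new(ck, b"\x02", hashlib.sha256).digest())


def _stream(mk, n):
    blocks = [hashlib.sha256(mk + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(mk, pt):
    """Encrypt-then-MAC under the message key (stand-in for an AEAD)."""
    ct = bytes(a ^ b for a, b in zip(pt, _stream(mk, len(pt))))
    return ct + hmac.new(mk, ct, hashlib.sha256).digest()


def open_(mk, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(mk, len(ct))))


class Ratchet:
    """One Double Ratchet for one device pair.  Messages are assumed to arrive
    in order, so the spec's cache of skipped message keys is omitted."""

    def __init__(self, own_pair, peer_pub=None):
        self.dhs, self.dhr, self.rk = own_pair, peer_pub, SK0
        self.cks = self.ckr = None
        self.ns = self.nr = self.pn = 0
        if peer_pub is not None:  # initiator: a sending chain exists right away
            self.rk, self.cks = kdf_rk(self.rk, dh(self.dhs[0], peer_pub))

    def encrypt(self, pt):
        self.cks, mk = kdf_ck(self.cks)
        header = (self.dhs[1], self.pn, self.ns)  # DH^pub, PN, Ns as in DRESK
        self.ns += 1
        return header, seal(mk, pt)

    def decrypt(self, header, blob):
        peer_pub = header[0]
        if peer_pub != self.dhr:  # DH ratchet step: new receiving, then sending chain
            self.pn, self.ns, self.nr, self.dhr = self.ns, 0, 0, peer_pub
            self.rk, self.ckr = kdf_rk(self.rk, dh(self.dhs[0], self.dhr))
            self.dhs = dh_keygen()
            self.rk, self.cks = kdf_rk(self.rk, dh(self.dhs[0], self.dhr))
        self.ckr, mk = kdf_ck(self.ckr)
        self.nr += 1
        return open_(mk, blob)  # mk is not retained: a later compromise reveals nothing


def run_initialization():
    """Steps I-III of the slides for the two ratchets that involve Bob."""
    # I.  Alice's laptop generates DH_LD and DH_PD and sends DRInit.  DH_PD travels
    #     in 'sec' (Enc_P(Sgn_L(...)) on the wire; handed to the phone as-is here).
    dh_ld, dh_pd = dh_keygen(), dh_keygen()
    drinit = {"pub": [dh_ld[1], dh_pd[1]], "sec": {"DH_PD": dh_pd}}
    # II. Bob's desktop generates DH_DL and DH_DP, initialises both ratchets as
    #     initiator and answers with one DRESK per Alice device, reflecting 'sec'.
    r_dl = Ratchet(dh_keygen(), drinit["pub"][0])
    r_dp = Ratchet(dh_keygen(), drinit["pub"][1])
    bob_sk = secrets.token_bytes(32)  # session key of Bob's reply mail
    dresk_l = (r_dl.encrypt(bob_sk), drinit["sec"])
    dresk_p = (r_dp.encrypt(bob_sk), drinit["sec"])
    r_ld = Ratchet(dh_ld)  # laptop: responder for (L,D)
    sk_laptop = r_ld.decrypt(*dresk_l[0])
    # III. The phone recovers DH_PD from the reflected blob and becomes the responder
    #      for (P,D); decrypt() ran the DH step, so its reply already carries DH'_PD.
    r_pd = Ratchet(dresk_p[1]["DH_PD"])
    sk_phone = r_pd.decrypt(*dresk_p[0])
    phone_sk = secrets.token_bytes(32)
    header, esk = r_pd.encrypt(phone_sk)
    sk_bob = r_dp.decrypt(header, esk)
    return {"laptop_ok": sk_laptop == bob_sk, "phone_ok": sk_phone == bob_sk,
            "bob_ok": sk_bob == phone_sk, "phone_ratcheted": header[0] != dh_pd[1]}
```

The `header` tuple is the (pub, PN, Ns) triple of the DRESK packets above, and the `esk` returned by `encrypt` is Cipher_R(XY)(SK): in a real message it would wrap the session key of an ordinary SEIP container, so the OpenPGP payload format stays unchanged and only the key-encapsulation packet is new.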
Double Ratchet in OpenPGP

What is needed to implement Forward Secrecy using the Double Ratchet algorithm?

- per-device keys
- two new packets, DRInit and DRESK
- keeping a lot of state in implementations

Juicy, but tricky. So let's go for Brown's short-lived encryption subkeys version first.

Ask questions! Get involved! Let's get Forward Secrecy into OpenPGP!

Check out our repository of weird keys [5].

[5] https://gitlab.com/sequoia-pgp/weird-keys
Bonus: Long-term Storage

Users expect to be able to read past mails. Two options:

- store session keys
  - we (Sequoia) want to do that anyway, for speed
  - compromise of the session key store compromises the messages
  - need to purge the session key if the message is deleted (deletability)
  - requires one-time synchronization for new devices
- re-encrypt with a long-term archive key
  - not desirable if messages are on a server (IMAP)
Bonus: Privacy-preserving keyservers

- critical for revocations, key renewals, new keys
- traditional keyservers are problematic:
  - expose the social graph
  - expose names / email addresses
- idea: strip 3rd-party certificates and UIDs

Compatibility:
                Sequoia   GnuPG   OpenKeychain   openpgp.js   rnp
  null-uid        ✓         ✓          ✓             ✓         ✗
  no-bound-uid    ✓         ✗          ✗             ✗         ✗
  no-uid          ✓         ✗          ✗             ✗         ✗
  direct-key      ✗         ✗          ✗             ✓
Page 2
Forward Secrecy
compromise of long-term keys does not compromise session keysnot Backward Secrecy aka Future Secrecy aka Post CompromiseSecurity
TLS (DHE-) OTR Signal OMEMOin short
use Diffie-Hellman key exchange to derive session keysuse long-term keys to authenticate the exchange
Forward Secrecy is a property of transport security
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 2 19
Data at rest vs data in motion
OpenPGP may also be used for backups archives etcOpenPGP already supports this distinction
Key Flags1 to the rescue
0x04 - This key may be used to encrypt communications
0x08 - This key may be used to encrypt storage
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp3 7 7 7 7
1Section 52321 of RFC4880Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 3 19
Approximating Forward Secrecy I
suggested by Brown et al in 20012
use short-lived encryption subkeysgenerate and publish in advancetrivial to implement requires no changes to peers
gpg -k futurapub ed25519 2018-06-11 [SC] [expires 2019-06-10]
D2784F6DDEB59AB4162CCD3E0F08F2796B0B71E2uid [ unknown] Futura Proofa ltfuturaexampleorggt[]sub cv25519 2018-07-23 [E] [expires 2018-07-30]sub cv25519 2018-07-16 [E] [expires 2018-07-23]sub cv25519 2018-07-09 [E] [expires 2018-07-16]
2httpstoolsietforghtmldraft-brown-pgp-pfs-03Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 4 19
Approximating Forward Secrecy II
exampleencryption keys valid for a weekpublish half a year worth of keys
consall messages sent in a week are encrypted using the same keygenerating keys in advance is a window for compromise
prosgood backwards compatibilityway better than the status quo
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp3 3 3 3 7
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 5 19
Interludum Multi-device support
OpenPGP lacks a convincing story for multi-device support Two options31 sharing decryption-capable keys across devices
+ hides number of devicesndash requires synchronization between co-agents
2 distinct per-device decryption-capable keys+ requires synchronization only at setupplusmn requires synchronization with remote peers+ still possible to hide number of devices by sharingndash requires minor modificationsndash size of the certificatendash complexity
pequivp and Autocrypt synchronize using hidden mailsOpenPGP is transport protocol independenthow does that work in practice
3dkgrsquos post to the MLS listJustus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 6 19
Simple per-device encryption keys
gpg -k twopub ed25519 2018-06-08 [SC] [expires 2019-06-07]
2B7757D8AF283468A0574699910E554478CCDE00uid [ unknown] Two Fish lttwoexampleorggtsub cv25519 2018-06-08 [E] [expires 2019-06-07]sub cv25519 2018-06-08 [E] [expires 2019-06-07]
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp3 7 3 7 7
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 7 19
Certification-capable subkeys
short-lived encryption subkeys require recurrent synchronizationour proposal4
use a set of keys per devicea certification subkey to issue their own subkeysa signing subkeyn encryption subkeys
use eg a QR-code containing an encrypted key and a bindingsignature to provision a new devicerequires clarification in the RFC minor changes in implementations
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp7 7 7 7 3
4Post to openpgpietforgJustus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 8 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]
subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Signalrsquos Double Ratchet
DH and KDFs ratchets toderive session keysa
also provides Backward Secrecysending and receiving ratchetsSK derived from KDF ratchetDH ratchet pingpongsper device keysone DR per device pairSignal and OMEMO use aserver for initial DH keys
aDouble Ratchet specification
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 11 19
Ditching the server
Initial messagePKESKSEIP
OPSLiteraldataSignature+DRInitMDC
SignalOMEMOgenerate n DH keys on devices publishinitiator picks one from the servernasty race condition in OMEMO
our ideaditch the server
sacrifice protecting the first mailinclude initialization in a traditionalOpenPGP encrypted message
multiple devicesinitiator generates all keys for onersquos owndevicesencrypts these keys with the per-deviceencryption subkeys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 12 19
Double Ratchet initialization - setting
Alice has two devices a laptop (L) and a phone (P) Bob has a desktop(D) Alice wants to send Bob a message from her laptop they have notused the ratchet algorithm before 3 ratchets (LD) (PD) and (LP)
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 13 19
Double Ratchet initialization I
Alice generates four DH pairsTwo for the laptop two for thephoneAlice sends a SEIP containerwith the message and the DHkeys
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceL -gt Bob
DRInitpub [DHpubLD DH
pubPD] sec [EncP(SgnL(DHPD DHPL DH
pubLP))]
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 14 19
Double Ratchet initialization II
Bob generates two DH keypairs initializes his ratchetsBob sends his DH public keyand reflects all secrets
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Bob -gt Alice
DRESKpub DHpubDL sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
DRESKpub DHpubDP sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 15 19
Double Ratchet initialization III
Alicersquos phone decrypts theinitial DH key pairs generatedon the desktop and uses themto initialize her ratchetsThe Double Ratchet algorithminitialization is now completeTo send more messages sheadvances her two phoneratchets by creating two newDH pairs
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceP -gt Bob
DRESKpub DHrsquopubPD sec empty esk CipherR(PD)(SK) PN Ns
DRESKpub DHrsquopubPL sec empty esk CipherR(PL)(SK) PN Ns
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 16 19
Double Ratchet in OpenPGP
What is needed to implement Forward Secrecy using the Double Ratchetalgorithm
per-device keystwo new packets DRInit and DRESKkeeping a lot of state in implementations
Juicy but tricky So letrsquos go for Brownrsquos short-lived encryption subkeysversion first
Ask questions Get involved Letrsquos get Forward Secrecy into OpenPGP
Checkout our repository of weird keys55httpsgitlabcomsequoia-pgpweird-keys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 17 19
Bonus Long-term Storage
Users expect to be able to read past mails Two optionsstore session keys
we (Sequoia) want to do that anyway for speedcompromise of session key store compromises messagesneed to purge session key if message is deleted
deletability
requires one-time synchronization for new devicesre-encrypt with long-term archive key
not desirable if messages are on a server (IMAP)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 18 19
Bonus Privacy-preserving keyservers
critical for revocationskey renewalsnew keystraditional keyservers are problematic
expose the social graphexpose namesemail addresses
idea strip 3rd-party-certificates uids
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnpnull-uid 3 3 3 3 7
no-bound-uid 3 7 7 7 7
no-uid 3 7 7 7 7
direct-key 7 7 7 3
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 19 19
Page 3
Data at rest vs data in motion
OpenPGP may also be used for backups archives etcOpenPGP already supports this distinction
Key Flags1 to the rescue
0x04 - This key may be used to encrypt communications
0x08 - This key may be used to encrypt storage
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp3 7 7 7 7
1Section 52321 of RFC4880Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 3 19
Approximating Forward Secrecy I
suggested by Brown et al in 20012
use short-lived encryption subkeysgenerate and publish in advancetrivial to implement requires no changes to peers
gpg -k futurapub ed25519 2018-06-11 [SC] [expires 2019-06-10]
D2784F6DDEB59AB4162CCD3E0F08F2796B0B71E2uid [ unknown] Futura Proofa ltfuturaexampleorggt[]sub cv25519 2018-07-23 [E] [expires 2018-07-30]sub cv25519 2018-07-16 [E] [expires 2018-07-23]sub cv25519 2018-07-09 [E] [expires 2018-07-16]
2httpstoolsietforghtmldraft-brown-pgp-pfs-03Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 4 19
Approximating Forward Secrecy II
exampleencryption keys valid for a weekpublish half a year worth of keys
consall messages sent in a week are encrypted using the same keygenerating keys in advance is a window for compromise
prosgood backwards compatibilityway better than the status quo
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp3 3 3 3 7
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 5 19
Interludum Multi-device support
OpenPGP lacks a convincing story for multi-device support Two options31 sharing decryption-capable keys across devices
+ hides number of devicesndash requires synchronization between co-agents
2 distinct per-device decryption-capable keys+ requires synchronization only at setupplusmn requires synchronization with remote peers+ still possible to hide number of devices by sharingndash requires minor modificationsndash size of the certificatendash complexity
pequivp and Autocrypt synchronize using hidden mailsOpenPGP is transport protocol independenthow does that work in practice
3dkgrsquos post to the MLS listJustus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 6 19
Simple per-device encryption keys
gpg -k twopub ed25519 2018-06-08 [SC] [expires 2019-06-07]
2B7757D8AF283468A0574699910E554478CCDE00uid [ unknown] Two Fish lttwoexampleorggtsub cv25519 2018-06-08 [E] [expires 2019-06-07]sub cv25519 2018-06-08 [E] [expires 2019-06-07]
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp3 7 3 7 7
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 7 19
Certification-capable subkeys
short-lived encryption subkeys require recurrent synchronizationour proposal4
use a set of keys per devicea certification subkey to issue their own subkeysa signing subkeyn encryption subkeys
use eg a QR-code containing an encrypted key and a bindingsignature to provision a new devicerequires clarification in the RFC minor changes in implementations
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp7 7 7 7 3
4Post to openpgpietforgJustus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 8 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]
subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Signalrsquos Double Ratchet
DH and KDFs ratchets toderive session keysa
also provides Backward Secrecysending and receiving ratchetsSK derived from KDF ratchetDH ratchet pingpongsper device keysone DR per device pairSignal and OMEMO use aserver for initial DH keys
aDouble Ratchet specification
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 11 19
Ditching the server
Initial messagePKESKSEIP
OPSLiteraldataSignature+DRInitMDC
SignalOMEMOgenerate n DH keys on devices publishinitiator picks one from the servernasty race condition in OMEMO
our ideaditch the server
sacrifice protecting the first mailinclude initialization in a traditionalOpenPGP encrypted message
multiple devicesinitiator generates all keys for onersquos owndevicesencrypts these keys with the per-deviceencryption subkeys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 12 19
Double Ratchet initialization - setting
Alice has two devices a laptop (L) and a phone (P) Bob has a desktop(D) Alice wants to send Bob a message from her laptop they have notused the ratchet algorithm before 3 ratchets (LD) (PD) and (LP)
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 13 19
Double Ratchet initialization I

Alice generates four DH pairs: two for the laptop, two for the phone. Alice sends a SEIP container with the message and the DH keys.

[Figure: device triangle as on the setting slide]

Alice_L -> Bob:
  DRInit{pub: [DH^pub_LD, DH^pub_PD], sec: [Enc_P(Sgn_L(DH_PD, DH_PL, DH^pub_LP))]}
Double Ratchet initialization II

Bob generates two DH key pairs, initializes his ratchets. Bob sends his DH public key and reflects all secrets.

[Figure: device triangle as on the setting slide]

Bob -> Alice:
  DRESK{pub: DH^pub_DL, sec: Enc_P(Sgn_L(DH_PD, DH_PL, DH^pub_LP)), esk}
  DRESK{pub: DH^pub_DP, sec: Enc_P(Sgn_L(DH_PD, DH_PL, DH^pub_LP)), esk}
Double Ratchet initialization III

Alice's phone decrypts the initial DH key pairs generated on the desktop and uses them to initialize her ratchets. The Double Ratchet algorithm initialization is now complete. To send more messages, she advances her two phone ratchets by creating two new DH pairs.

[Figure: device triangle as on the setting slide]

Alice_P -> Bob:
  DRESK{pub: DH'^pub_PD, sec: empty, esk: Cipher_R(PD)(SK), PN, Ns}
  DRESK{pub: DH'^pub_PL, sec: empty, esk: Cipher_R(PL)(SK), PN, Ns}
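The three initialization steps above, together with the "ditch the server" idea they implement, as an added toy model that is not code from the talk or from Sequoia: the laptop generates all four DH pairs, ships the phone's pairs inside the DRInit encrypted to the phone's encryption subkey, Bob reflects that envelope in his DRESKs, and at the end every device pair holds the same ratchet root. The DH group, the envelope cipher standing in for Enc_P and the dict message layouts are all constructed for illustration (not OpenPGP packets, not secure), and the Sgn_L signature layer is omitted.

```python
"""Toy model of the server-less Double Ratchet initialisation from the slides.

Devices: Alice's laptop L and phone P, Bob's desktop D.  The DH group, the
envelope cipher standing in for Enc_P, and the dict message layouts are all
constructed for illustration; they are not OpenPGP packets and not secure.
The Sgn_L signature layer is omitted, so only key distribution is modelled."""
import hashlib
import secrets

# Constructed toy group: a 61-bit Mersenne prime and a small generator.
P = (1 << 61) - 1
G = 5


def dh_keygen():
    """Return (secret, public) for one toy DH pair."""
    sec = secrets.randbelow(P - 2) + 1
    return sec, pow(G, sec, P)


def dh_shared(sec, peer_pub):
    """Raw DH shared secret as 8 bytes."""
    return pow(peer_pub, sec, P).to_bytes(8, "big")


def kdf(label, *parts):
    """Domain-separated SHA-256 over the given byte strings."""
    h = hashlib.sha256(label.encode())
    for part in parts:
        h.update(part)
    return h.digest()


def ratchet_root(sec, peer_pub):
    """Initial root key R(XY) of the ratchet between the owner of `sec` and `peer_pub`."""
    return kdf("ratchet-root", dh_shared(sec, peer_pub))


def encrypt_to(device_pub, plaintext):
    """Stand-in for Enc_P: ephemeral DH with the device's encryption subkey, XOR keystream."""
    eph_sec, eph_pub = dh_keygen()
    stream = kdf("envelope", dh_shared(eph_sec, device_pub))
    assert len(plaintext) <= len(stream)
    return eph_pub, bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt_with(device_sec, envelope):
    eph_pub, ciphertext = envelope
    stream = kdf("envelope", dh_shared(device_sec, eph_pub))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def pack(*values):
    return b"".join(v.to_bytes(8, "big") for v in values)


def unpack(blob):
    return [int.from_bytes(blob[i:i + 8], "big") for i in range(0, len(blob), 8)]


def run_initialization():
    """Return the ratchet root keys each device ends up with, keyed by ratchet name."""
    # Long-term encryption subkey of Alice's phone (what Enc_P targets).
    phone_enc_sec, phone_enc_pub = dh_keygen()

    # Initialization I: Alice's laptop generates all four DH pairs, two per own device.
    dh_LD, dh_PD, dh_LP, dh_PL = (dh_keygen() for _ in range(4))
    for_phone = pack(dh_PD[0], dh_PL[0], dh_LP[1])   # DH_PD, DH_PL and DH^pub_LP
    dr_init = {"pub": [dh_LD[1], dh_PD[1]],
               "sec": encrypt_to(phone_enc_pub, for_phone)}
    laptop = {"R(LP)": ratchet_root(dh_LP[0], dh_PL[1])}   # L holds both LP pairs

    # Initialization II: Bob makes DH_DL and DH_DP, initialises R(LD) and R(PD),
    # and answers with one DRESK per Alice device, reflecting the encrypted secrets.
    dh_DL, dh_DP = dh_keygen(), dh_keygen()
    bob = {"R(LD)": ratchet_root(dh_DL[0], dr_init["pub"][0]),
           "R(PD)": ratchet_root(dh_DP[0], dr_init["pub"][1])}
    dresk_L = {"pub": dh_DL[1], "sec": dr_init["sec"]}
    dresk_P = {"pub": dh_DP[1], "sec": dr_init["sec"]}
    laptop["R(LD)"] = ratchet_root(dh_LD[0], dresk_L["pub"])

    # Initialization III: the phone decrypts its pairs and derives its two roots.
    sec_PD, sec_PL, pub_LP = unpack(decrypt_with(phone_enc_sec, dresk_P["sec"]))
    phone = {"R(PD)": ratchet_root(sec_PD, dresk_P["pub"]),
             "R(LP)": ratchet_root(sec_PL, pub_LP)}
    return laptop, phone, bob


def ratchets_agree(laptop, phone, bob):
    """Every device pair shares one root, and the three roots are distinct."""
    roots = {laptop["R(LD)"], phone["R(PD)"], laptop["R(LP)"]}
    return (laptop["R(LD)"] == bob["R(LD)"] and phone["R(PD)"] == bob["R(PD)"]
            and laptop["R(LP)"] == phone["R(LP)"] and len(roots) == 3)


if __name__ == "__main__":
    print("ratchets agree:", ratchets_agree(*run_initialization()))
```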
Double Ratchet in OpenPGP

What is needed to implement Forward Secrecy using the Double Ratchet algorithm?
- per-device keys
- two new packets: DRInit and DRESK
- keeping a lot of state in implementations

Juicy, but tricky. So let's go for Brown's short-lived encryption subkeys version first.

Ask questions! Get involved! Let's get Forward Secrecy into OpenPGP!

Check out our repository of weird keys [5]

[5] https://gitlab.com/sequoia-pgp/weird-keys
Bonus: Long-term Storage

Users expect to be able to read past mails. Two options:
- store session keys
  - we (Sequoia) want to do that anyway for speed
  - compromise of session key store compromises messages
  - need to purge session key if message is deleted: deletability
  - requires one-time synchronization for new devices
- re-encrypt with long-term archive key
  - not desirable if messages are on a server (IMAP)
Bonus: Privacy-preserving keyservers

- critical for revocations, key renewals, new keys
- traditional keyservers are problematic
  - expose the social graph
  - expose names/email addresses
- idea: strip 3rd-party certificates, uids

Compatibility:

                 Sequoia  GnuPG  OpenKeychain  openpgpjs  rnp
  null-uid       ✓        ✓      ✓             ✓          ✗
  no-bound-uid   ✓        ✗      ✗             ✗          ✗
  no-uid         ✓        ✗      ✗             ✗          ✗
  direct-key     ✗        ✗      ✗             ✓
Page 4
Approximating Forward Secrecy I
suggested by Brown et al in 20012
use short-lived encryption subkeysgenerate and publish in advancetrivial to implement requires no changes to peers
gpg -k futurapub ed25519 2018-06-11 [SC] [expires 2019-06-10]
D2784F6DDEB59AB4162CCD3E0F08F2796B0B71E2uid [ unknown] Futura Proofa ltfuturaexampleorggt[]sub cv25519 2018-07-23 [E] [expires 2018-07-30]sub cv25519 2018-07-16 [E] [expires 2018-07-23]sub cv25519 2018-07-09 [E] [expires 2018-07-16]
2httpstoolsietforghtmldraft-brown-pgp-pfs-03Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 4 19
Approximating Forward Secrecy II
exampleencryption keys valid for a weekpublish half a year worth of keys
consall messages sent in a week are encrypted using the same keygenerating keys in advance is a window for compromise
prosgood backwards compatibilityway better than the status quo
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp3 3 3 3 7
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 5 19
Interludum Multi-device support
OpenPGP lacks a convincing story for multi-device support Two options31 sharing decryption-capable keys across devices
+ hides number of devicesndash requires synchronization between co-agents
2 distinct per-device decryption-capable keys+ requires synchronization only at setupplusmn requires synchronization with remote peers+ still possible to hide number of devices by sharingndash requires minor modificationsndash size of the certificatendash complexity
pequivp and Autocrypt synchronize using hidden mailsOpenPGP is transport protocol independenthow does that work in practice
3dkgrsquos post to the MLS listJustus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 6 19
Simple per-device encryption keys
gpg -k twopub ed25519 2018-06-08 [SC] [expires 2019-06-07]
2B7757D8AF283468A0574699910E554478CCDE00uid [ unknown] Two Fish lttwoexampleorggtsub cv25519 2018-06-08 [E] [expires 2019-06-07]sub cv25519 2018-06-08 [E] [expires 2019-06-07]
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp3 7 3 7 7
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 7 19
Certification-capable subkeys
short-lived encryption subkeys require recurrent synchronizationour proposal4
use a set of keys per devicea certification subkey to issue their own subkeysa signing subkeyn encryption subkeys
use eg a QR-code containing an encrypted key and a bindingsignature to provision a new devicerequires clarification in the RFC minor changes in implementations
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp7 7 7 7 3
4Post to openpgpietforgJustus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 8 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]
subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Signalrsquos Double Ratchet
DH and KDFs ratchets toderive session keysa
also provides Backward Secrecysending and receiving ratchetsSK derived from KDF ratchetDH ratchet pingpongsper device keysone DR per device pairSignal and OMEMO use aserver for initial DH keys
aDouble Ratchet specification
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 11 19
Ditching the server
Initial messagePKESKSEIP
OPSLiteraldataSignature+DRInitMDC
SignalOMEMOgenerate n DH keys on devices publishinitiator picks one from the servernasty race condition in OMEMO
our ideaditch the server
sacrifice protecting the first mailinclude initialization in a traditionalOpenPGP encrypted message
multiple devicesinitiator generates all keys for onersquos owndevicesencrypts these keys with the per-deviceencryption subkeys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 12 19
Double Ratchet initialization - setting
Alice has two devices a laptop (L) and a phone (P) Bob has a desktop(D) Alice wants to send Bob a message from her laptop they have notused the ratchet algorithm before 3 ratchets (LD) (PD) and (LP)
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 13 19
Double Ratchet initialization I
Alice generates four DH pairsTwo for the laptop two for thephoneAlice sends a SEIP containerwith the message and the DHkeys
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceL -gt Bob
DRInitpub [DHpubLD DH
pubPD] sec [EncP(SgnL(DHPD DHPL DH
pubLP))]
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 14 19
Double Ratchet initialization II
Bob generates two DH keypairs initializes his ratchetsBob sends his DH public keyand reflects all secrets
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Bob -gt Alice
DRESKpub DHpubDL sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
DRESKpub DHpubDP sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 15 19
Double Ratchet initialization III
Alicersquos phone decrypts theinitial DH key pairs generatedon the desktop and uses themto initialize her ratchetsThe Double Ratchet algorithminitialization is now completeTo send more messages sheadvances her two phoneratchets by creating two newDH pairs
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceP -gt Bob
DRESKpub DHrsquopubPD sec empty esk CipherR(PD)(SK) PN Ns
DRESKpub DHrsquopubPL sec empty esk CipherR(PL)(SK) PN Ns
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 16 19
Double Ratchet in OpenPGP
What is needed to implement Forward Secrecy using the Double Ratchetalgorithm
per-device keystwo new packets DRInit and DRESKkeeping a lot of state in implementations
Juicy but tricky So letrsquos go for Brownrsquos short-lived encryption subkeysversion first
Ask questions Get involved Letrsquos get Forward Secrecy into OpenPGP
Checkout our repository of weird keys55httpsgitlabcomsequoia-pgpweird-keys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 17 19
Bonus Long-term Storage
Users expect to be able to read past mails Two optionsstore session keys
we (Sequoia) want to do that anyway for speedcompromise of session key store compromises messagesneed to purge session key if message is deleted
deletability
requires one-time synchronization for new devicesre-encrypt with long-term archive key
not desirable if messages are on a server (IMAP)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 18 19
Bonus Privacy-preserving keyservers
critical for revocationskey renewalsnew keystraditional keyservers are problematic
expose the social graphexpose namesemail addresses
idea strip 3rd-party-certificates uids
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnpnull-uid 3 3 3 3 7
no-bound-uid 3 7 7 7 7
no-uid 3 7 7 7 7
direct-key 7 7 7 3
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 19 19
Page 5
Approximating Forward Secrecy II
exampleencryption keys valid for a weekpublish half a year worth of keys
consall messages sent in a week are encrypted using the same keygenerating keys in advance is a window for compromise
prosgood backwards compatibilityway better than the status quo
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp3 3 3 3 7
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 5 19
Interludum Multi-device support
OpenPGP lacks a convincing story for multi-device support Two options31 sharing decryption-capable keys across devices
+ hides number of devicesndash requires synchronization between co-agents
2 distinct per-device decryption-capable keys+ requires synchronization only at setupplusmn requires synchronization with remote peers+ still possible to hide number of devices by sharingndash requires minor modificationsndash size of the certificatendash complexity
pequivp and Autocrypt synchronize using hidden mailsOpenPGP is transport protocol independenthow does that work in practice
3dkgrsquos post to the MLS listJustus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 6 19
Simple per-device encryption keys
gpg -k twopub ed25519 2018-06-08 [SC] [expires 2019-06-07]
2B7757D8AF283468A0574699910E554478CCDE00uid [ unknown] Two Fish lttwoexampleorggtsub cv25519 2018-06-08 [E] [expires 2019-06-07]sub cv25519 2018-06-08 [E] [expires 2019-06-07]
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp3 7 3 7 7
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 7 19
Certification-capable subkeys
short-lived encryption subkeys require recurrent synchronizationour proposal4
use a set of keys per devicea certification subkey to issue their own subkeysa signing subkeyn encryption subkeys
use eg a QR-code containing an encrypted key and a bindingsignature to provision a new devicerequires clarification in the RFC minor changes in implementations
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp7 7 7 7 3
4Post to openpgpietforgJustus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 8 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]
subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Signalrsquos Double Ratchet
DH and KDFs ratchets toderive session keysa
also provides Backward Secrecysending and receiving ratchetsSK derived from KDF ratchetDH ratchet pingpongsper device keysone DR per device pairSignal and OMEMO use aserver for initial DH keys
aDouble Ratchet specification
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 11 19
Ditching the server
Initial messagePKESKSEIP
OPSLiteraldataSignature+DRInitMDC
SignalOMEMOgenerate n DH keys on devices publishinitiator picks one from the servernasty race condition in OMEMO
our ideaditch the server
sacrifice protecting the first mailinclude initialization in a traditionalOpenPGP encrypted message
multiple devicesinitiator generates all keys for onersquos owndevicesencrypts these keys with the per-deviceencryption subkeys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 12 19
Double Ratchet initialization - setting
Alice has two devices a laptop (L) and a phone (P) Bob has a desktop(D) Alice wants to send Bob a message from her laptop they have notused the ratchet algorithm before 3 ratchets (LD) (PD) and (LP)
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 13 19
Double Ratchet initialization I
Alice generates four DH pairsTwo for the laptop two for thephoneAlice sends a SEIP containerwith the message and the DHkeys
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceL -gt Bob
DRInitpub [DHpubLD DH
pubPD] sec [EncP(SgnL(DHPD DHPL DH
pubLP))]
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 14 19
Double Ratchet initialization II
Bob generates two DH keypairs initializes his ratchetsBob sends his DH public keyand reflects all secrets
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Bob -gt Alice
DRESKpub DHpubDL sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
DRESKpub DHpubDP sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 15 19
Double Ratchet initialization III
Alicersquos phone decrypts theinitial DH key pairs generatedon the desktop and uses themto initialize her ratchetsThe Double Ratchet algorithminitialization is now completeTo send more messages sheadvances her two phoneratchets by creating two newDH pairs
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceP -gt Bob
DRESKpub DHrsquopubPD sec empty esk CipherR(PD)(SK) PN Ns
DRESKpub DHrsquopubPL sec empty esk CipherR(PL)(SK) PN Ns
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 16 19
Double Ratchet in OpenPGP
What is needed to implement Forward Secrecy using the Double Ratchetalgorithm
per-device keystwo new packets DRInit and DRESKkeeping a lot of state in implementations
Juicy but tricky So letrsquos go for Brownrsquos short-lived encryption subkeysversion first
Ask questions Get involved Letrsquos get Forward Secrecy into OpenPGP
Checkout our repository of weird keys55httpsgitlabcomsequoia-pgpweird-keys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 17 19
Bonus Long-term Storage
Users expect to be able to read past mails Two optionsstore session keys
we (Sequoia) want to do that anyway for speedcompromise of session key store compromises messagesneed to purge session key if message is deleted
deletability
requires one-time synchronization for new devicesre-encrypt with long-term archive key
not desirable if messages are on a server (IMAP)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 18 19
Bonus Privacy-preserving keyservers
critical for revocationskey renewalsnew keystraditional keyservers are problematic
expose the social graphexpose namesemail addresses
idea strip 3rd-party-certificates uids
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnpnull-uid 3 3 3 3 7
no-bound-uid 3 7 7 7 7
no-uid 3 7 7 7 7
direct-key 7 7 7 3
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 19 19
Page 6
Interludum Multi-device support
OpenPGP lacks a convincing story for multi-device support Two options31 sharing decryption-capable keys across devices
+ hides number of devicesndash requires synchronization between co-agents
2 distinct per-device decryption-capable keys+ requires synchronization only at setupplusmn requires synchronization with remote peers+ still possible to hide number of devices by sharingndash requires minor modificationsndash size of the certificatendash complexity
pequivp and Autocrypt synchronize using hidden mailsOpenPGP is transport protocol independenthow does that work in practice
3dkgrsquos post to the MLS listJustus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 6 19
Simple per-device encryption keys
gpg -k twopub ed25519 2018-06-08 [SC] [expires 2019-06-07]
2B7757D8AF283468A0574699910E554478CCDE00uid [ unknown] Two Fish lttwoexampleorggtsub cv25519 2018-06-08 [E] [expires 2019-06-07]sub cv25519 2018-06-08 [E] [expires 2019-06-07]
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp3 7 3 7 7
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 7 19
Certification-capable subkeys
short-lived encryption subkeys require recurrent synchronizationour proposal4
use a set of keys per devicea certification subkey to issue their own subkeysa signing subkeyn encryption subkeys
use eg a QR-code containing an encrypted key and a bindingsignature to provision a new devicerequires clarification in the RFC minor changes in implementations
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp7 7 7 7 3
4Post to openpgpietforgJustus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 8 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]
subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Signalrsquos Double Ratchet
DH and KDFs ratchets toderive session keysa
also provides Backward Secrecysending and receiving ratchetsSK derived from KDF ratchetDH ratchet pingpongsper device keysone DR per device pairSignal and OMEMO use aserver for initial DH keys
aDouble Ratchet specification
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 11 19
Ditching the server
Initial messagePKESKSEIP
OPSLiteraldataSignature+DRInitMDC
SignalOMEMOgenerate n DH keys on devices publishinitiator picks one from the servernasty race condition in OMEMO
our ideaditch the server
sacrifice protecting the first mailinclude initialization in a traditionalOpenPGP encrypted message
multiple devicesinitiator generates all keys for onersquos owndevicesencrypts these keys with the per-deviceencryption subkeys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 12 19
Double Ratchet initialization - setting
Alice has two devices a laptop (L) and a phone (P) Bob has a desktop(D) Alice wants to send Bob a message from her laptop they have notused the ratchet algorithm before 3 ratchets (LD) (PD) and (LP)
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 13 19
Double Ratchet initialization I
Alice generates four DH pairsTwo for the laptop two for thephoneAlice sends a SEIP containerwith the message and the DHkeys
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceL -gt Bob
DRInitpub [DHpubLD DH
pubPD] sec [EncP(SgnL(DHPD DHPL DH
pubLP))]
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 14 19
Double Ratchet initialization II
Bob generates two DH keypairs initializes his ratchetsBob sends his DH public keyand reflects all secrets
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Bob -gt Alice
DRESKpub DHpubDL sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
DRESKpub DHpubDP sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 15 19
Double Ratchet initialization III
Alicersquos phone decrypts theinitial DH key pairs generatedon the desktop and uses themto initialize her ratchetsThe Double Ratchet algorithminitialization is now completeTo send more messages sheadvances her two phoneratchets by creating two newDH pairs
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceP -gt Bob
DRESKpub DHrsquopubPD sec empty esk CipherR(PD)(SK) PN Ns
DRESKpub DHrsquopubPL sec empty esk CipherR(PL)(SK) PN Ns
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 16 19
Double Ratchet in OpenPGP
What is needed to implement Forward Secrecy using the Double Ratchet algorithm?
- per-device keys
- two new packets, DRInit and DRESK
- keeping a lot of state in implementations
Juicy, but tricky. So let's go for Brown's short-lived encryption subkeys version first.
Ask questions! Get involved! Let's get Forward Secrecy into OpenPGP!
Check out our repository of weird keys: https://gitlab.com/sequoia-pgp/weird-keys
Bonus: Long-term Storage
Users expect to be able to read past mails. Two options:
- store session keys
  - we (Sequoia) want to do that anyway, for speed
  - compromise of the session key store compromises messages
  - need to purge the session key if the message is deleted (deletability)
  - requires one-time synchronization for new devices
- re-encrypt with a long-term archive key
  - not desirable if messages are on a server (IMAP)
Bonus: Privacy-preserving keyservers
- critical for revocations, key renewals, new keys
- traditional keyservers are problematic
  - expose the social graph
  - expose names / email addresses
- idea: strip 3rd-party certificates, uids
Compatibility
              Sequoia  GnuPG  OpenKeychain  openpgp.js  rnp
null-uid      ✓        ✓      ✓             ✓           ✗
no-bound-uid  ✓        ✗      ✗             ✗           ✗
no-uid        ✓        ✗      ✗             ✗           ✗
direct-key    ✗ ✗ ✗ ✓  (only four marks on the slide; which column is missing is not recoverable)
Simple per-device encryption keys
$ gpg -k two
pub   ed25519 2018-06-08 [SC] [expires: 2019-06-07]
      2B7757D8AF283468A0574699910E554478CCDE00
uid           [ unknown] Two Fish <two@example.org>
sub   cv25519 2018-06-08 [E] [expires: 2019-06-07]
sub   cv25519 2018-06-08 [E] [expires: 2019-06-07]
Compatibility
Sequoia ✓  GnuPG ✗  OpenKeychain ✓  openpgp.js ✗  rnp ✗
Certification-capable subkeys
- short-lived encryption subkeys require recurrent synchronization
- our proposal (footnote 4: post to openpgp@ietf.org):
  - use a set of keys per device
    - a certification subkey to issue their own subkeys
    - a signing subkey
    - n encryption subkeys
  - use e.g. a QR-code containing an encrypted key and a binding signature to provision a new device
  - requires clarification in the RFC, minor changes in implementations
Compatibility
Sequoia ✗  GnuPG ✗  OpenKeychain ✗  openpgp.js ✗  rnp ✓
Per-device keys: Example
Example key:
  primary key [C]
    subkey [Er]
    subkey [A]
    subkey [C] desktop
      subkey [S]
      n subkeys [Et]
      subkey [C] laptop
        subkey [S]
        n subkeys [Et]
      subkey [C] mobile phone
        subkey [S]
        n subkeys [Et]
- new key, maybe on a Gnuk
- commission desktop
- commission laptop from desktop
- commission phone from desktop
- decommissioning desktop recursively decommissions all devices
Per-device keys: Example
Example key:
  primary key [C]
    subkey [Er]
    subkey [A]
    subkey [C] desktop
      subkey [S]
      n subkeys [Et]
    subkey [C] laptop
      subkey [S]
      n subkeys [Et]
      subkey [C] mobile phone
        subkey [S]
        n subkeys [Et]
- desktop is decommissioned
- commission laptop again from Gnuk
- commission phone from laptop
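The commissioning and decommissioning rules on these two slides, as an added model in Python (not Sequoia or GnuPG code). It assumes the proposed semantics that a [C] subkey may bind further subkeys and that a binding is only good while every certifier on the path back to the primary key is unrevoked; the key names, the explicit issuer field and the weekly [Et] validity windows are constructed for the model.

```python
"""Model of the per-device key hierarchy from the 'Per-device keys: Example'
slides.  Added example, not Sequoia or GnuPG code: key names, the flag
letters and the explicit 'issuer' field are modelling assumptions.  A
binding is valid only while every certifier on the path back to the primary
key is still in service, which is what makes decommissioning recursive."""

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Key:
    name: str
    flags: Set[str]                    # subset of {C, S, A, Er, Et}
    issuer: Optional[str]              # who signed the binding; None = primary
    not_before: Optional[date] = None
    not_after: Optional[date] = None   # exclusive
    revoked: bool = False


@dataclass
class Certificate:
    keys: Dict[str, Key] = field(default_factory=dict)

    def add_primary(self, name: str) -> None:
        self.keys[name] = Key(name, {"C"}, None)

    def bind(self, issuer: str, name: str, flags: Set[str],
             not_before: Optional[date] = None,
             not_after: Optional[date] = None) -> None:
        # Only a certification-capable key may bind a subkey.
        if "C" not in self.keys[issuer].flags:
            raise ValueError(f"{issuer} is not certification-capable")
        self.keys[name] = Key(name, set(flags), issuer, not_before, not_after)

    def commission(self, issuer: str, device: str, start: date,
                   n_transport: int = 3, days_each: int = 7) -> None:
        # One [C] subkey per device; it then issues the device's own [S]
        # subkey and n short-lived transport-encryption [Et] subkeys whose
        # validity windows follow one another (Brown's scheme, per device).
        self.bind(issuer, f"{device}/C", {"C"})
        self.bind(f"{device}/C", f"{device}/S", {"S"})
        for i in range(n_transport):
            begin = start + timedelta(days=i * days_each)
            self.bind(f"{device}/C", f"{device}/Et{i}", {"Et"},
                      begin, begin + timedelta(days=days_each))

    def decommission(self, cert_subkey: str) -> None:
        self.keys[cert_subkey].revoked = True

    def is_valid(self, name: str, today: date) -> bool:
        key = self.keys.get(name)
        if key is None or key.revoked:
            return False
        if key.not_before is not None and today < key.not_before:
            return False
        if key.not_after is not None and today >= key.not_after:
            return False
        # Walk the certification chain up to the primary key.
        return key.issuer is None or self.is_valid(key.issuer, today)

    def transport_keys(self, today: date) -> List[str]:
        """Encryption subkeys a sender may use for a message on `today`."""
        return sorted(name for name, key in self.keys.items()
                      if "Et" in key.flags and self.is_valid(name, today))


def walkthrough(day0: date = date(2018, 7, 21)) -> Dict[str, List[str]]:
    """Replays the two slides: commission three devices, lose the desktop,
    re-commission laptop and phone from the Gnuk.  Returns the usable
    transport keys at each stage."""
    cert = Certificate()
    cert.add_primary("primary")                   # new key, maybe on a Gnuk
    cert.bind("primary", "archive/Er", {"Er"})
    cert.bind("primary", "ssh/A", {"A"})
    cert.commission("primary", "desktop#1", day0)
    cert.commission("desktop#1/C", "laptop#1", day0)
    cert.commission("desktop#1/C", "phone#1", day0)
    stages = {"commissioned": cert.transport_keys(day0)}

    cert.decommission("desktop#1/C")              # laptop#1 and phone#1 go too
    stages["after_loss"] = cert.transport_keys(day0)

    cert.commission("primary", "laptop#2", day0)  # again, from the Gnuk
    cert.commission("laptop#2/C", "phone#2", day0)
    stages["recovered"] = cert.transport_keys(day0)
    stages["next_week"] = cert.transport_keys(day0 + timedelta(days=7))
    return stages


if __name__ == "__main__":
    for stage, keys in walkthrough().items():
        print(f"{stage:12s} {keys}")
```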
Signal's Double Ratchet
- DH and KDF ratchets to derive session keys (footnote a: Double Ratchet specification)
- also provides Backward Secrecy
- sending and receiving ratchets
- SK derived from the KDF ratchet
- DH ratchet ping-pongs
- per-device keys
- one DR per device pair
- Signal and OMEMO use a server for initial DH keys
Ditching the server
Initial message: PKESK, SEIP{ OPS, Literal data, Signature + DRInit, MDC }
Signal/OMEMO:
- generate n DH keys on devices, publish
- initiator picks one from the server
- nasty race condition in OMEMO
Our idea: ditch the server
- sacrifice protecting the first mail
- include initialization in a traditional OpenPGP encrypted message
Multiple devices:
- initiator generates all keys for one's own devices
- encrypts these keys with the per-device encryption subkeys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 12 19
Double Ratchet initialization - setting
Alice has two devices a laptop (L) and a phone (P) Bob has a desktop(D) Alice wants to send Bob a message from her laptop they have notused the ratchet algorithm before 3 ratchets (LD) (PD) and (LP)
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 13 19
Double Ratchet initialization I
Alice generates four DH pairsTwo for the laptop two for thephoneAlice sends a SEIP containerwith the message and the DHkeys
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceL -gt Bob
DRInitpub [DHpubLD DH
pubPD] sec [EncP(SgnL(DHPD DHPL DH
pubLP))]
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 14 19
Double Ratchet initialization II
Bob generates two DH keypairs initializes his ratchetsBob sends his DH public keyand reflects all secrets
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Bob -gt Alice
DRESKpub DHpubDL sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
DRESKpub DHpubDP sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 15 19
Double Ratchet initialization III
Alicersquos phone decrypts theinitial DH key pairs generatedon the desktop and uses themto initialize her ratchetsThe Double Ratchet algorithminitialization is now completeTo send more messages sheadvances her two phoneratchets by creating two newDH pairs
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceP -gt Bob
DRESKpub DHrsquopubPD sec empty esk CipherR(PD)(SK) PN Ns
DRESKpub DHrsquopubPL sec empty esk CipherR(PL)(SK) PN Ns
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 16 19
Double Ratchet in OpenPGP
What is needed to implement Forward Secrecy using the Double Ratchetalgorithm
per-device keystwo new packets DRInit and DRESKkeeping a lot of state in implementations
Juicy but tricky So letrsquos go for Brownrsquos short-lived encryption subkeysversion first
Ask questions Get involved Letrsquos get Forward Secrecy into OpenPGP
Checkout our repository of weird keys55httpsgitlabcomsequoia-pgpweird-keys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 17 19
Bonus Long-term Storage
Users expect to be able to read past mails Two optionsstore session keys
we (Sequoia) want to do that anyway for speedcompromise of session key store compromises messagesneed to purge session key if message is deleted
deletability
requires one-time synchronization for new devicesre-encrypt with long-term archive key
not desirable if messages are on a server (IMAP)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 18 19
Bonus Privacy-preserving keyservers
critical for revocationskey renewalsnew keystraditional keyservers are problematic
expose the social graphexpose namesemail addresses
idea strip 3rd-party-certificates uids
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnpnull-uid 3 3 3 3 7
no-bound-uid 3 7 7 7 7
no-uid 3 7 7 7 7
direct-key 7 7 7 3
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 19 19
Page 8
Certification-capable subkeys
short-lived encryption subkeys require recurrent synchronizationour proposal4
use a set of keys per devicea certification subkey to issue their own subkeysa signing subkeyn encryption subkeys
use eg a QR-code containing an encrypted key and a bindingsignature to provision a new devicerequires clarification in the RFC minor changes in implementations
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnp7 7 7 7 3
4Post to openpgpietforgJustus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 8 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]
subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Signalrsquos Double Ratchet
DH and KDFs ratchets toderive session keysa
also provides Backward Secrecysending and receiving ratchetsSK derived from KDF ratchetDH ratchet pingpongsper device keysone DR per device pairSignal and OMEMO use aserver for initial DH keys
aDouble Ratchet specification
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 11 19
Ditching the server
Initial messagePKESKSEIP
OPSLiteraldataSignature+DRInitMDC
SignalOMEMOgenerate n DH keys on devices publishinitiator picks one from the servernasty race condition in OMEMO
our ideaditch the server
sacrifice protecting the first mailinclude initialization in a traditionalOpenPGP encrypted message
multiple devicesinitiator generates all keys for onersquos owndevicesencrypts these keys with the per-deviceencryption subkeys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 12 19
Double Ratchet initialization - setting
Alice has two devices a laptop (L) and a phone (P) Bob has a desktop(D) Alice wants to send Bob a message from her laptop they have notused the ratchet algorithm before 3 ratchets (LD) (PD) and (LP)
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 13 19
Double Ratchet initialization I
Alice generates four DH pairsTwo for the laptop two for thephoneAlice sends a SEIP containerwith the message and the DHkeys
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceL -gt Bob
DRInitpub [DHpubLD DH
pubPD] sec [EncP(SgnL(DHPD DHPL DH
pubLP))]
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 14 19
Double Ratchet initialization II
Bob generates two DH keypairs initializes his ratchetsBob sends his DH public keyand reflects all secrets
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Bob -gt Alice
DRESKpub DHpubDL sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
DRESKpub DHpubDP sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 15 19
Double Ratchet initialization III
Alicersquos phone decrypts theinitial DH key pairs generatedon the desktop and uses themto initialize her ratchetsThe Double Ratchet algorithminitialization is now completeTo send more messages sheadvances her two phoneratchets by creating two newDH pairs
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceP -gt Bob
DRESKpub DHrsquopubPD sec empty esk CipherR(PD)(SK) PN Ns
DRESKpub DHrsquopubPL sec empty esk CipherR(PL)(SK) PN Ns
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 16 19
Double Ratchet in OpenPGP
What is needed to implement Forward Secrecy using the Double Ratchetalgorithm
per-device keystwo new packets DRInit and DRESKkeeping a lot of state in implementations
Juicy but tricky So letrsquos go for Brownrsquos short-lived encryption subkeysversion first
Ask questions Get involved Letrsquos get Forward Secrecy into OpenPGP
Checkout our repository of weird keys55httpsgitlabcomsequoia-pgpweird-keys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 17 19
Bonus Long-term Storage
Users expect to be able to read past mails Two optionsstore session keys
we (Sequoia) want to do that anyway for speedcompromise of session key store compromises messagesneed to purge session key if message is deleted
deletability
requires one-time synchronization for new devicesre-encrypt with long-term archive key
not desirable if messages are on a server (IMAP)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 18 19
Bonus Privacy-preserving keyservers
critical for revocationskey renewalsnew keystraditional keyservers are problematic
expose the social graphexpose namesemail addresses
idea strip 3rd-party-certificates uids
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnpnull-uid 3 3 3 3 7
no-bound-uid 3 7 7 7 7
no-uid 3 7 7 7 7
direct-key 7 7 7 3
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 19 19
Page 9
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]
subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Signalrsquos Double Ratchet
DH and KDFs ratchets toderive session keysa
also provides Backward Secrecysending and receiving ratchetsSK derived from KDF ratchetDH ratchet pingpongsper device keysone DR per device pairSignal and OMEMO use aserver for initial DH keys
aDouble Ratchet specification
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 11 19
Ditching the server
Initial messagePKESKSEIP
OPSLiteraldataSignature+DRInitMDC
SignalOMEMOgenerate n DH keys on devices publishinitiator picks one from the servernasty race condition in OMEMO
our ideaditch the server
sacrifice protecting the first mailinclude initialization in a traditionalOpenPGP encrypted message
multiple devicesinitiator generates all keys for onersquos owndevicesencrypts these keys with the per-deviceencryption subkeys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 12 19
Double Ratchet initialization - setting
Alice has two devices a laptop (L) and a phone (P) Bob has a desktop(D) Alice wants to send Bob a message from her laptop they have notused the ratchet algorithm before 3 ratchets (LD) (PD) and (LP)
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 13 19
Double Ratchet initialization I
Alice generates four DH pairsTwo for the laptop two for thephoneAlice sends a SEIP containerwith the message and the DHkeys
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceL -gt Bob
DRInitpub [DHpubLD DH
pubPD] sec [EncP(SgnL(DHPD DHPL DH
pubLP))]
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 14 19
Double Ratchet initialization II
Bob generates two DH keypairs initializes his ratchetsBob sends his DH public keyand reflects all secrets
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Bob -gt Alice
DRESKpub DHpubDL sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
DRESKpub DHpubDP sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 15 19
Double Ratchet initialization III
Alicersquos phone decrypts theinitial DH key pairs generatedon the desktop and uses themto initialize her ratchetsThe Double Ratchet algorithminitialization is now completeTo send more messages sheadvances her two phoneratchets by creating two newDH pairs
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceP -gt Bob
DRESKpub DHrsquopubPD sec empty esk CipherR(PD)(SK) PN Ns
DRESKpub DHrsquopubPL sec empty esk CipherR(PL)(SK) PN Ns
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 16 19
Double Ratchet in OpenPGP
What is needed to implement Forward Secrecy using the Double Ratchetalgorithm
per-device keystwo new packets DRInit and DRESKkeeping a lot of state in implementations
Juicy but tricky So letrsquos go for Brownrsquos short-lived encryption subkeysversion first
Ask questions Get involved Letrsquos get Forward Secrecy into OpenPGP
Checkout our repository of weird keys55httpsgitlabcomsequoia-pgpweird-keys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 17 19
Bonus Long-term Storage
Users expect to be able to read past mails Two optionsstore session keys
we (Sequoia) want to do that anyway for speedcompromise of session key store compromises messagesneed to purge session key if message is deleted
deletability
requires one-time synchronization for new devicesre-encrypt with long-term archive key
not desirable if messages are on a server (IMAP)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 18 19
Bonus Privacy-preserving keyservers
critical for revocationskey renewalsnew keystraditional keyservers are problematic
expose the social graphexpose namesemail addresses
idea strip 3rd-party-certificates uids
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnpnull-uid 3 3 3 3 7
no-bound-uid 3 7 7 7 7
no-uid 3 7 7 7 7
direct-key 7 7 7 3
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 19 19
Page 10
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Signalrsquos Double Ratchet
DH and KDFs ratchets toderive session keysa
also provides Backward Secrecysending and receiving ratchetsSK derived from KDF ratchetDH ratchet pingpongsper device keysone DR per device pairSignal and OMEMO use aserver for initial DH keys
aDouble Ratchet specification
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 11 19
Ditching the server
Initial messagePKESKSEIP
OPSLiteraldataSignature+DRInitMDC
SignalOMEMOgenerate n DH keys on devices publishinitiator picks one from the servernasty race condition in OMEMO
our ideaditch the server
sacrifice protecting the first mailinclude initialization in a traditionalOpenPGP encrypted message
multiple devicesinitiator generates all keys for onersquos owndevicesencrypts these keys with the per-deviceencryption subkeys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 12 19
Double Ratchet initialization - setting
Alice has two devices a laptop (L) and a phone (P) Bob has a desktop(D) Alice wants to send Bob a message from her laptop they have notused the ratchet algorithm before 3 ratchets (LD) (PD) and (LP)
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 13 19
Double Ratchet initialization I
Alice generates four DH pairsTwo for the laptop two for thephoneAlice sends a SEIP containerwith the message and the DHkeys
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceL -gt Bob
DRInitpub [DHpubLD DH
pubPD] sec [EncP(SgnL(DHPD DHPL DH
pubLP))]
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 14 19
Double Ratchet initialization II
Bob generates two DH keypairs initializes his ratchetsBob sends his DH public keyand reflects all secrets
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Bob -gt Alice
DRESKpub DHpubDL sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
DRESKpub DHpubDP sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 15 19
Double Ratchet initialization III

Alice's phone decrypts the initial DH key pairs generated on the desktop and uses them to initialize her ratchets. The Double Ratchet algorithm initialization is now complete. To send more messages she advances her two phone ratchets by creating two new DH pairs.

[Diagram: the three ratchets R(L,D), R(L,P), R(P,D) as in the setting slide]

Alice_P -> Bob:
  DRESK { pub: DH'_pub_PD, sec: empty, esk: Cipher_R(P,D)(SK), PN, Ns }
  DRESK { pub: DH'_pub_PL, sec: empty, esk: Cipher_R(P,L)(SK), PN, Ns }
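The exchange on the four initialization slides, carried through as an added example that is not part of the talk and not Sequoia's code. The packet names DRInit and DRESK, the header fields PN and Ns, and the Cipher/Enc_P/Sgn_L notation come from the slides; everything else is assumed: X25519 for the DH pairs, HKDF-SHA256 for the root and chain KDFs (with a made-up info label), the concrete field layout, and a one-time pad with the message key standing in for Cipher. Enc_P and Sgn_L are deliberately not implemented, so the phone's share of the key material is handed over as a plain dict; the code models the ratchet state, not the OpenPGP packet encoding.

```python
"""Multi-device Double Ratchet initialisation as on the slides: Alice's laptop (L)
creates DH pairs for itself and her phone (P), Bob's desktop (D) answers with its
own pairs, and the ratchets R(L,D), R(P,D), R(L,P) result.  Added example, not
Sequoia's code.  Assumed, not on the slides: X25519 for DH, HKDF-SHA256 for the
root/chain KDFs, the DRInit/DRESK field layout.  Enc_P/Sgn_L are NOT implemented
(the phone's keys travel as a plain dict); in-order delivery only; not constant-time."""
import hmac, os

_P = 2**255 - 19

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: k = private scalar, u = peer's public u-coordinate."""
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64
    k, u = int.from_bytes(k, "little"), int.from_bytes(u, "little") & (2**255 - 1)
    x2, z2, x3, z3 = 1, 0, u, 1
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        if bit: x2, x3, z2, z3 = x3, x2, z3, z2
        a, b, c, d = (x2 + z2) % _P, (x2 - z2) % _P, (x3 + z3) % _P, (x3 - z3) % _P
        aa, bb, da, cb = a * a % _P, b * b % _P, d * a % _P, c * b % _P
        e = (aa - bb) % _P
        x3, z3 = (da + cb) ** 2 % _P, u * (da - cb) ** 2 % _P
        x2, z2 = aa * bb % _P, e * (aa + 121665 * e) % _P
        if bit: x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")

def keygen():
    """Fresh DH pair (secret, public)."""
    sec = os.urandom(32)
    return sec, x25519(sec, b"\x09" + b"\x00" * 31)

def hkdf(ikm, salt, info, n):
    prk, out, t = hmac.digest(salt, ikm, "sha256"), b"", b""
    for i in range(1, n // 32 + 1):
        t = hmac.digest(prk, t + info + bytes([i]), "sha256"); out += t
    return out[:n]

def kdf_ck(ck):
    """Symmetric (KDF) ratchet step: returns (next chain key, message key)."""
    return hmac.digest(ck, b"\x02", "sha256"), hmac.digest(ck, b"\x01", "sha256")

class Ratchet:
    """One end of one Double Ratchet; the slides run one per device pair."""
    def __init__(self, shared, my_pair, their_pub, initiator):
        self.rk, self.dhs, self.dhr = shared, my_pair, their_pub
        self.cks = self.ckr = None
        self.ns = self.nr = self.pn = 0
        if initiator:                 # the initiator advances the DH ratchet at once
            self._dh_send_step()
    def _kdf_rk(self, dh_out):        # root KDF: new root key and new chain key
        out = hkdf(dh_out, self.rk, b"OpenPGP-DR root", 64)
        return out[:32], out[32:]
    def _dh_send_step(self):
        self.pn, self.ns = self.ns, 0
        self.dhs = keygen()           # previous private key leaves the state: forward secrecy
        self.rk, self.cks = self._kdf_rk(x25519(self.dhs[0], self.dhr))
    def send(self, session_key):
        """DRESK-like packet: header (pub, PN, Ns) and the session key wrapped with mk."""
        self.cks, mk = kdf_ck(self.cks)
        header = {"pub": self.dhs[1], "pn": self.pn, "n": self.ns}
        self.ns += 1
        return header, bytes(a ^ b for a, b in zip(session_key, mk))  # toy Cipher: one-time pad
    def receive(self, header, esk):
        if header["pub"] != self.dhr:  # peer ratcheted: new receiving chain, then our DH step
            self.dhr, self.nr = header["pub"], 0
            self.rk, self.ckr = self._kdf_rk(x25519(self.dhs[0], self.dhr))
            self._dh_send_step()
        self.ckr, mk = kdf_ck(self.ckr)
        self.nr += 1
        return bytes(a ^ b for a, b in zip(esk, mk))

def initialise():
    """Slides 13-16; returns {pair: (initiating end, other end)}."""
    dh_LD, dh_LP, dh_PD, dh_PL = keygen(), keygen(), keygen(), keygen()     # slide 14
    drinit = {"pub": [dh_LD[1], dh_PD[1]],                                  # Enc_P(Sgn_L(..)) on the slide
              "sec": {"DH_PD": dh_PD, "DH_PL": dh_PL, "DH_pub_LP": dh_LP[1]}}
    dh_DL, dh_DP = keygen(), keygen()                                        # slide 15
    bob_LD = Ratchet(x25519(dh_DL[0], drinit["pub"][0]), dh_DL, drinit["pub"][0], False)
    bob_PD = Ratchet(x25519(dh_DP[0], drinit["pub"][1]), dh_DP, drinit["pub"][1], False)
    dresk = [{"pub": dh_DL[1], "sec": drinit["sec"]}, {"pub": dh_DP[1], "sec": drinit["sec"]}]
    laptop_LD = Ratchet(x25519(dh_LD[0], dresk[0]["pub"]), dh_LD, dresk[0]["pub"], True)  # slide 16
    sec = dresk[1]["sec"]             # the phone's share, after "decrypting" it
    phone_PD = Ratchet(x25519(sec["DH_PD"][0], dresk[1]["pub"]), sec["DH_PD"], dresk[1]["pub"], True)
    phone_PL = Ratchet(x25519(sec["DH_PL"][0], sec["DH_pub_LP"]), sec["DH_PL"], sec["DH_pub_LP"], True)
    laptop_LP = Ratchet(x25519(dh_LP[0], sec["DH_PL"][1]), dh_LP, sec["DH_PL"][1], False)
    return {"LD": (laptop_LD, bob_LD), "PD": (phone_PD, bob_PD), "PL": (phone_PL, laptop_LP)}

def exchange(sender, receiver, session_key):
    """Send one DRESK; returns (header, session key as recovered by the receiver)."""
    header, esk = sender.send(session_key)
    return header, receiver.receive(header, esk)

if __name__ == "__main__":
    for name, (a, b) in initialise().items():
        sk = os.urandom(32)
        h1, got1 = exchange(a, b, sk)     # initiator -> peer
        h2, got2 = exchange(b, a, sk)     # peer answers with a fresh DH key: ping-pong
        print(name, got1 == sk and got2 == sk, (h1["pn"], h1["n"]), (h2["pn"], h2["n"]))
```

Running it shows, for each of the three device pairs, that the wrapped session key survives the round trip and how PN and Ns move in the header: the answering side's first packet carries a new DH public key, and after that step neither end can recompute the message keys of the earlier chain, which is the forward-secrecy property the talk is after. The non-initiating end cannot send before it has received once (its sending chain does not exist yet), matching the slides where the laptop and phone always speak first.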
Double Ratchet in OpenPGP

What is needed to implement Forward Secrecy using the Double Ratchet algorithm?
- per-device keys
- two new packets: DRInit and DRESK
- keeping a lot of state in implementations

Juicy, but tricky. So let's go for Brown's short-lived encryption subkeys version first.

Ask questions! Get involved! Let's get Forward Secrecy into OpenPGP!

Check out our repository of weird keys (5): https://gitlab.com/sequoia-pgp/weird-keys
Bonus: Long-term Storage

Users expect to be able to read past mails. Two options:
- store session keys
  - we (Sequoia) want to do that anyway, for speed
  - compromise of session key store compromises messages
  - need to purge session key if message is deleted (deletability)
  - requires one-time synchronization for new devices
- re-encrypt with long-term archive key
  - not desirable if messages are on a server (IMAP)
Bonus: Privacy-preserving keyservers

- critical for revocations, key renewals, new keys
- traditional keyservers are problematic
  - expose the social graph
  - expose names/email addresses
- idea: strip 3rd-party certificates, uids

Compatibility:

              Sequoia  GnuPG  OpenKeychain  openpgpjs  rnp
null-uid        ✓        ✓        ✓            ✓        ✗
no-bound-uid    ✓        ✗        ✗            ✗        ✗
no-uid          ✓        ✗        ✗            ✗        ✗
direct-key      ✗        ✗        ✗            ✓
Per-device keys: Example

Example key:
  primary key [C]
    subkey [Er]
    subkey [A]
    subkey [C] desktop
      subkey [S]
      n subkeys [Et]
      subkey [C] laptop
        subkey [S]
        n subkeys [Et]
      subkey [C] mobile phone
        subkey [S]
        n subkeys [Et]

- new key, maybe on a Gnuk
- commission desktop
- commission laptop from desktop
- commission phone from desktop
- decommissioning desktop recursively decommissions all devices
Per-device keys: Example

Example key:
  primary key [C]
    subkey [Er]
    subkey [A]
    subkey [C] desktop
      subkey [S]
      n subkeys [Et]
    subkey [C] laptop
      subkey [S]
      n subkeys [Et]
      subkey [C] mobile phone
        subkey [S]
        n subkeys [Et]

- desktop is decommissioned
- commission laptop again from Gnuk
- commission phone from laptop
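The commission/decommission walkthrough of the two "Per-device keys: Example" slides, as an added example that is not part of the talk and not Sequoia's code. It models only the certification graph: a device is its [C] subkey, which certifies the device's [S] and [Et] subkeys; commissioning means having that [C] subkey certified by the primary key (the Gnuk) or by an already valid device. Key material, signatures, and the names `Device`, `KeyHierarchy`, `PRIMARY` and `slide_walkthrough` are all constructed for this illustration. The `is_valid` check is the defender's view a verifier would take: it walks the certification chain up to the primary key, so a device below a revoked one is rejected even if the explicit recursive revocation was never issued.

```python
"""Toy model of the certification tree on the "Per-device keys: Example" slides
(added example, not Sequoia code).  Each device owns a certification subkey [C]
that certifies its signing [S] and transport-encryption [Et] subkeys; a device is
commissioned by having its [C] subkey certified by the primary key (on the Gnuk)
or by an already valid device.  Only the certification graph is modelled: key
material is replaced by labels and signatures by a `certified_by` link."""
from dataclasses import dataclass, field

PRIMARY = "primary"          # the primary key [C], e.g. kept on a Gnuk

@dataclass
class Device:
    name: str
    certified_by: str        # PRIMARY or the name of the commissioning device
    revoked: bool = False
    subkeys: list = field(default_factory=list)

class KeyHierarchy:
    def __init__(self, transport_keys_per_device=4):
        self.devices = {}
        self.n_et = transport_keys_per_device

    def commission(self, name, issuer=PRIMARY):
        """Create (or re-create) a device [C] subkey certified by `issuer`."""
        if issuer != PRIMARY and not self.is_valid(issuer):
            raise ValueError(f"{issuer} is not a valid device and cannot certify {name}")
        subkeys = [f"{name}/S"] + [f"{name}/Et{i}" for i in range(self.n_et)]
        self.devices[name] = Device(name, issuer, subkeys=subkeys)

    def decommission(self, name):
        """Revoke a device and, recursively, every device it commissioned."""
        self.devices[name].revoked = True
        for d in list(self.devices.values()):
            if d.certified_by == name and not d.revoked:
                self.decommission(d.name)

    def is_valid(self, name):
        """Verifier's view: walk the certification chain up to the primary key;
        a revoked link anywhere on the way invalidates the device, whether or
        not the explicit recursive revocation above was ever issued."""
        d = self.devices.get(name)
        while d is not None:
            if d.revoked:
                return False
            if d.certified_by == PRIMARY:
                return True
            d = self.devices.get(d.certified_by)
        return False

    def transport_keys(self):
        """[Et] subkeys a sender may encrypt to: those of currently valid devices."""
        return [k for d in self.devices.values() if self.is_valid(d.name)
                for k in d.subkeys if "/Et" in k]

def slide_walkthrough():
    """Slides 9 and 10: commission desktop, laptop, phone; lose the desktop; rebuild."""
    h = KeyHierarchy()
    h.commission("desktop")                      # from the Gnuk
    h.commission("laptop", issuer="desktop")
    h.commission("phone", issuer="desktop")
    before = sorted(n for n in h.devices if h.is_valid(n))
    h.decommission("desktop")                    # cascades to laptop and phone
    after = sorted(n for n in h.devices if h.is_valid(n))
    h.commission("laptop")                       # again, from the Gnuk
    h.commission("phone", issuer="laptop")
    rebuilt = sorted(n for n in h.devices if h.is_valid(n))
    return before, after, rebuilt, h

if __name__ == "__main__":
    before, after, rebuilt, h = slide_walkthrough()
    print("valid before:", before, "after decommission:", after, "rebuilt:", rebuilt)
    print(len(h.transport_keys()), "usable [Et] subkeys")
```

The walkthrough ends with the laptop certified by the primary key and the phone by the laptop, so the old desktop stays revoked while the other two devices are usable again; `transport_keys` is the list a sender's client would consult when choosing which [Et] subkeys to encrypt a message to.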
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Signalrsquos Double Ratchet
DH and KDFs ratchets toderive session keysa
also provides Backward Secrecysending and receiving ratchetsSK derived from KDF ratchetDH ratchet pingpongsper device keysone DR per device pairSignal and OMEMO use aserver for initial DH keys
aDouble Ratchet specification
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 11 19
Ditching the server
Initial messagePKESKSEIP
OPSLiteraldataSignature+DRInitMDC
SignalOMEMOgenerate n DH keys on devices publishinitiator picks one from the servernasty race condition in OMEMO
our ideaditch the server
sacrifice protecting the first mailinclude initialization in a traditionalOpenPGP encrypted message
multiple devicesinitiator generates all keys for onersquos owndevicesencrypts these keys with the per-deviceencryption subkeys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 12 19
Double Ratchet initialization - setting
Alice has two devices a laptop (L) and a phone (P) Bob has a desktop(D) Alice wants to send Bob a message from her laptop they have notused the ratchet algorithm before 3 ratchets (LD) (PD) and (LP)
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 13 19
Double Ratchet initialization I
Alice generates four DH pairsTwo for the laptop two for thephoneAlice sends a SEIP containerwith the message and the DHkeys
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceL -gt Bob
DRInitpub [DHpubLD DH
pubPD] sec [EncP(SgnL(DHPD DHPL DH
pubLP))]
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 14 19
Double Ratchet initialization II
Bob generates two DH keypairs initializes his ratchetsBob sends his DH public keyand reflects all secrets
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Bob -gt Alice
DRESKpub DHpubDL sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
DRESKpub DHpubDP sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 15 19
Double Ratchet initialization III
Alicersquos phone decrypts theinitial DH key pairs generatedon the desktop and uses themto initialize her ratchetsThe Double Ratchet algorithminitialization is now completeTo send more messages sheadvances her two phoneratchets by creating two newDH pairs
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceP -gt Bob
DRESKpub DHrsquopubPD sec empty esk CipherR(PD)(SK) PN Ns
DRESKpub DHrsquopubPL sec empty esk CipherR(PL)(SK) PN Ns
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 16 19
Double Ratchet in OpenPGP
What is needed to implement Forward Secrecy using the Double Ratchetalgorithm
per-device keystwo new packets DRInit and DRESKkeeping a lot of state in implementations
Juicy but tricky So letrsquos go for Brownrsquos short-lived encryption subkeysversion first
Ask questions Get involved Letrsquos get Forward Secrecy into OpenPGP
Checkout our repository of weird keys55httpsgitlabcomsequoia-pgpweird-keys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 17 19
Bonus Long-term Storage
Users expect to be able to read past mails Two optionsstore session keys
we (Sequoia) want to do that anyway for speedcompromise of session key store compromises messagesneed to purge session key if message is deleted
deletability
requires one-time synchronization for new devicesre-encrypt with long-term archive key
not desirable if messages are on a server (IMAP)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 18 19
Bonus Privacy-preserving keyservers
critical for revocationskey renewalsnew keystraditional keyservers are problematic
expose the social graphexpose namesemail addresses
idea strip 3rd-party-certificates uids
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnpnull-uid 3 3 3 3 7
no-bound-uid 3 7 7 7 7
no-uid 3 7 7 7 7
direct-key 7 7 7 3
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 19 19
Page 12
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Signalrsquos Double Ratchet
DH and KDFs ratchets toderive session keysa
also provides Backward Secrecysending and receiving ratchetsSK derived from KDF ratchetDH ratchet pingpongsper device keysone DR per device pairSignal and OMEMO use aserver for initial DH keys
aDouble Ratchet specification
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 11 19
Ditching the server
Initial messagePKESKSEIP
OPSLiteraldataSignature+DRInitMDC
SignalOMEMOgenerate n DH keys on devices publishinitiator picks one from the servernasty race condition in OMEMO
our ideaditch the server
sacrifice protecting the first mailinclude initialization in a traditionalOpenPGP encrypted message
multiple devicesinitiator generates all keys for onersquos owndevicesencrypts these keys with the per-deviceencryption subkeys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 12 19
Double Ratchet initialization - setting
Alice has two devices a laptop (L) and a phone (P) Bob has a desktop(D) Alice wants to send Bob a message from her laptop they have notused the ratchet algorithm before 3 ratchets (LD) (PD) and (LP)
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 13 19
Double Ratchet initialization I
Alice generates four DH pairsTwo for the laptop two for thephoneAlice sends a SEIP containerwith the message and the DHkeys
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceL -gt Bob
DRInitpub [DHpubLD DH
pubPD] sec [EncP(SgnL(DHPD DHPL DH
pubLP))]
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 14 19
Double Ratchet initialization II
Bob generates two DH keypairs initializes his ratchetsBob sends his DH public keyand reflects all secrets
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Bob -gt Alice
DRESKpub DHpubDL sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
DRESKpub DHpubDP sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 15 19
Double Ratchet initialization III
Alicersquos phone decrypts theinitial DH key pairs generatedon the desktop and uses themto initialize her ratchetsThe Double Ratchet algorithminitialization is now completeTo send more messages sheadvances her two phoneratchets by creating two newDH pairs
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceP -gt Bob
DRESKpub DHrsquopubPD sec empty esk CipherR(PD)(SK) PN Ns
DRESKpub DHrsquopubPL sec empty esk CipherR(PL)(SK) PN Ns
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 16 19
Double Ratchet in OpenPGP
What is needed to implement Forward Secrecy using the Double Ratchetalgorithm
per-device keystwo new packets DRInit and DRESKkeeping a lot of state in implementations
Juicy but tricky So letrsquos go for Brownrsquos short-lived encryption subkeysversion first
Ask questions Get involved Letrsquos get Forward Secrecy into OpenPGP
Checkout our repository of weird keys55httpsgitlabcomsequoia-pgpweird-keys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 17 19
Bonus Long-term Storage
Users expect to be able to read past mails Two optionsstore session keys
we (Sequoia) want to do that anyway for speedcompromise of session key store compromises messagesneed to purge session key if message is deleted
deletability
requires one-time synchronization for new devicesre-encrypt with long-term archive key
not desirable if messages are on a server (IMAP)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 18 19
Bonus Privacy-preserving keyservers
critical for revocationskey renewalsnew keystraditional keyservers are problematic
expose the social graphexpose namesemail addresses
idea strip 3rd-party-certificates uids
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnpnull-uid 3 3 3 3 7
no-bound-uid 3 7 7 7 7
no-uid 3 7 7 7 7
direct-key 7 7 7 3
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 19 19
Page 13
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]subkey [C] laptop
subkey [S]n subkeys [Et]
subkey [C] mobile phonesubkey [S]n subkeys [Et]
new key maybe on a Gnuk
commission desktop
commission laptop fromdesktop
commission phone fromdesktop
decommissioning desktoprecursively decommissions alldevices
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 9 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Signalrsquos Double Ratchet
DH and KDFs ratchets toderive session keysa
also provides Backward Secrecysending and receiving ratchetsSK derived from KDF ratchetDH ratchet pingpongsper device keysone DR per device pairSignal and OMEMO use aserver for initial DH keys
aDouble Ratchet specification
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 11 19
Ditching the server
Initial messagePKESKSEIP
OPSLiteraldataSignature+DRInitMDC
SignalOMEMOgenerate n DH keys on devices publishinitiator picks one from the servernasty race condition in OMEMO
our ideaditch the server
sacrifice protecting the first mailinclude initialization in a traditionalOpenPGP encrypted message
multiple devicesinitiator generates all keys for onersquos owndevicesencrypts these keys with the per-deviceencryption subkeys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 12 19
Double Ratchet initialization - setting
Alice has two devices a laptop (L) and a phone (P) Bob has a desktop(D) Alice wants to send Bob a message from her laptop they have notused the ratchet algorithm before 3 ratchets (LD) (PD) and (LP)
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 13 19
Double Ratchet initialization I
Alice generates four DH pairsTwo for the laptop two for thephoneAlice sends a SEIP containerwith the message and the DHkeys
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceL -gt Bob
DRInitpub [DHpubLD DH
pubPD] sec [EncP(SgnL(DHPD DHPL DH
pubLP))]
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 14 19
Double Ratchet initialization II
Bob generates two DH keypairs initializes his ratchetsBob sends his DH public keyand reflects all secrets
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Bob -gt Alice
DRESKpub DHpubDL sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
DRESKpub DHpubDP sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 15 19
Double Ratchet initialization III
Alicersquos phone decrypts theinitial DH key pairs generatedon the desktop and uses themto initialize her ratchetsThe Double Ratchet algorithminitialization is now completeTo send more messages sheadvances her two phoneratchets by creating two newDH pairs
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceP -gt Bob
DRESKpub DHrsquopubPD sec empty esk CipherR(PD)(SK) PN Ns
DRESKpub DHrsquopubPL sec empty esk CipherR(PL)(SK) PN Ns
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 16 19
Double Ratchet in OpenPGP
What is needed to implement Forward Secrecy using the Double Ratchetalgorithm
per-device keystwo new packets DRInit and DRESKkeeping a lot of state in implementations
Juicy but tricky So letrsquos go for Brownrsquos short-lived encryption subkeysversion first
Ask questions Get involved Letrsquos get Forward Secrecy into OpenPGP
Checkout our repository of weird keys55httpsgitlabcomsequoia-pgpweird-keys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 17 19
Bonus Long-term Storage
Users expect to be able to read past mails Two optionsstore session keys
we (Sequoia) want to do that anyway for speedcompromise of session key store compromises messagesneed to purge session key if message is deleted
deletability
requires one-time synchronization for new devicesre-encrypt with long-term archive key
not desirable if messages are on a server (IMAP)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 18 19
Bonus Privacy-preserving keyservers
critical for revocationskey renewalsnew keystraditional keyservers are problematic
expose the social graphexpose namesemail addresses
idea strip 3rd-party-certificates uids
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnpnull-uid 3 3 3 3 7
no-bound-uid 3 7 7 7 7
no-uid 3 7 7 7 7
direct-key 7 7 7 3
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 19 19
Page 14
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptop
subkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Signalrsquos Double Ratchet
DH and KDFs ratchets toderive session keysa
also provides Backward Secrecysending and receiving ratchetsSK derived from KDF ratchetDH ratchet pingpongsper device keysone DR per device pairSignal and OMEMO use aserver for initial DH keys
aDouble Ratchet specification
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 11 19
Ditching the server
Initial messagePKESKSEIP
OPSLiteraldataSignature+DRInitMDC
SignalOMEMOgenerate n DH keys on devices publishinitiator picks one from the servernasty race condition in OMEMO
our ideaditch the server
sacrifice protecting the first mailinclude initialization in a traditionalOpenPGP encrypted message
multiple devicesinitiator generates all keys for onersquos owndevicesencrypts these keys with the per-deviceencryption subkeys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 12 19
Double Ratchet initialization - setting
Alice has two devices a laptop (L) and a phone (P) Bob has a desktop(D) Alice wants to send Bob a message from her laptop they have notused the ratchet algorithm before 3 ratchets (LD) (PD) and (LP)
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 13 19
Double Ratchet initialization I
Alice generates four DH pairsTwo for the laptop two for thephoneAlice sends a SEIP containerwith the message and the DHkeys
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceL -gt Bob
DRInitpub [DHpubLD DH
pubPD] sec [EncP(SgnL(DHPD DHPL DH
pubLP))]
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 14 19
Double Ratchet initialization II
Bob generates two DH keypairs initializes his ratchetsBob sends his DH public keyand reflects all secrets
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Bob -gt Alice
DRESKpub DHpubDL sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
DRESKpub DHpubDP sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 15 19
Double Ratchet initialization III
Alicersquos phone decrypts theinitial DH key pairs generatedon the desktop and uses themto initialize her ratchetsThe Double Ratchet algorithminitialization is now completeTo send more messages sheadvances her two phoneratchets by creating two newDH pairs
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceP -gt Bob
DRESKpub DHrsquopubPD sec empty esk CipherR(PD)(SK) PN Ns
DRESKpub DHrsquopubPL sec empty esk CipherR(PL)(SK) PN Ns
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 16 19
Double Ratchet in OpenPGP
What is needed to implement Forward Secrecy using the Double Ratchetalgorithm
per-device keystwo new packets DRInit and DRESKkeeping a lot of state in implementations
Juicy but tricky So letrsquos go for Brownrsquos short-lived encryption subkeysversion first
Ask questions Get involved Letrsquos get Forward Secrecy into OpenPGP
Checkout our repository of weird keys55httpsgitlabcomsequoia-pgpweird-keys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 17 19
Bonus Long-term Storage
Users expect to be able to read past mails Two optionsstore session keys
we (Sequoia) want to do that anyway for speedcompromise of session key store compromises messagesneed to purge session key if message is deleted
deletability
requires one-time synchronization for new devicesre-encrypt with long-term archive key
not desirable if messages are on a server (IMAP)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 18 19
Bonus Privacy-preserving keyservers
critical for revocationskey renewalsnew keystraditional keyservers are problematic
expose the social graphexpose namesemail addresses
idea strip 3rd-party-certificates uids
Compatibility
Sequoia GnuPG OpenKeychain openpgpjs rnpnull-uid 3 3 3 3 7
no-bound-uid 3 7 7 7 7
no-uid 3 7 7 7 7
direct-key 7 7 7 3
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 19 19
Page 15
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]
subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Per-device keys Example
Example keyprimary key [C]
subkey [Er]subkey [A]subkey [C] desktop
subkey [S]n subkeys [Et]
subkey [C] laptopsubkey [S]n subkeys [Et]subkey [C] mobile phone
subkey [S]n subkeys [Et]
desktop is decommissioned
commission laptop again fromGnuk
commission phone from laptop
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 10 19
Signalrsquos Double Ratchet
DH and KDFs ratchets toderive session keysa
also provides Backward Secrecysending and receiving ratchetsSK derived from KDF ratchetDH ratchet pingpongsper device keysone DR per device pairSignal and OMEMO use aserver for initial DH keys
aDouble Ratchet specification
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 11 19
Ditching the server
Initial messagePKESKSEIP
OPSLiteraldataSignature+DRInitMDC
SignalOMEMOgenerate n DH keys on devices publishinitiator picks one from the servernasty race condition in OMEMO
our ideaditch the server
sacrifice protecting the first mailinclude initialization in a traditionalOpenPGP encrypted message
multiple devicesinitiator generates all keys for onersquos owndevicesencrypts these keys with the per-deviceencryption subkeys
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 12 19
Double Ratchet initialization - setting
Alice has two devices a laptop (L) and a phone (P) Bob has a desktop(D) Alice wants to send Bob a message from her laptop they have notused the ratchet algorithm before 3 ratchets (LD) (PD) and (LP)
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 13 19
Double Ratchet initialization I
Alice generates four DH pairsTwo for the laptop two for thephoneAlice sends a SEIP containerwith the message and the DHkeys
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
AliceL -gt Bob
DRInitpub [DHpubLD DH
pubPD] sec [EncP(SgnL(DHPD DHPL DH
pubLP))]
Justus Winter ltjustussequoia-pgporggtMoving forward Forward Secrecy in OpenPGPDeltaX Freiburg 2018-07-21 14 19
Double Ratchet initialization II
Bob generates two DH keypairs initializes his ratchetsBob sends his DH public keyand reflects all secrets
L
P D
DHLD
DHDL
R(LD)
DHLP
DHPL
R(LP)
DHPD DHDP
R(PD)
Bob -gt Alice
DRESKpub DHpubDL sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
DRESKpub DHpubDP sec EncP(SgnL(DHPD DHPL DH
pubLP)) esk
Page 16
Per-device keys: Example
Example key ([Er]: storage encryption and [Et]: communications encryption, the two key flags introduced above; [C] certify, [S] sign, [A] authenticate):
primary key [C]
  subkey [Er]
  subkey [A]
  subkey [C] desktop
    subkey [S]
    n subkeys [Et]
  subkey [C] laptop
    subkey [S]
    n subkeys [Et]
  subkey [C] mobile phone
    subkey [S]
    n subkeys [Et]
- desktop is decommissioned
- commission laptop again from Gnuk
- commission phone from laptop
Justus Winter <justus@sequoia-pgp.org>, Moving forward: Forward Secrecy in OpenPGP, DeltaX Freiburg, 2018-07-21, 10 / 19
Signal's Double Ratchet
- DH and KDF ratchets to derive session keys [a]
- also provides Backward Secrecy
- sending and receiving ratchets
- SK derived from KDF ratchet
- DH ratchet ping-pongs
- per-device keys: one DR per device pair
- Signal and OMEMO use a server for initial DH keys
[a] Double Ratchet specification
Ditching the server
Initial message (packet structure; PKESK: Public-Key Encrypted Session Key, SEIP: Symmetrically Encrypted Integrity Protected data, OPS: One-Pass Signature, MDC: Modification Detection Code):
  PKESK
  SEIP
    OPS
    Literal data
    Signature + DRInit
    MDC
Signal/OMEMO:
- generate n DH keys on devices, publish
- initiator picks one from the server
- nasty race condition in OMEMO
Our idea: ditch the server
- sacrifice protecting the first mail
- include initialization in a traditional OpenPGP encrypted message
Multiple devices:
- initiator generates all keys for one's own devices
- encrypts these keys with the per-device encryption subkeys
Double Ratchet initialization - setting
Alice has two devices, a laptop (L) and a phone (P). Bob has a desktop (D). Alice wants to send Bob a message from her laptop; they have not used the ratchet algorithm before. 3 ratchets: (LD), (PD) and (LP).
[Diagram: the three devices L, P and D and the three ratchets between them. R(LD) is keyed by the DH pairs DH_LD and DH_DL, R(LP) by DH_LP and DH_PL, and R(PD) by DH_PD and DH_DP; DH_XY denotes the pair device X generates for its ratchet with Y, DH_pub_XY its public part.]
Double Ratchet initialization I
Alice generates four DH pairs: two for the laptop, two for the phone. Alice sends a SEIP container with the message and the DH keys.
Alice_L -> Bob:
  DRInit{pub: [DH_pub_LD, DH_pub_PD], sec: [Enc_P(Sgn_L(DH_PD, DH_PL, DH_pub_LP))]}
Double Ratchet initialization II
Bob generates two DH key pairs and initializes his ratchets. Bob sends his DH public keys, one DRESK per device of Alice, and reflects all secrets (the sec blob is copied back unchanged, so that the phone, which never saw the initial message, receives it).
Bob -> Alice:
  DRESK{pub: DH_pub_DL, sec: Enc_P(Sgn_L(DH_PD, DH_PL, DH_pub_LP)), esk}
  DRESK{pub: DH_pub_DP, sec: Enc_P(Sgn_L(DH_PD, DH_PL, DH_pub_LP)), esk}
Double Ratchet initialization III
Alice's phone decrypts the initial DH key pairs generated on her laptop and uses them to initialize her ratchets. The Double Ratchet algorithm initialization is now complete. To send more messages, she advances her two phone ratchets by creating two new DH pairs.
Alice_P -> Bob:
  DRESK{pub: DH'_pub_PD, sec: empty, esk: Cipher_R(PD)(SK), PN, Ns}
  DRESK{pub: DH'_pub_PL, sec: empty, esk: Cipher_R(PL)(SK), PN, Ns}
(The second DRESK is keyed by the P-L ratchet, so it is addressed to Alice's laptop. PN and Ns are the Double Ratchet header counters: the length of the previous sending chain and the message number in the current one.)
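The three-device initialization described on the preceding slides, as an added example that is not part of the talk or of Sequoia's code: a stand-alone Python model of the messages Alice_L -> Bob, Bob -> {Alice_L, Alice_P} and of the phone's first DH ratchet step afterwards. It assumes a toy Diffie-Hellman group (the Mersenne prime 2^521-1 with generator 3; not a secure group, it stands in for cv25519), HMAC-SHA256 as the KDF, and a sealed-box construction as a stand-in for Enc_P; Sgn_L and the OpenPGP packet framing are not modelled. The names dr_init, dresk_l, dresk_p, seal, unseal, root, advance_pd and attacker_with_phone_key are the example's own. It also makes the trade-off the slides accept ("sacrifice protecting the first mail") concrete: a later compromise of the phone's long-term subkey together with a recorded transcript yields the initial R(PD), but the root obtained after the phone's first ratchet step depends on a fresh DH secret that has been deleted.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption for illustration only): the Mersenne prime
# 2^521-1 with generator 3. It is NOT a secure DH group; it stands in for cv25519.
P_MOD = 2**521 - 1
G = 3
NBYTES = 66  # enough bytes for any 521-bit group element


def dh_keygen():
    sec = secrets.randbelow(P_MOD - 3) + 2
    return sec, pow(G, sec, P_MOD)


def dh(sec, pub):
    return pow(pub, sec, P_MOD).to_bytes(NBYTES, "big")


def kdf(key, ikm):
    return hmac.new(key, ikm, hashlib.sha256).digest()


def keystream(key, n):
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(recipient_pub, payload):
    """Stand-in for Enc_P(): ephemeral DH to the phone's long-term encryption subkey, stream + MAC."""
    e_sec, e_pub = dh_keygen()
    key = kdf(b"seal", dh(e_sec, recipient_pub))
    ct = bytes(a ^ b for a, b in zip(payload, keystream(key, len(payload))))
    return e_pub, ct, hmac.new(key, ct, hashlib.sha256).digest()


def unseal(recipient_sec, box):
    e_pub, ct, tag = box
    key = kdf(b"seal", dh(recipient_sec, e_pub))
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("sec blob failed authentication")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def pack(*ints):
    return b"".join(i.to_bytes(NBYTES, "big") for i in ints)


def unpack(blob):
    return [int.from_bytes(blob[i:i + NBYTES], "big") for i in range(0, len(blob), NBYTES)]


def root(sec, pub):
    """Initial ratchet root R(XY) from one DH pair on each side."""
    return kdf(b"ratchet-root", dh(sec, pub))


def initialise():
    """Alice_L -> Bob, Bob -> {Alice_L, Alice_P}, then Alice_P catches up from the reflected secrets."""
    phone_lt_sec, phone_lt_pub = dh_keygen()  # the phone's per-device long-term encryption subkey

    # Alice_L: four DH pairs, two for the laptop and two for the phone (initialization I)
    ld, lp, pd, pl = dh_keygen(), dh_keygen(), dh_keygen(), dh_keygen()
    dr_init = {
        "pub": [ld[1], pd[1]],
        # Sgn_L() is not modelled; only the encryption to P of the phone's pairs and DH_pub_LP is.
        "sec": seal(phone_lt_pub, pack(pd[0], pd[1], pl[0], pl[1], lp[1])),
    }

    # Bob_D: two DH pairs, initialise R(LD) and R(PD), reflect the sec blob unchanged (initialization II)
    dl, dp = dh_keygen(), dh_keygen()
    bob = {"LD": root(dl[0], dr_init["pub"][0]), "PD": root(dp[0], dr_init["pub"][1])}
    dresk_l = {"pub": dl[1], "sec": dr_init["sec"]}
    dresk_p = {"pub": dp[1], "sec": dr_init["sec"]}

    # Alice_L: R(LD) needs Bob's DH_pub_DL; R(LP) only needs pairs the laptop generated itself
    laptop = {"LD": root(ld[0], dresk_l["pub"]), "LP": root(lp[0], pl[1])}

    # Alice_P: open the reflected secrets, then initialise R(PD) and R(LP) (initialization III)
    pd_sec, _pd_pub, pl_sec, _pl_pub, lp_pub = unpack(unseal(phone_lt_sec, dresk_p["sec"]))
    phone = {"PD": root(pd_sec, dresk_p["pub"]), "LP": root(pl_sec, lp_pub)}

    return {
        "laptop": laptop, "phone": phone, "bob": bob,
        "phone_pd_sec": pd_sec, "bob_dp": dp, "phone_lt_sec": phone_lt_sec,
        "transcript": {"dr_init": dr_init, "dresk_p": dresk_p},  # what a passive observer recorded
    }


def advance_pd(state):
    """Phone's first DH ratchet step on R(PD): fresh DH'_PD, new root on both sides, old secret erased."""
    new_sec, new_pub = dh_keygen()
    phone_new = kdf(state["phone"]["PD"], dh(new_sec, state["bob_dp"][1]))
    bob_new = kdf(state["bob"]["PD"], dh(state["bob_dp"][0], new_pub))
    state["phone_pd_sec"] = None  # DH_PD deleted: a later key compromise yields the initial root at most
    return phone_new, bob_new


def attacker_with_phone_key(state):
    """Later compromise of the phone's long-term subkey, combined with the recorded transcript."""
    t = state["transcript"]
    pd_sec = unpack(unseal(state["phone_lt_sec"], t["dresk_p"]["sec"]))[0]
    return root(pd_sec, t["dresk_p"]["pub"])  # the initial R(PD): the sacrificed first mail


if __name__ == "__main__":
    st = initialise()
    print("R(LD) agreed:", st["laptop"]["LD"] == st["bob"]["LD"])
    print("R(PD) agreed:", st["phone"]["PD"] == st["bob"]["PD"])
    print("R(LP) agreed:", st["laptop"]["LP"] == st["phone"]["LP"])
    print("initial R(PD) recoverable from phone key + transcript:",
          attacker_with_phone_key(st) == st["phone"]["PD"])
    new_phone, new_bob = advance_pd(st)
    print("after the ratchet step the roots agree and differ from the initial one:",
          new_phone == new_bob and new_phone != st["phone"]["PD"])
```

The reflected sec blob is what lets the phone join without a server: it is the same ciphertext Bob received, so Bob learns nothing from it, and the phone only needs its own long-term subkey to open it. The attacker function shows the price of that design, which is exactly the "sacrifice protecting the first mail" item on the slide.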
Double Ratchet in OpenPGP
What is needed to implement Forward Secrecy using the Double Ratchet algorithm?
- per-device keys
- two new packets: DRInit and DRESK
- keeping a lot of state in implementations
Juicy, but tricky. So let's go for Brown's short-lived encryption subkeys version first.
Ask questions! Get involved! Let's get Forward Secrecy into OpenPGP!
Check out our repository of weird keys [5]
[5] https://gitlab.com/sequoia-pgp/weird-keys
Bonus: Long-term Storage
Users expect to be able to read past mails. Two options:
- store session keys
  - we (Sequoia) want to do that anyway, for speed
  - compromise of the session key store compromises the messages
  - need to purge the session key if the message is deleted (deletability)
  - requires a one-time synchronization for new devices
- re-encrypt with a long-term archive key
  - not desirable if the messages are on a server (IMAP)
Bonus: Privacy-preserving keyservers
Keyservers are critical for distributing revocations, key renewals and new keys, but traditional keyservers are problematic:
- they expose the social graph (through third-party certifications)
- they expose names and email addresses (through user IDs)
Idea: strip third-party certifications and user IDs.
Compatibility (✓ = accepted, ✗ = rejected):
                Sequoia   GnuPG   OpenKeychain   openpgp.js   rnp
null-uid        ✓         ✓       ✓              ✓            ✗
no-bound-uid    ✓         ✗       ✗              ✗            ✗
no-uid          ✓         ✗       ✗              ✗            ✗
direct-key      ✗ ✗ ✗ ✓   (only four of the five marks survived the extraction; which column is missing is not recoverable)