Double Ratchet Messaging Encryption - Computerphile
HTML-код
- Опубликовано: 22 ноя 2018
- How does instant messaging encryption protect against attack? Dr Mike Pound on the double ratchet.
Diffie Hellman Key Exchange Explained: • Secret Key Exchange (D...
Signal Protocol: • How Signal Instant Mes...
Endianness Explained with an Egg: • Endianness Explained W...
/ computerphile
/ computer_phile
This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com
Dr. Mike Pound is my favorite person that you have ever had on. His explanations are always very clear
Not to mention he's quite charismatic.
Please do a video on how group conversations are encrypted :)
Earthcomputer
That would be an interesting one 👌🏻
I would guess every person has a "receiving ratchet" for every other person in the group and then just applys the same principle. But it would be an interesting video for sure :D
A group conversation... between Alice, Bob, Carol and Ted!
They said another video about it at the end, and that it's messy. I'm looking forward to it.
I'm also looking forward to this one
Mike should get his own BBC series.
Spoken like a truly naive person. Sure way to make it so that he could no longer be impartial, nor say anything that could be construed as impinging on Big Brother
@@stupidtreehugger The fact that you're able to tell everyone about conspiracies and no one's stopped you should be an indication that your conspiracies are wrong.
At some point, there needs to be an Alice and Bob wedding video. Unless it is done in complete secrecy of course.
Mallory will show up and ruin the wedding.
Oscar will appear at the wedding, for sure.
We can perform a nan in the middle attack, and watch the wedding anyway
The wedding location will be obfuscated.
Dr. Pound, thanks to you and your crew for all you do. You bring a lot of clarity to a subject that can be convoluted.
I'm just writing a comment knowing that YT rates the videos with comments higher than those without, and Mr. Pence deserves every bit of attention he can get. Much love
Doctor Mike is my favorite doctor. My father will have to be content with only being the best father in the world. Sorry dad.
Computerphile, we've entrusted you with the Earth's remaining supply of tractor fed paper for impact printers. Please consider using it more sparingly.
matt b use it as you see fit, it's recyclable.
Wowthatsfail but it recycles into other paper types, soon the planet will be all out of tractor fed paper for impact printers!
I
I bet they use it unsparingly because they must have a room full of this paper dating from an older time when someone thought they'd use a lot over time so better order it all at once to pay smaller price and then it got outdated and they're left with tons of this paper in their hands not knowing what to do with it
I am a simple man. I see Dr Mike Pound in the thumbnail, I click.
You Pound.... _pound_
Always a pleasure to watch Dr. Mike Pound :)
Excellent information from Mike as always and great visuals to help show the ratchet in action. The visuals really helped me out
Thank you 😊🙏
This by far is the best channel. Alongside Numberphile of course 😜
The world needed that animation. Wish I'd have had stuff like that in my university courses.
Please keep up the messaging protocol content. Great stuff as usual!
I liked your video a lot. It has helped me study for a far too soon exam.
Nevertheless, I find it worth mentioning, how the DH key pairs are changed in a ping-pong effect in the Signal Protocol. When A receives a message from B with a new public key e_B, A changes it's root key once, with the new K_DH=DH(d_A, e_B) key, the it re-initializes the read chain. After that, A creates a new DH key pair and then re-initializes the send chain. So when A sends a message again, it will come with A's new publih DH key and start the same procedure for B.
Really good graphics along with well explained content. Thanks for this. I've been reading up on Signal and this video helps a great deal.
Great video, well explained and answered all my questions! Thanks Mike. Now it's time to watch the video
Been curious about this for a while but too lazy to look into it myself, thanks!
Really reminds me of the wheels turning in an Enigma machine.
Please do a video on why his hands look so strange when the view of the paper is rotated
It's to do with filming angles. The guy filming is sitting next to them as they write stuff, so he has to go back in and stretch/shrink things to get the "top-down" view. That makes the paper look normal, but his hands get distorted.
I'd still like a video about it, though! Probably some really interesting tech behind it.
The video renderer is using matrix multiplication to orient the paper properly by stretching and rotating the video. As a side effect, it also makes his hands stretched.
These encryption videos are wonderful! Can we have a video on initialization vectors plz?
Yes!!! Dr Pound!!!
The starting at the same position and the synchronized ratcheting part strongly resemble (electro)mechanical cryptographic machines IMO. The Enigma for example would use a single set of ratchets for the send and recieve parts, because it was self-reciprocal, i.e. inputting the encoded message would output the cleartext message.
Bloody genius! Can we get one on group messages in Signal?
Please send my regards to Dr Mike, my dream is to study under this guy
You said that video packets are encrypted the same way. Since they can arrive out of order (hence the sequence numbers), how are they gonna sync the keys appropriately in order for the message to be decrypted?
I honestly can't wait for the video that talks about how this applies to more than 2 people.
honestly cant believe this is free. AWESOMEEEEEEEEEEEEEEE
Hi
I keep watching your (awesome) vedios again and again , but I still can't manage to answer about ssl attacks that I have to do ( as work sheet ) . How do I reach you in person. To get some help answering the questions?
Love your video!
@Michael Pound / @ Computerphile How does the KDF ratchet impact the entropy of the derived keys? Will it degrade over time if a new DH ratchet is not performed?
That was an awesome explanation... THANKS!!!! Does any one know how to create those wheels for a demo purposes...??
I watch almost all of the videos on this channel and I have no idea what 99% of them are about. Still love it though. Everytime I get something out of that 1%.
I'm sorry, they *do* carry out a DH exchange on every message?
So, by the time I went online and sent receipt acknowledgements, our ratchets have been updated?
When are they incremented normally then, only while one of the parties is offline, for that chunk of messages?
And in that case, only one attempt at DH is "in-flight", since the further "offline" messages don't yet have a completed DH result to use?
Or in reality, both parties store a queue of incomplete DH exchanges, so each message sent can complete one exchange and begin another?
I think I'm a Mike Pound phile.
Mike*
Mike*
I love this guy.
Love this guy
Please do a video on threshold cryptography!!
9:05 I can just imagine the debug log: user:alice: "well that's, not right".
"in practice they [the DH ratchets] are sent every message" but why would one need the other ratchets then, if they get reset on each message? just so Alice goes through more than one key even though Bob never sent her a new DH one because his phone was off/he wasn't replying/etc?
Wondering about that too...
Hi! Great question, you're exactly right. The KDF ratchet helps when the messaging is one way, e.g. Alice sends 10 messages when Bob sends none. She doesn't continue to send new DH keys for these messages.
Michael Pound thank you, that was really bugging me!
@@michaelpound9891 am I right in thinking that the keys produced by the ratchet are symmetric keys (since these are faster for encrypting messages with) whereas the already established assymetric keys are used for the Diffie Helman exchanges?
joebloggsgogglebox
Yupe,
Will in applied cryptography ..specially in chatting ...Asymmetric encryption is only used to form a secret channel where we can send a symmetric key something powerful and easily computable for a low end device like a phone (compared with a full PC Graphic Card )
If you do DH on every message do you need the other key derivation ratchets anymore?
Can you guys do a video on how the TFA in USB security keys works? And is there an independent way to verify that all these apps and TFA's and ciphers etc are doing what they say they're doing? Or do we just "trust" them.
Alice and Bob in chains
lmao
aaaayyyyy nice one!
Question: if someone finds out a key at some point, if they don't miss out on any messages, why can they still figure out the next messages? i.e. why doesn't the DH ratchet exclude the intruders from future communication if they have the current keys?
in your original DH vid, you mentioned in passing that if Eve can modify parts of the DH exchange then all bets were off. does this protocol do anything to ameliorate that problem?
thanks for the vids, Mike.
This is handled by the identity keys during the initial exchange, back in the previous video. By the time we're using the ratchets, we assume noone else is involved.
I see I'm a bit late in this conversation, but I'd like a bit of clarification about the DH ratchet: I use Signal app, and want to know how this correlates; would this be the operation of manually resetting the session, or am I way off? Thanks for your time and consideration. Also gave this channel a thumb and a sub!
No, it just happens every few messages automatically.
KDF is gonna rock you
If the keys are deleted as soon as the message is decrypted, how do you read messages from a long time ago? Are they encrypted on disk using a different mechanism?
Exactly that
Who else is watching this in 2021? suddenly super relevant!
Did they make that "other video" i rly want to know how this works in a group chat.
Ho does group chats work then? Do they use multiple keys for each pair or one single key for a group? @computerphile
@Computerphile so if DH rtchet is being reset so often that means that endpoint device is either storing the history of the reset values or rather more worringsome unencrypted messages. Is it actually the case or am I missing something?
PS Huge fan of all of the videos
yeah I'm wondering about that too
"You must never break the chain." -Stevie Nicks
How does this work for conversations with more than two people?
Is there the video for the group chat encryption?
I wonder if the ultimate potential for this is to integrate it with a blockchain like an Ethereum DAPP or put it on the IPFS, that way all the "server" computation is both decentralized and open to audit
Could you do a video on Telegram? Is it different? If I remember correctly, they got a lot of flak for implementing their own algorithm, but as far as I know, nobody could yet prove their implementation to be insecure.
The problem isn't as much that Telegram E2EE is bad, it's that it's not on by default, it's not available for group messaging, and it's not available at all for desktop clients. Signal is always E2EE.
Why would you not use a different KDF on the output of the ratchet, so that you can never know the state of the ratchet even if you have the message key?
HI All, somehow it's not clear to me ,when the Diffie hellman ratchet forwards !Any thoughts ?
It's like an enigma machine.
Very cool
Just curious. If people tend to tick Diffie Hellman Ratchet every message, and everything gets reset every message, why don't they just use the Diffie Hellman Ratchet?
Exactly, from the video it seems like the first ratchet never gets used.
I was thinking the same thing. My only guess is the DH ratchet only gets “ticked” when Alice sends and then Bob immediately replies. If Alice sends 10 messages before Bob replies, then Alice’s sending ratchet gets ticked 10 times (once for each message). When Bob finally reads the messages his receiving ratchet gets ticked 10 times. Then when Bob replies he includes a DH tick response back to Alice and both reset their send and receive ratchets. Just my guess, maybe an expert can confirm.
@@notreallyme425 I think you're correct here (or at least mostly so; I'm not sure your use of "tick" is consistent with the video content, but it's 3am so I may just be confused :)).
The video clarifies things at 7:40 when discussing asynchronous messages.
and how are the keys are communicated? how is the first key communicated?
Hang on. If DH is getting done with each message, how can one end 'catch up' if it recognises that some messages from the other party have been lost? The end that hasn't received messages can't do the DH exchanges for those lost messages can it? And how can the sender create new KDF keys using DH each time if the remote isn't about to dl the DH exchange with? DH is an exchange isn't it? I must be missing something.
Chris Nisbet Lost DH messages are a real problem. One way DH is fine if as long as at least one DH public key was sent in each direction.
Can you maybe do video on quantum computers but more in a way to how it’s related to breaking asymmetric encryption? And how Shor’s algorithm would would do this?
This would be an interesting topic, although quite advanced. JPA talked about Signal's DH ratchet making Shor's algorithm less effective in his book "Serious Cryptography (2018)".
6:30 - If Bob sends a new Diffie Hellman PK to make Alice's DH ratchet turn, can this PK not be copied by someone who is snooping, to turn their own DH ratchet, thus keeping in sync with Alice?
what about telegram and it's mtproto protocol?
Cataclysmal
That’s a nice wanna would love to see a video about that
...
And since singnal is open sourced (client part ) would love if they showed us some code
Telegram is not E2EE by default
*_...is he sending color-coded messages [_**_00:11_**_] red vs green [_**_00:31_**_]..._*
Maybe I'm misunderstanding this, but if the diffie-helman exchange is done for every message, doesn't that sort of make everything else redundant? The original goal of the ratchet algorithm was to make sure breaking a key didn't give access to all the past keys but that's not possible anyway if we keep resetting the ratchets everytime with a DH exchange right?
Could someone please clarify this for me?
Changeing the DH every message is not strictly necessary. I looked up the detailed specification and from what I understand, it does not update if Alice (or Bob) sends multiple messages in a row.
What about using multiple devices then? E.g. with Whatsapp you can use desktop app but you have to scan the QR from your mobile device, does it mean that's the moment when keys synchronization happens?
Ok now I'm just thinking about how the heck do the messages all synk up when you use desktop what's app?
Does Viber also use a double ratchet?
drink every time Dr. Mike Pound says diffie helman
How can we know if what's app is actually doing all the encryption? I know we had the out of band number from the last episode, but how do we know they aren't just sending random numbers? Basically, can we prove they're doing encryption, or do we just have to take their word for it?
@@00O3O1B since hes been using what's app and FB messenger as his examples, are they open source? Or do we just have to "trust" them. If they're not open source, what else would you use since almost everyone uses those to communicate. I'd hate to be that one person that says "you can only chat with me if you use this obscure third party open source app".
@@thejedijohn You either trust them, or you reverse engineer the machine code to figure out if it's actually doing what it's supposed to. If you don't want to do either, use an open source alternative.
@@maqp1492 Exactly. I would not trust Facebook. Not because I think they are "evil" but because they are so large that they would be under immense pressure to install backdoors for governments. I would be absolutely shocked if they have not already done so for various governments around the world.
attacking using ss7 will allow you to control the phone as if you was admin , you can then see all messages
How about images? How are those incorporated in the e2ee? Because you can download older images.
Images are encrypted with separate encryption key that is delivered inside normal Signal message. If the Signal client caches the image decryption key it its logfile, it can download and decrypt the image later. Everything is E2EE in Signal.
Why do u need a send and rec rachet, when u sent a DH with every Massage? Isnt it allrdy encrypted (enough) with a DH send?
There is another comment were your question got answered.
Why not derive 2 keys with kdf first one use as input for the next round and second one as encryption key. So even encryption key is compromised the attatacker can not caculate the next key? Sure dh should be done in intervals too.
Danke
What if somebody cracks the private key of the DH ratchet? How is it future proof after that?
Every DH step chooses a new private key.
9:15 so when a message gets sent by bob that says "ok this is message number 9 in the chain" and alice's chain is only 2 ticks long, she goes forward 7 ticks without DH exchanges? what if i send 100 messages while alice is offline and someone captures the first packet?
If someone captures a packet they probably won't be able to break the key. But you're right, if they did then the chain is broken until a DH message. This means that if you send 100 messages without a reply (and new DH) then that's technically not as strong as alternating messages. In general i'd say the risk probably isn't worth worrying about, as it's so low.
how do im applications that allow you to use multiple devices keep data secure? or do they just use have the server able to decrpyt it? eg i can send someone an im with facebook messenger on my phone, and then see there reply on my laptop?
robert moore They basically have to copy at least the keys between devices. Big companies like facebook and Google probably do this by storing it on their servers. Less "successful" companies may ask you to transport it yourself so they can't spy on you.
So forward secrecy is still broken if the DH gets revealed?
No. root chain KDF ratchet provides forward secrecy with the preimage resistance of the underlying hash function (SHA256 or SHA512).
oh god he put Diffie-Hellman on the screen instead of just saying it, i've thought it was "Tiffy Hellman" this whole time
I mean Mike Pound is great at explaining stuff but he does look a bit like a super villain.
transcriber is not enabled, what a pity!
RUclips community subtitles are switched on to allow the community to
help subtitle the films. Sadly this means the automatic subs don't show.
Perhaps go into community subs and look there? >Sean
Can someone please, please tell me how homomorphic encryption works (databases)
Vs traditional PGP who wins?
christmas came early!
nice!
Aren’t ratchet functions and trapdoor functions the same beast really? Cheers!
If I deleted the app in my device, does that mean I won't be able to read my previous messages even if I reinstall the app?
As long as you remember to save your backup phrase before hand and also have a copy of your chat backup on your microsd
Expectation: Perfect e2e encrypted messaging
Reality: “Error handling incoming message” for 15 messages in a row 😂
Whatsapp's backup and sync "feature" removes all the encryption and backs up the messages on their servers in plain text. So what's the point of their encryption, since pretty much everyone will have backup on by default, so even the messages you sent in Whatsapp will be backed up by the person you sent it to?
Whatsapp is going to implement encryption on google drive backups
Is this ratchet logic the reason why newly added participants to groups cannot usually see group message history?
If you have a decent production team and the subject is sitting. it may be a good idea to use mmanual focus and just sit the subject in the plane of focus.
Your video has some f focus hunting in the beginning. Hope that helps...
So, is messenger more secure than the NSA messaging app?
What?
this was amazing wow i didnt know signal was so epic. it sucks that nobody i know is interested in using signal ¯\_ಠ_ಠ_/¯
How dose diffie hellman work in i grupp chat ?
it doesnt. group chats aren't end-to-end encrypted.
Funny how it’s similar to how the Enigma works on a physical level.
The hash ratchet part is, except the period length is absolutely insane compared to Enigma :D
What I always wonder is: Are there any possibilities for the company (e.g. WhatsApp) to create a backdoor for secret services or anything like that?