Forward secrecy with hash ratchets

Alice wants to send messages to Bob. These messages are sensitive, so Alice and Bob take precautions. When they meet, they decide on a shared secret S with which to encrypt the messages. Each sent message is encrypted with the shared secret, and each received message is decrypted with the shared secret.

Eve is interested in their conversation, but hasn’t been able to read anything, because she doesn’t have the shared secret. However, Eve is able to intercept the encrypted messages, and she has been storing them up, hoping to one day decrypt them. Then one day, Eve gets lucky: she discovers a vulnerability in Bob’s phone, and she manages to steal the shared secret! With this, Eve can now decrypt the entire message history!

Is Alice and Bob’s crypto-system “secure”? A traditional perspective assumes Alice and Bob have secure machines, and attackers only control the network. In this traditional perspective, the crypto-system described is secure, and Eve’s decryption of the message history was only possible because of faulty machines. But, in the real world, Alice and Bob’s machines do have bugs; they do have vulnerabilities; they do get stolen. We should design crypto-systems which minimize the damage that an attacker can do with a compromised machine.

Specifically, can we design the crypto-system so that, even after Eve compromises Bob’s phone, she cannot decrypt her cache of the previous messages? The answer is yes, and such a system is said to have “forward secrecy”.

Consider an old plaintext message M, which was encrypted with secret S yielding ciphertext C. To implement forward secrecy, we must ensure that Bob’s phone cannot recover M. The first implication is that Bob’s phone must not store the plaintext messages. Apps like WhatsApp claim to provide forward secrecy, but they trivially fail at the first hurdle, because the apps store a plaintext message log!

Let’s assume, then, that Bob’s phone discards the message shortly after decryption. The phone shows Bob the plaintext, then destroys the message. Destroying M is better, but not enough, because Bob’s phone still has the secret S, which can be used to recover M from Eve’s stashed ciphertext C. So Bob’s phone must also destroy the secret S!

By destroying the secret S after transmitting a message, Alice and Bob have a system which provides forward secrecy. The price they have paid is that they can now only send one message! Their crypto-system wants to use the secret S to encrypt the next message, but it can’t do so after destroying S.

To extend their conversation, Alice and Bob need to agree on more secrets. So they decide that, when they meet, instead of agreeing on one shared secret S, they will agree on a long series of shared secrets S1, S2, ..., Sn. They will transfer the first message M1 with S1 to produce ciphertext C1. They will then destroy M1 and S1, so that Eve can never discover M1, even if she compromises their machines. For message M2, they will use S2, and so on, sending up to n messages before they need to meet again.

In effect, S1 through Sn are a “one-time pad”. They are a big shared key, at least as large as the plaintext, only used once. By destroying the pad as they use it, Alice and Bob guarantee forward secrecy. But the one-time pad has a couple of problems: it’s big, and it has finite length.

Both of these problems with the one-time pad can be fixed by replacing randomness with pseudo-randomness. Alice and Bob will use the shared secret S as the seed to a pseudo-random number generator (PRNG), from which they can derive the infinite stream of pseudo-random keys S1, S2, ..., etc.

A PRNG has state, and a stepper function which yields a random number along with a new state. There are many ways to implement this. For example, the state could be the seed plus a counter, and the stepper function could increment the counter, and yield a random number by hashing the seed with the counter. Would this system provide forward secrecy? No! This system never destroys the initial secret seed, meaning the entire key stream is recoverable by Eve. The previous states of the PRNG are recoverable by decrementing the counter.

For forward secrecy, we must ensure that, when stepping the PRNG, the previous state becomes unrecoverable. In other words, the stepper function must be a one-way function. The most common one-way functions are cryptographic hash functions like SHA256. This is how WhatsApp works!

Each time a new Message Key is needed by a message sender, it is calculated as:

  1. Message Key = HMAC-SHA256(Chain Key, 0x01).
  2. The Chain Key is then updated as Chain Key = HMAC-SHA256(Chain Key, 0x02).

This causes the Chain Key to “ratchet” forward, and also means that a stored Message Key can’t be used to derive current or past values of the Chain Key.

The WhatsApp whitepaper talks of “message keys” and “chain keys”, but the structure is exactly that of a pseudo-random number generator. The “chain key” is the PRNG state. The “message key” is the random number output, to be used as a one-time key.

HMAC is usually a way to sign data: signature = HMAC-SHA256(secret, plaintext). In this terminology, the Message Key is the signature resulting from signing the message 0x01 with the secret Chain Key. But this is misleading. WhatsApp is using the HMAC-SHA256 function for a different purpose: a hash function with two inputs. I believe that instead of HMAC-SHA256(Chain Key, 0x01) they could have used something like SHA256(Chain Key + 0x01).

Tagged #programming, #crypto.
👋 I'm Jim, a full-stack product engineer. Want to build an amazing product and a profitable business? Read more about me or Get in touch!

Similar posts

How to hash multiple values
Methods for hashing multiple values, including hash-then-XOR, concat-then-hash, and serialize-then-hash. The only method that’s collision-resistant is serialize-then-hash! 2018-01-09
Group chat with end-to-end encryption
Group chat with end-to-end encryption can use “client-side fan-out” where the sender encrypts the message separately for each recipient, or “server-side fan-out” where the sender encrypts the message once using a shared secret, then the server distributes the ciphertext to the group. 2017-10-25
Making a stream cipher
A stream cipher in Go that generates an infinite keystream from a shared key using SHA-256. 2018-01-01
Asymmetric encryption with the Web Cryptography API
Generating ECDH keys and deriving a shared AES key. 2017-11-03
Symmetric encryption with the Web Cryptography API
Generating a key, encrypting and decrypting text, and explaining the implementation. 2017-11-02
Signing a string with HMAC using the Web Crypto API
A web page that allows you to sign a string using the HMAC algorithm with SHA-256, implemented using the Web Crypto API. 2017-10-31

Similar posts

How to hash multiple values
Methods for hashing multiple values, including hash-then-XOR, concat-then-hash, and serialize-then-hash. The only method that’s collision-resistant is serialize-then-hash! 2018-01-09
Group chat with end-to-end encryption
Group chat with end-to-end encryption can use “client-side fan-out” where the sender encrypts the message separately for each recipient, or “server-side fan-out” where the sender encrypts the message once using a shared secret, then the server distributes the ciphertext to the group. 2017-10-25
Asymmetric encryption with the Web Cryptography API
Generating ECDH keys and deriving a shared AES key. 2017-11-03
Symmetric encryption with the Web Cryptography API
Generating a key, encrypting and decrypting text, and explaining the implementation. 2017-11-02
Signing a string with HMAC using the Web Crypto API
A web page that allows you to sign a string using the HMAC algorithm with SHA-256, implemented using the Web Crypto API. 2017-10-31
Hashing a string with the Web Cryptography API
The Web Cryptography API provides low-level crypto primitives in JavaScript, including hashing strings using SHA-256. 2017-10-30

More by Jim

What does the dot do in JavaScript?
foo.bar, foo.bar(), or foo.bar = baz - what do they mean? A deep dive into prototypical inheritance and getters/setters. 2020-11-01
Smear phishing: a new Android vulnerability
Trick Android to display an SMS as coming from any contact. Convincing phishing vuln, but still unpatched. 2020-08-06
A probabilistic pub quiz for nerds
A “true or false” quiz where you respond with your confidence level, and the optimal strategy is to report your true belief. 2020-04-26
Time is running out to catch COVID-19
Simulation shows it’s rational to deliberately infect yourself with COVID-19 early on to get treatment, but after healthcare capacity is exceeded, it’s better to avoid infection. Includes interactive parameters and visualizations. 2020-03-14
The inception bar: a new phishing method
A new phishing technique that displays a fake URL bar in Chrome for mobile. A key innovation is the “scroll jail” that traps the user in a fake browser. 2019-04-27
The hacker hype cycle
I got started with simple web development, but because enamored with increasingly esoteric programming concepts, leading to a “trough of hipster technologies” before returning to more productive work. 2019-03-23
Project C-43: the lost origins of asymmetric crypto
Bob invents asymmetric cryptography by playing loud white noise to obscure Alice’s message, which he can cancel out but an eavesdropper cannot. This idea, published in 1944 by Walter Koenig Jr., is the forgotten origin of asymmetric crypto. 2019-02-16
How Hacker News stays interesting
Hacker News buried my post on conspiracy theories in my family due to overheated discussion, not censorship. Moderation keeps the site focused on interesting technical content. 2019-01-26
My parents are Flat-Earthers
For decades, my parents have been working up to Flat-Earther beliefs. From Egyptology to Jehovah’s Witnesses to theories that human built the Moon billions of years in the future. Surprisingly, it doesn’t affect their successful lives very much. For me, it’s a fun family pastime. 2019-01-20
The dots do matter: how to scam a Gmail user
Gmail’s “dots don’t matter” feature lets scammers create an account on, say, Netflix, with your email address but different dots. Results in convincing phishing emails. 2018-04-07
The sorry state of OpenSSL usability
OpenSSL’s inadequate documentation, confusing key formats, and deprecated interfaces make it difficult to use, despite its importance. 2017-12-02
I hate telephones
I hate telephones. Some rational reasons: lack of authentication, no spam filtering, forced synchronous communication. But also just a visceral fear. 2017-11-08
The Three Ts of Time, Thought and Typing: measuring cost on the web
Businesses often tout “free” services, but the real costs come in terms of time, thought, and typing required from users. Reducing these “Three Ts” is key to improving sign-up flows and increasing conversions. 2017-10-26
Granddad died today
Granddad died. The unspoken practice of death-by-dehydration in the NHS. The Liverpool Care Pathway. Assisted dying in the UK. The importance of planning in end-of-life care. 2017-05-19
How do I call a program in C, setting up standard pipes?
A C function to create a new process, set up its standard input/output/error pipes, and return a struct containing the process ID and pipe file descriptors. 2017-02-17
Your syntax highlighter is wrong
Syntax highlighters make value judgments about code. Most highlighters judge that comments are cruft, and try to hide them. Most diff viewers judge that code deletions are bad. 2014-05-11

This page copyright James Fisher 2017. Content is not associated with my employer. Found an error? Edit this page.

Jim Fisher
CV
Speaking
Blogroll
RSS
TigYog
Kickabout