1# Olm: A Cryptographic Ratchet 2 3An implementation of the double cryptographic ratchet described by 4https://whispersystems.org/docs/specifications/doubleratchet/. 5 6## Notation 7 8This document uses $`\parallel`$ to represent string concatenation. When 9$`\parallel`$ appears on the right hand side of an $`=`$ it means that 10the inputs are concatenated. When $`\parallel`$ appears on the left hand 11side of an $`=`$ it means that the output is split. 12 13When this document uses $`\operatorname{ECDH}\left(K_A,K_B\right)`$ it means 14that each party computes a Diffie-Hellman agreement using their private key 15and the remote party's public key. 16So party $`A`$ computes $`\operatorname{ECDH}\left(K_B^{public},K_A^{private}\right)`$ 17and party $`B`$ computes $`\operatorname{ECDH}\left(K_A^{public},K_B^{private}\right)`$. 18 19Where this document uses $`\operatorname{HKDF}\left(salt,IKM,info,L\right)`$ it 20refers to the [HMAC-based key derivation function][] with a salt value of 21$`salt`$, input key material of $`IKM`$, context string $`info`$, 22and output keying material length of $`L`$ bytes. 23 24## The Olm Algorithm 25 26### Initial setup 27 28The setup takes four [Curve25519][] inputs: Identity keys for Alice and Bob, 29$`I_A`$ and $`I_B`$, and one-time keys for Alice and Bob, 30$`E_A`$ and $`E_B`$. A shared secret, $`S`$, is generated using 31[Triple Diffie-Hellman][]. The initial 256 bit root key, $`R_0`$, and 256 32bit chain key, $`C_{0,0}`$, are derived from the shared secret using an 33HMAC-based Key Derivation Function using [SHA-256][] as the hash function 34([HKDF-SHA-256][]) with default salt and ``"OLM_ROOT"`` as the info. 35 36```math 37\begin{aligned} 38 S&=\operatorname{ECDH}\left(I_A,E_B\right)\;\parallel\; 39 \operatorname{ECDH}\left(E_A,I_B\right)\;\parallel\; 40 \operatorname{ECDH}\left(E_A,E_B\right)\\ 41 42 R_0\;\parallel\;C_{0,0}&= 43 \operatorname{HKDF}\left(0,S,\text{``OLM\_ROOT"},64\right) 44\end{aligned} 45``` 46 47### Advancing the root key 48 49Advancing a root key takes the previous root key, $`R_{i-1}`$, and two 50Curve25519 inputs: the previous ratchet key, $`T_{i-1}`$, and the current 51ratchet key $`T_i`$. The even ratchet keys are generated by Alice. 52The odd ratchet keys are generated by Bob. A shared secret is generated 53using Diffie-Hellman on the ratchet keys. The next root key, $`R_i`$, and 54chain key, $`C_{i,0}`$, are derived from the shared secret using 55[HKDF-SHA-256][] using $`R_{i-1}`$ as the salt and ``"OLM_RATCHET"`` as the 56info. 57 58```math 59\begin{aligned} 60 R_i\;\parallel\;C_{i,0}&= 61 \operatorname{HKDF}\left( 62 R_{i-1}, 63 \operatorname{ECDH}\left(T_{i-1},T_i\right), 64 \text{``OLM\_RATCHET"}, 65 64 66 \right) 67\end{aligned} 68``` 69 70### Advancing the chain key 71 72Advancing a chain key takes the previous chain key, $`C_{i,j-1}`$. The next 73chain key, $`C_{i,j}`$, is the [HMAC-SHA-256][] of ``"\x02"`` using the 74previous chain key as the key. 75 76```math 77\begin{aligned} 78 C_{i,j}&=\operatorname{HMAC}\left(C_{i,j-1},\text{``\char`\\x02"}\right) 79\end{aligned} 80``` 81 82### Creating a message key 83 84Creating a message key takes the current chain key, $`C_{i,j}`$. The 85message key, $`M_{i,j}`$, is the [HMAC-SHA-256][] of ``"\x01"`` using the 86current chain key as the key. The message keys where $`i`$ is even are used 87by Alice to encrypt messages. The message keys where $`i`$ is odd are used 88by Bob to encrypt messages. 89 90```math 91\begin{aligned} 92 M_{i,j}&=\operatorname{HMAC}\left(C_{i,j},\text{``\char`\\x01"}\right) 93\end{aligned} 94``` 95 96## The Olm Protocol 97 98### Creating an outbound session 99 100Bob publishes the public parts of his identity key, $`I_B`$, and some 101single-use one-time keys $`E_B`$. 102 103Alice downloads Bob's identity key, $`I_B`$, and a one-time key, 104$`E_B`$. She generates a new single-use key, $`E_A`$, and computes a 105root key, $`R_0`$, and a chain key $`C_{0,0}`$. She also generates a 106new ratchet key $`T_0`$. 107 108### Sending the first pre-key messages 109 110Alice computes a message key, $`M_{0,j}`$, and a new chain key, 111$`C_{0,j+1}`$, using the current chain key. She replaces the current chain 112key with the new one. 113 114Alice encrypts her plain-text with the message key, $`M_{0,j}`$, using an 115authenticated encryption scheme (see below) to get a cipher-text, 116$`X_{0,j}`$. 117 118She then sends the following to Bob: 119 * The public part of her identity key, $`I_A`$ 120 * The public part of her single-use key, $`E_A`$ 121 * The public part of Bob's single-use key, $`E_B`$ 122 * The current chain index, $`j`$ 123 * The public part of her ratchet key, $`T_0`$ 124 * The cipher-text, $`X_{0,j}`$ 125 126Alice will continue to send pre-key messages until she receives a message from 127Bob. 128 129### Creating an inbound session from a pre-key message 130 131Bob receives a pre-key message as above. 132 133Bob looks up the private part of his single-use key, $`E_B`$. He can now 134compute the root key, $`R_0`$, and the chain key, $`C_{0,0}`$, from 135$`I_A`$, $`E_A`$, $`I_B`$, and $`E_B`$. 136 137Bob then advances the chain key $`j`$ times, to compute the chain key used 138by the message, $`C_{0,j}`$. He now creates the 139message key, $`M_{0,j}`$, and attempts to decrypt the cipher-text, 140$`X_{0,j}`$. If the cipher-text's authentication is correct then Bob can 141discard the private part of his single-use one-time key, $`E_B`$. 142 143Bob stores Alice's initial ratchet key, $`T_0`$, until he wants to 144send a message. 145 146### Sending normal messages 147 148Once a message has been received from the other side, a session is considered 149established, and a more compact form is used. 150 151To send a message, the user checks if they have a sender chain key, 152$`C_{i,j}`$. Alice uses chain keys where $`i`$ is even. Bob uses chain 153keys where $`i`$ is odd. If the chain key doesn't exist then a new ratchet 154key $`T_i`$ is generated and a new root key $`R_i`$ and chain key 155$`C_{i,0}`$ are computed using $`R_{i-1}`$, $`T_{i-1}`$ and 156$`T_i`$. 157 158A message key, 159$`M_{i,j}`$ is computed from the current chain key, $`C_{i,j}`$, and 160the chain key is replaced with the next chain key, $`C_{i,j+1}`$. The 161plain-text is encrypted with $`M_{i,j}`$, using an authenticated encryption 162scheme (see below) to get a cipher-text, $`X_{i,j}`$. 163 164The user then sends the following to the recipient: 165 * The current chain index, $`j`$ 166 * The public part of the current ratchet key, $`T_i`$ 167 * The cipher-text, $`X_{i,j}`$ 168 169### Receiving messages 170 171The user receives a message as above with the sender's current chain index, $`j`$, 172the sender's ratchet key, $`T_i`$, and the cipher-text, $`X_{i,j}`$. 173 174The user checks if they have a receiver chain with the correct 175$`i`$ by comparing the ratchet key, $`T_i`$. If the chain doesn't exist 176then they compute a new root key, $`R_i`$, and a new receiver chain, with 177chain key $`C_{i,0}`$, using $`R_{i-1}`$, $`T_{i-1}`$ and 178$`T_i`$. 179 180If the $`j`$ of the message is less than 181the current chain index on the receiver then the message may only be decrypted 182if the receiver has stored a copy of the message key $`M_{i,j}`$. Otherwise 183the receiver computes the chain key, $`C_{i,j}`$. The receiver computes the 184message key, $`M_{i,j}`$, from the chain key and attempts to decrypt the 185cipher-text, $`X_{i,j}`$. 186 187If the decryption succeeds the receiver updates the chain key for $`T_i`$ 188with $`C_{i,j+1}`$ and stores the message keys that were skipped in the 189process so that they can decode out of order messages. If the receiver created 190a new receiver chain then they discard their current sender chain so that 191they will create a new chain when they next send a message. 192 193## The Olm Message Format 194 195Olm uses two types of messages. The underlying transport protocol must provide 196a means for recipients to distinguish between them. 197 198### Normal Messages 199 200Olm messages start with a one byte version followed by a variable length 201payload followed by a fixed length message authentication code. 202 203``` 204 +--------------+------------------------------------+-----------+ 205 | Version Byte | Payload Bytes | MAC Bytes | 206 +--------------+------------------------------------+-----------+ 207``` 208 209The version byte is ``"\x03"``. 210 211The payload consists of key-value pairs where the keys are integers and the 212values are integers and strings. The keys are encoded as a variable length 213integer tag where the 3 lowest bits indicates the type of the value: 2140 for integers, 2 for strings. If the value is an integer then the tag is 215followed by the value encoded as a variable length integer. If the value is 216a string then the tag is followed by the length of the string encoded as 217a variable length integer followed by the string itself. 218 219Olm uses a variable length encoding for integers. Each integer is encoded as a 220sequence of bytes with the high bit set followed by a byte with the high bit 221clear. The seven low bits of each byte store the bits of the integer. The least 222significant bits are stored in the first byte. 223 224**Name**|**Tag**|**Type**|**Meaning** 225:-----:|:-----:|:-----:|:-----: 226Ratchet-Key|0x0A|String|The public part of the ratchet key, Ti, of the message 227Chain-Index|0x10|Integer|The chain index, j, of the message 228Cipher-Text|0x22|String|The cipher-text, Xi, j, of the message 229 230The length of the MAC is determined by the authenticated encryption algorithm 231being used. (Olm version 1 uses [HMAC-SHA-256][], truncated to 8 bytes). The 232MAC protects all of the bytes preceding the MAC. 233 234### Pre-Key Messages 235 236Olm pre-key messages start with a one byte version followed by a variable 237length payload. 238 239``` 240 +--------------+------------------------------------+ 241 | Version Byte | Payload Bytes | 242 +--------------+------------------------------------+ 243``` 244 245The version byte is ``"\x03"``. 246 247The payload uses the same key-value format as for normal messages. 248 249**Name**|**Tag**|**Type**|**Meaning** 250:-----:|:-----:|:-----:|:-----: 251One-Time-Key|0x0A|String|The public part of Bob's single-use key, Eb. 252Base-Key|0x12|String|The public part of Alice's single-use key, Ea. 253Identity-Key|0x1A|String|The public part of Alice's identity key, Ia. 254Message|0x22|String|An embedded Olm message with its own version and MAC. 255 256## Olm Authenticated Encryption 257 258### Version 1 259 260Version 1 of Olm uses [AES-256][] in [CBC][] mode with [PKCS#7][] padding for 261encryption and [HMAC-SHA-256][] (truncated to 64 bits) for authentication. The 262256 bit AES key, 256 bit HMAC key, and 128 bit AES IV are derived from the 263message key using [HKDF-SHA-256][] using the default salt and an info of 264``"OLM_KEYS"``. 265 266```math 267\begin{aligned} 268 AES\_KEY_{i,j}\;\parallel\;HMAC\_KEY_{i,j}\;\parallel\;AES\_IV_{i,j} 269 &= \operatorname{HKDF}\left(0,M_{i,j},\text{``OLM\_KEYS"},80\right) 270\end{aligned} 271``` 272 273The plain-text is encrypted with AES-256, using the key $`AES\_KEY_{i,j}`$ 274and the IV $`AES\_IV_{i,j}`$ to give the cipher-text, $`X_{i,j}`$. 275 276Then the entire message (including the Version Byte and all Payload Bytes) are 277passed through [HMAC-SHA-256][]. The first 8 bytes of the MAC are appended to the message. 278 279## Message authentication concerns 280 281To avoid unknown key-share attacks, the application must include identifying 282data for the sending and receiving user in the plain-text of (at least) the 283pre-key messages. Such data could be a user ID, a telephone number; 284alternatively it could be the public part of a keypair which the relevant user 285has proven ownership of. 286 287### Example attacks 288 2891. Alice publishes her public [Curve25519][] identity key, $`I_A`$. Eve 290 publishes the same identity key, claiming it as her own. Bob downloads 291 Eve's keys, and associates $`I_A`$ with Eve. Alice sends a message to 292 Bob; Eve intercepts it before forwarding it to Bob. Bob believes the 293 message came from Eve rather than Alice. 294 295 This is prevented if Alice includes her user ID in the plain-text of the 296 pre-key message, so that Bob can see that the message was sent by Alice 297 originally. 298 2992. Bob publishes his public [Curve25519][] identity key, $`I_B`$. Eve 300 publishes the same identity key, claiming it as her own. Alice downloads 301 Eve's keys, and associates $`I_B`$ with Eve. Alice sends a message to 302 Eve; Eve cannot decrypt it, but forwards it to Bob. Bob believes the 303 Alice sent the message to him, wheras Alice intended it to go to Eve. 304 305 This is prevented by Alice including the user ID of the intended recpient 306 (Eve) in the plain-text of the pre-key message. Bob can now tell that the 307 message was meant for Eve rather than him. 308 309## IPR 310 311The Olm specification (this document) is hereby placed in the public domain. 312 313## Feedback 314 315Can be sent to olm at matrix.org. 316 317## Acknowledgements 318 319The ratchet that Olm implements was designed by Trevor Perrin and Moxie 320Marlinspike - details at https://whispersystems.org/docs/specifications/doubleratchet/. Olm is 321an entirely new implementation written by the Matrix.org team. 322 323[Curve25519]: http://cr.yp.to/ecdh.html 324[Triple Diffie-Hellman]: https://whispersystems.org/blog/simplifying-otr-deniability/ 325[HMAC-based key derivation function]: https://tools.ietf.org/html/rfc5869 326[HKDF-SHA-256]: https://tools.ietf.org/html/rfc5869 327[HMAC-SHA-256]: https://tools.ietf.org/html/rfc2104 328[SHA-256]: https://tools.ietf.org/html/rfc6234 329[AES-256]: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf 330[CBC]: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf 331[PKCS#7]: https://tools.ietf.org/html/rfc2315 332