A lot of people are communicating over the internet on their phone now, not just SMS, you know, messages like Signal, WhatsApp, Facebook Messenger. They all have some kind of end-to-end encryption these days. So this is not the same as when you go online to, let's say, an online shop and you immediately have a conversation and set up an encrypted connection. This is much slower than that and much more asynchronous. So there's a lot of difficulties when using instant messaging or, you know, application-based messaging, because we don't really know what's going on between the two parties. So I send you a message; theoretically some trustworthy server takes that message and forwards it on onto your phone, right? Theoretically, right? How much do we trust the server? I suppose it depends on the app, but in any case maybe we want to try and use a protocol that means even if we don't trust the server, there's not a lot the server can do, right? And that's what the Signal protocol uses, and by association WhatsApp, Facebook Messenger and things like this. I'll put my phone down and we'll talk about Alice and Bob again, because we always talk about Alice and Bob, right? So they want to have a conversation via a server between themselves, right? Now the problem is that maybe Bob installed the application, so he installed Signal or WhatsApp or something like this, six months ago, and he's just waiting patiently for some friend to turn up and install the app as well, right? I get lots of invites to install various different chat apps. Most of them I turn down because I don't want that many icons on my phone. So what will happen is Bob will start by installing the app, and completely aside from whoever he wants to talk to later, he's going to send a few things to the server. He's going to send a public key.

That's his identity. So that's his identity public key for Bob. This is going to be a public key on an elliptic curve, like lots of the ones we've talked about, and it'll have a private component, or a private key, associated with it that will be kept to himself. He's also going to sign a public key to verify that he's in control of his private key. That's kind of standard in cryptography. And then he's going to produce a list of one-time pre-keys. Remember that what he wants to do is have key exchange conversations between Alice or Charlie or anyone else that comes along, and he wants to do that not knowing when they're going to come along. So he's going to send his parts of the messages ahead of time to the server. So he's going to have, you know, a one-use public key here and another one, another one, and he's going to number these or something like this. So this is one, two, three and number four. So these are all public keys of which he has the private keys stashed on his phone, right, on his application. Now the server is going to do this for anyone that installs the application, right? This will happen between your Signal app and their servers, or your WhatsApp and their servers, and so on. What will happen next is, some time down the line, hopefully Bob's made some friends and they've agreed to talk to him on their phones. So Alice comes along and she wants to set up a communication with Bob. Now the exact same problems that Bob faced, she faces, right. The first one is that Bob might have his phone switched off, so she can't start up a conversation, right, and she also doesn't know where Bob is. So the server does: the server, based on Bob's mobile phone number or IP address or something, will know how to get in contact with him. So she goes to the server and says, I'd like to talk to Bob, but can I have a pre-key bundle?

And this is a set of parameters from Bob that she can use to form a communication. So the server is going to send to Alice Bob's identity key, Bob's signed pre-key, and one, either at random or sequentially, of these, let's say number three, of these one-use keys is going to be sent. Three different public keys from Bob, right. Alice is going to generate an identity key of her own, for Alice, and she's going to generate an ephemeral key, which is like a one-use session key, which is very common in Diffie-Hellman, for herself there. All right, what are they going to do? Well, let's get rid of this paper, or just move it, it's sort of flopping around. So we've got, I seem to change pens, but let's not worry about that, I've got Bob's identity key. That should identify him: if we know that Bob has the private key and we know that's Bob, the fact that this key has been used means it must be Bob on the other end of the line. All right, that's a really good thing to know. His signed pre-key for Bob: this stops the server messing about with his pre-keys, because he signed it and the server can't do that. And a one-use public key for Bob, and what that's going to do is make sure that no one can replay attack Bob by sending this whole conversation again later. Bob is going to delete this when he's seen it for the first time. So when you fetch a pre-key bundle and you use it to talk to someone on one of these apps, they will delete that pre-key so that it can never be used again. And we've got Alice: we've got the identity key from Alice and her ephemeral key. Now, I'm going to use a different pen. We've got five different public keys here, right, and we're going to perform four Diffie-Hellmans, right, which is again a little bit hairy, but, you know, bear with me. To remind you, we did a video on Diffie-Hellman which you might like to watch, but with Diffie-Hellman you both send public keys to each other, you exchange them, you use your secrets to calculate a shared secret. So any two of these public keys can be combined to create a shared secret, right? But if you only use two of them, you're not getting the whole picture, and you're not, you know, for example, if you only use Bob's identity key and Alice's ephemeral key, you aren't guaranteeing the identity of Alice by verifying this particular identity key here. Every public version has a private one. So there's going to be a little private identity key for Alice, a little private ephemeral key for Alice, and they get used within the mathematics, and the same on the other side. So there's a little one for Bob. So this is the identity key for Bob. I've gone out too many, and this one is, let's say, number... this was number three, wasn't it? So let's put in number three here. Bob's got a whole list of these, right? So he's got a whole list of these, one, two, three, and this is the one he's going to use. Alice is going to perform the Diffie-Hellman exchange four times, right? So she's going to do this one here, she's going to do this one here, she's going to do this one here, that's number three, and she's going to do this one here, number four, right? So she's bringing all the keys into play. Then she's going to produce one master key, shall we say, with all of these pre-master secrets. So she's going to take one and she's going to append it to two, she's going to append it to three, append it to four.

She's going to put that through something called a key derivation function, which for the sake of simplicity we'll just say is very similar to a hash function, and that's going to produce her master secret. She can then use that to encrypt things, and theoretically when she sends a message to Bob, Bob would be able to do the same thing and no one else will. Right, so she'll send a message including something encrypted, her identity key and her ephemeral key. Bob will do the exact same procedure and then he will be able to send her a message back. The way that the Signal protocol works, with Alice and Bob and the server in between, is called triple Diffie-Hellman. Why are we doing all these Diffie-Hellmans, right? In a previous video we just had a public key for Alice and a public key for Bob. We seem to be wasting a lot of time. Well, each of these different Diffie-Hellman exchanges gives us something different, but the really important ones I want to talk about are the ones involving these identity keys here. The identity keys prove who you are. But of course, if I'm Alice and you're Bob and I send you an identity key for myself, it doesn't prove who I am at all. It's just a number. It doesn't say anything, right? So how do I actually, how do you actually know that the message came from me? Right, and the answer is actually what you need to do is look at this number offline, out of band. You need to go outside of the normal line of communication over the internet and, face to face, look at this number, and if you see that it's right, then you know it must have been me having this conversation. Okay, so I can send you a message using Signal, right? You've installed Signal, you're Bob, I'm Alice in this case, right? So you've already sent your pre-keys to the server, just waiting to go. My phone will send a message to the server and say, can I get a pre-key bundle? And then we'll perform an exchange, right, something like that. So I'm going to send you a message.

It's not going to be interesting. "Hello." All right, so I send you a message. Hopefully it pops up on your phone. It does. There we go. I mean, this is good evidence that it was me. I literally sent a message and it appeared on your phone. But that didn't always happen in instant messaging, so sometimes I'm not around or you're not around at the time. So how do you know, when it pops up my name on here, that it is me? And the answer is you don't, right. Someone could have... the server or someone else could have intercepted these messages and performed a man-in-the-middle attack, right. The only way we can verify it is to check out each other's public keys, our identity keys. So the way that Signal does this is it takes the identity public key of Alice and the identity public key of Bob and it combines them using a hash function into a safety number, right. That safety number is essentially a summary of our two public identity keys, right. If we have the same safety number, that means we're having a conversation with the exact same two identity keys, which means it must be a conversation just between us. That's the idea. So let's have a look. I'm going to go into my safety number, and they're the same. And in Signal actually you can press this "verified" button, which says we've looked at these out of band. This is called an out-of-band communication because we're not using the normal encryption to verify our keys. So now actually when we send messages it will show as verified. So in WhatsApp it's not called a safety number, it's just called a security code, but you can see it's absolutely the same. Now of course what most people don't do is that, right. Most people send messages and assume there isn't a man in the middle, and in all likelihood there probably isn't, but if you want to be really sure, maybe have a look at your safety number. We've only covered half the story. We talked about these pre-key bundles and this initial triple Diffie-Hellman. I mean, we all have phones, we talk about batteries all the time. So if you hypothetically picked four words that were in the top 500
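The handshake described in the video, as an added worked example that is not code from Computerphile or from the Signal project: Bob registers an identity key, a signed pre-key and a numbered list of one-time pre-keys; Alice fetches a bundle, checks the signature, generates her identity and ephemeral keys, runs the four Diffie-Hellmans, appends the results and puts them through a key derivation function; Bob mirrors the computation with his private halves, deletes the consumed one-time pre-key, and both sides can derive the safety number from the two identity keys. Everything about the primitives is an assumption made for readability: a toy finite-field Diffie-Hellman group (p = 2^127 - 1, g = 5) stands in for the elliptic curve X25519 that Signal uses, a Schnorr signature over that group stands in for Signal's signature scheme, SHA-256 is the KDF, and the 15-digit safety-number format is constructed, not Signal's real one. The group is far too small for real use.

```python
# Added teaching example of the X3DH-style handshake from the video.
# Not Signal's code: toy finite-field DH group (p = 2^127 - 1, g = 5) instead
# of X25519, Schnorr over that group for the signed pre-key, SHA-256 as the
# KDF, and a constructed 15-digit safety-number format.
import hashlib
import secrets

P = (1 << 127) - 1   # toy prime modulus (constructed, not a production group)
G = 5                # toy generator
Q = P - 1            # exponents reduce mod p-1 because g^(p-1) = 1 mod p


def keygen():
    """Return (private, public) with public = g^private mod p."""
    priv = secrets.randbelow(Q - 2) + 2
    return priv, pow(G, priv, P)


def dh(priv, pub):
    """One Diffie-Hellman: pub^priv mod p as 16 fixed-width bytes."""
    return pow(pub, priv, P).to_bytes(16, "big")


def _hash_int(*parts):
    h = hashlib.sha256()
    for part in parts:
        h.update(part.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big")


def sign(priv, msg_pub):
    """Schnorr signature (r, s) on a public key, so Bob can sign his pre-key."""
    k = secrets.randbelow(Q - 2) + 2
    r = pow(G, k, P)
    e = _hash_int(r, msg_pub) % Q
    return r, (k + e * priv) % Q


def verify(pub, msg_pub, sig):
    """Check g^s == r * pub^e mod p; fails if the server swapped the pre-key."""
    r, s = sig
    e = _hash_int(r, msg_pub) % Q
    return pow(G, s, P) == (r * pow(pub, e, P)) % P


def kdf(dh1, dh2, dh3, dh4):
    """Master secret: the four DH outputs appended and hashed."""
    return hashlib.sha256(b"toy-x3dh" + dh1 + dh2 + dh3 + dh4).digest()


def bob_register():
    """What Bob uploads on install: identity key, signed pre-key and four
    numbered one-time pre-keys. Returns the public bundle the server stores
    and the private halves Bob keeps on his phone."""
    ik_priv, ik_pub = keygen()
    spk_priv, spk_pub = keygen()
    opks = [keygen() for _ in range(4)]
    bundle = {"IK": ik_pub, "SPK": spk_pub, "SPK_sig": sign(ik_priv, spk_pub),
              "OPK": [pub for _, pub in opks]}
    private = {"IK": ik_priv, "SPK": spk_priv, "OPK": [priv for priv, _ in opks]}
    return bundle, private


def alice_initiate(bundle, opk_index):
    """Alice checks the signed pre-key, makes her identity and ephemeral
    keys, runs the four Diffie-Hellmans and returns (master, header)."""
    if not verify(bundle["IK"], bundle["SPK"], bundle["SPK_sig"]):
        raise ValueError("signed pre-key does not verify: bundle was tampered with")
    ik_a_priv, ik_a_pub = keygen()
    ek_priv, ek_pub = keygen()
    ik_b, spk_b, opk_b = bundle["IK"], bundle["SPK"], bundle["OPK"][opk_index]
    master = kdf(dh(ik_a_priv, spk_b),   # 1: Alice identity  x Bob signed pre-key
                 dh(ek_priv, ik_b),      # 2: Alice ephemeral x Bob identity
                 dh(ek_priv, spk_b),     # 3: Alice ephemeral x Bob signed pre-key
                 dh(ek_priv, opk_b))     # 4: Alice ephemeral x Bob one-time pre-key
    return master, {"IK_A": ik_a_pub, "EK_A": ek_pub, "opk_index": opk_index}


def bob_receive(private, header):
    """Bob mirrors the four DHs with his private halves, then deletes the
    one-time pre-key so a replayed first message is rejected."""
    i = header["opk_index"]
    opk_priv = private["OPK"][i]
    if opk_priv is None:
        raise ValueError("one-time pre-key %d already consumed (replay)" % i)
    private["OPK"][i] = None
    return kdf(dh(private["SPK"], header["IK_A"]),
               dh(private["IK"], header["EK_A"]),
               dh(private["SPK"], header["EK_A"]),
               dh(opk_priv, header["EK_A"]))


def safety_number(ik_1, ik_2):
    """Hash both identity public keys in a fixed order into three 5-digit
    groups; both phones compute it and the users compare it out of band."""
    lo, hi = sorted((ik_1, ik_2))
    d = hashlib.sha256(lo.to_bytes(16, "big") + hi.to_bytes(16, "big")).digest()
    return " ".join("%05d" % (int.from_bytes(d[i:i + 4], "big") % 100000)
                    for i in range(0, 12, 4))


if __name__ == "__main__":
    bundle, bob_private = bob_register()
    master_a, header = alice_initiate(bundle, opk_index=2)
    master_b = bob_receive(bob_private, header)
    print("master secrets match:", master_a == master_b)
    print("safety number:", safety_number(header["IK_A"], bundle["IK"]))
```

Two of the checks the video describes are visible in the code paths: `alice_initiate` refuses a bundle whose signed pre-key no longer matches Bob's identity-key signature (the server cannot substitute pre-keys), and a second `bob_receive` with the same header fails because the one-time pre-key was deleted after first use. The safety number is the same whichever phone computes it because the two identity keys are sorted before hashing; agreeing on it out of band is what rules out a man in the middle who substituted identity keys.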
Instant Messaging and the Signal Protocol - Computerphile, posted by 林宜悉 on 2020/03/27