OMEMO end-to-end encryption for chat explained

If you care about your privacy, you need to use apps that provide end-to-end encryption for your communications. Providing this kind of security for group chats is a technical challenge. The OMEMO extension for XMPP, which Secure Chat also uses, solves this challenge with the Double Ratchet Algorithm. Here is how it works.

Like the ratchet screwdriver, from which the algorithm gets its name, OMEMO uses functions that can “spin” in just one direction. You have one initial set of keys, and then new ones are derived from it after every message. It is mathematically impossible to reverse the process. This creates chains of keys that can develop in only one direction easily on all involved users’ devices but cannot be reversed by an eavesdropper to read the conversation.

With the Double Ratchet Algorithm, OMEMO provides the following features:

• Symmetric end-to-end encryption. Messages are encrypted on the sender’s end and decrypted on all recipients’ ends with the same key. The algorithm facilitates the key exchange.
• Forward secrecy. Unique ephemeral keys are used for every message. If a set is compromised, all your other messages remain encrypted with different keys and are therefore safe.
• Independent key renewal. The algorithm does not need a peer or public key infrastructure to get new keys. It uses key derivation functions (KDF) for that.
• Plausible deniability. If a message gets intercepted, snoopers will not be able to determine who has sent it.
• No lost or out-of-order messages. Each message has a session number embedded in its header. This way, if a message gets lost or undelivered, it will not mess up the key derivation chain.

How does Double Ratchet work?

For the actual encryption of the messages, the algorithm uses the AES-256 cipher. It provides strong-enough, quantum-resistant scrambling of the content which is reversible only if you have the key. This is the easy part. The hard part is the sharing of this key over an unsecured channel (and with mobile communications, you can assume all channels are such) with multiple recipients.

In one-on-one communication, this is handled by the Diffie-Hellman (DH) key exchange. The Double Ratchet Algorithm is a way to perform multiple Diffie-Hellmans simultaneously. It does this by running two ratchet processes in parallel (you can see where the algorithm’s name comes from):

• Root chain. As the communicating parties exchange keys, they create Diffie-Hellman secrets with every message sent and received. Those secrets are used as input to create a chain of Diffie-Hellman keys, which is the backbone of the conversation. These keys, in turn, are used input for the KDFs on each participant’s end, which create the chains of AES keys for the actual encryption and decryption.
• Sender and receiver chains. As said above, the output from the root chain serves as input for the message encryption keys. The latter are used to create new public-private key pairs at every step of the communication. When the user responds to a message, their reply is sent out with the new public key embedded in it. It, in turn, serves as input for the next Diffie-Hellman value in the root chain.

Each message sent, means the above two chains move one step ahead. This way, each conversation is built around a chain of Diffie-Hellman keys which cannot be reversed. Also running, on each participant’s end, are identical chains of AES keys, which allow everyone involved to read each other’s messages. The process is designed to be irreversible – like a ratchet, it cannot screw backward. Because of that, if someone intercepts a conversation and somehow beaks an AES key, they will be unable to decipher neither past not future messages.