3 December 2020

Hacker Lexicon: What Is the Signal Encryption Protocol?


LAST WEEK, WITH little fanfare, Google announced a change that could soon make its 2 billion Android users worldwide far harder to surveil: The tech giant says it's rolling out a beta version of its Android messaging app that will now use end-to-end encryption by default. That level of encryption, while limited to one-on-one conversations, is designed to prevent anyone else from eavesdropping—not phone carriers, not intelligence agencies, not a hacker who has taken over the local Wi-Fi router, not even Google itself will have the keys to decrypt and read those billions of messages.

The news isn't just a win for global privacy. It's also a win for one particular encryption system: the Signal protocol, which is well on its way to accounting for a majority of the world's real-time text conversations. As this protocol becomes the de facto standard for encrypted messaging in most major services, it's worth understanding what sets it apart from other forms of end-to-end encrypted messaging.

You might already know Signal thanks to the popular end-to-end encrypted text messaging app by the same name, created by cypherpunk Moxie Marlinspike and in recent years hosted by the nonprofit Signal Foundation. Signal, the app, has an unparalleled reputation for security and privacy, with high-profile endorsements from NSA whistleblower Edward Snowden and WhatsApp founder Brian Acton, who left WhatsApp in 2018 to serve as the Signal Foundation's executive director.

But the underlying crypto system that Marlinspike designed and on which Signal is built, known as the Signal protocol, has spread far beyond its eponymous app. WhatsApp first adopted the Signal protocol in 2014 to end-to-end encrypt all messages between Android phones, in what Marlinspike told WIRED was "the largest deployment of end-to-end encryption ever." WhatsApp switched it on by default for all billion-plus users two years later. Shortly thereafter, Google rolled out end-to-end encryption via the Signal protocol as an opt-in feature for its now-defunct Allo messenger and in its Duo video chat service. Facebook followed by adding it as an opt-in "Secret Conversations" feature in Facebook Messenger a few months later. Google's decision to integrate the Signal protocol into Android's messaging app by default represents the biggest new collection of phones to adopt the standard in years, with hundreds of millions more devices.

So why have the tech giants of the world all chosen Signal as their go-to crypto protocol? Its standout feature, says Johns Hopkins computer science professor and cryptographer Matthew Green, is how it implements what's known as "perfect forward secrecy." With most encryption systems, when an app is installed on a phone, it creates a permanent key pair that is used to encrypt and decrypt messages: one "public" key that is sent to the messaging server and will be used to identify the user, and one "private" key that never leaves the user's phone. If that private key is somehow compromised, however, like if someone hacks or seizes your phone, that potentially leaves all your messages vulnerable to decryption. Even if you've deleted messages from your phone, the key can decrypt any encrypted messages that eavesdroppers have managed to record when they originally traveled across the network.

The Signal protocol, however, uses a so-called "ratchet" system that changes the key after every message. It does this by generating a collection of temporary key pairs for each user, in addition to the permanent keys. When someone sends a message to a contact over an app using the Signal protocol, the app combines the temporary and permanent pairs of public and private keys for both users to create a shared secret key that's used to encrypt and decrypt that message. Since generating this secret key requires access to the users' private keys, it exists only on their two devices. And the Signal protocol's system of temporary keys—which it constantly replenishes for each user—allows it to generate a new shared key after every message.

"Every time you send a message, your key is updated," Green says. "That means if your phone gets stolen at time X, any message you send before time X should still be safe." That assurance is lacking, Green notes, in Apple's iMessage, another popular messaging app that uses end-to-end encryption but doesn't offer perfect forward secrecy.

Perfect forward secrecy is useless, it's important to note, if users don't delete their messages periodically. If someone's phone is seized or stolen with all their messages still intact, they'll be just as visible to whoever has the phone in hand as they were to the original owner. The Signal app offers disappearing messages that are automatically deleted after a certain time limit. WhatsApp is rolling out an auto-delete feature, too, after going years without one. Android messaging users, crucially, will have to manually delete any messages they want to protect to get the full benefits of the protocol's perfect forward secrecy.

Signal's popularity stems not just from its perfect forward secrecy feature, but simply from its reputation as a well-designed, open-source protocol. When WIRED asked Google about its choice of Signal, the company's messaging product lead, Drew Rowny, described it as an "open-sourced, transparent, and audited protocol." It’s been around for long enough—and its adoption in WhatsApp, Facebook Messenger, and the Signal app itself is so heavily scrutinized—that any serious bugs would have been spotted and fixed years ago. "You might as well use the thing that's become the standard," says Green. He compares choosing Signal to the old IT adage "No one ever got fired for buying IBM."

For users, too, it can't hurt to switch over from any unencrypted messaging service you may be using to one that implements the Signal protocol. Pretty soon, it may be hard to avoid it even if you tried.

No comments: