SlideShare a Scribd company logo

Scimp paper

Комсс Файквэе
Комсс Файквэе

Scimp paper

TechnologyEducation
1 of 26
Download to read offline
Silent Circle Instant Messaging Protocol Protocol Specification Authors: Vinnie Moscaritolo, Gary Belvin, Phil Zimmermann Date: December 5, 2012 Version: 1.0
Silent Circle Instant Messaging Protocol Table of Contents Introduction!........................................................................................................................3 High-level SCIMP features!................................................................................................4 Basic Protocol Overview!...................................................................................................5 Key Agreement!................................................................................................................12 Message Encryption!........................................................................................................17 Protocol Details!...............................................................................................................22 Appendix A: Document History !.......................................................................................25 References.!.....................................................................................................................26 Page 2 of 26
Silent Circle Instant Messaging Protocol Introduction Silent Circle Instant Messaging Protocol (SCIMP) enables you to have a private conversation over instant message transports such as XMPP (Jabber). You could argue that the world doesn't really need another instant message protocol, but the existing protocols didn't have all of the features we wanted, or had unnecessary complexity. SCIMP draws from a number of related protocols. In designing SCIMP, we have drawn many ideas from: • ZRTP: Media Path Key Agreement for Unicast Secure RTP [ZRTP] • OTR: Off The Record [OTR] • SSMS: Secure Short Message Service [BELV] • Cryptocat: The Cryptocat Project [NADM] SCIMP provides strong encryption, perfect forward secrecy and message authentication. Further, we have incorporated many NIST-approved methods and protocols into its design including: • Elliptic Curve Diffie–Hellman (ECDH), NIST 800-56A • Counter with CBC-MAC (CCM), NIST 800-38C • Key Derivation, NIST 800-108 • Secure Hash Standard, FIPS 180-4 • Advanced Encryption Standard (AES), FIPS 197 While it is not our immediate intent to FIPS-140 validate the SCIMP library, we have experience with that process and the overall design is not incompatible with that goal. We have also optionally added the Skein family of hash and message authentication function as a cipher suite. Page 3 of 26
Silent Circle Instant Messaging Protocol The protocol is placed completely into the public domain, and the implementation code is open source. It is designed and written by Silent Circle, LLC. High-level SCIMP features SCIMP has a number of features: Easily analyzed, easily implemented. This was important to us, it’s one thing to put our code for open source, but it is next to useless if the code is difficult to analyzed and build. Relatively few options. Options are both good and bad in a crypto protocol. If there are too few of them, then the protocol can't change with the times. If there are too many, the protocol is hard to build, test, and vet. NIST-vetted crypto primitives. While we don't always want to limit ourselves only to that suite, NIST selection and documentation of crypto primitives is a great place to start, so we did. Full 128-bit security. SCIMP is built to have a minimum of 128-bit security through-and-through. Simple, integrated authentication. All communications have the problem of how to authenticate to your partner the first time you talk, to reject man-in-the-middle and other eavesdroppers. SCIMP uses simple mechanisms that can integrate with voice communication and share that authentication. Designed for mobile devices Page 4 of 26
Silent Circle Instant Messaging Protocol After examining the popular text encrypting protocols we discovered that they had a number of shortcomings when employed over mobile devices. SCIMP has been designed for use with mobile devices from the beginning. Basic Protocol Overview A lot of the SCIMP design derives from ZRTP. The key agreement protocol employs an ephemeral Elliptic Curve Diffie-Hellman (EC-DH) key agreement to establish a shared secret without invoking a trusted third-party. Authenticity is provided by key continuity using hash commitments of a shared secret, similar to ZRTP and optionally a verbal form of user authentication. Together, key continuity and user authentication prevent man-in-the-middle attacks from going unnoticed. The data messages are protected with authenticated encryption using Counter with Cipher Block Chaining-Message Authentication Code (CCM), as defined in NIST Special Publication SP800-38C. Key Negotiation The Key Agreement Protocol for SCIMP establishes an ephemeral shared secret using a minimal set of messages. SCIMP uses the Elliptic Curve Diffie-Hellman (ECDH) primitive for shared secret computation, with key continuity and one-time verbal authentication for man-in-the-middle detection. Page 5 of 26
Silent Circle Instant Messaging Protocol SCIMP has the advantage of being completely peer-to-peer. There is no need for third parties and you don’t have to worry about preventing accidental exposure of long term secrets. SCIMP begins with the initiator sending a hash commitment to the responder on a freshly generated ECDH public key. The responder generates and sends back his public key, without knowing the initiator’s public key. Because the initiator also generated her public key without knowing the responder’s key, an adversary was prevented from controlling the result of the Diffie-Hellman computation. Hashes of a cached secret are also included in the first two messages. The cached secret is a bit of key material saved from previous executions of the protocol, if applicable (in the absence of a cached secret a random value is sent). The two parties can use this to determine if they have shared key material that matches. Because someone attempting a man-in-the-middle attack wouldn’t know or have access to this shared key material, it provides both parties a way to identify if someone is attempting to impersonate the other. The last step of SCIMP involves sending a message authentication code on a known value to the other party, proving that the protocol completed successfully and that the initiator has access to her private key. Once this has been confirmed, both parties refresh their cached secret with a new value derived from the freshly computed shared secret. This action breaks the advantage of an adversary who may have previously compromised cached secrets. As soon as an authentic key agreement takes place, a new cached secret is generated and secrecy is restored to the protocol. Page 6 of 26
Silent Circle Instant Messaging Protocol Once SCIMP has completed, a Short Authentication String (SAS) is displayed to the user to verify the absence of a man-in-the-middle attack. Due to key continuity, the user may verify the SAS with the other party at any time. Using a phone to contact the other party, for example, the user can gain confidence in the identity of the other party based on a number of clues using standard human interaction. An attacker would need to duplicate all these clues when the two parties were checking the SAS and remain undetected while leaving the rest of the conversation undistorted in order to be successful. Alice <Responder Bob <Initiator> Commit Version, Options, H(Pki), Hcs Pkr, Hcs DH1 Pki, MAC DH2 MAC Confirm Data Conclude (optional) SeqNum, CCM(Data, MsgIndex), Tag SeqNum, MAC(MsgIndex) Figure 1: SCIMP Protocol Diagram Page 7 of 26 Data Conclude (optional)
Silent Circle Instant Messaging Protocol Algorithms and Ciphers The SCIMP initiator specifies what suite of algorithms to use in the commit message. If the responder does not support the algorithms requested, the responder ignores that commit message. The responder can send his own commit message, specifying a different suite of algorithms to use, starting the process over. Table 1 describes the options and their meanings. Suite Hash KDF/MAC Cipher Public Key 1 SHA-256 HMAC/SHA-256 AES-128 ECC-384 2 SHA-512/256 HMAC/SHA-512 AES-256 ECC-384 3 SKEIN-512/256 SKEIN-MAC-512 AES-256 ECC-384 Table 1: SCIMP Cipher Suites Hash Commitment The hash commitment forces the adversary to select a public key without knowing the other party’s key. This restricts the adversary to one attempt at finding a collision in the short authentication string (SAS), thus allowing the SAS to be much shorter than it otherwise would need to be. Without the hash commitment, the adversary could acquire the public keys for his two victims before searching for his own pair of keys that would result in an SAS collision. Such a collision would allow the adversary to set up two agreements that generated the same SAS string on both victim devices for a successful and undetected man-in-the-middle attack. Page 8 of 26
Silent Circle Instant Messaging Protocol This attack is restricted in SCIMP by forcing the adversary to select a public key prior to knowing the public key of the other party. Without the other key, the adversary cannot predict what the SAS value will be, and is forced to make a single blind guess. The hash commitment Hc is checked when the initiator sends his public key in DH2 (see Figure 1). If the check fails, a man-in-the-middle attack is in progress. The user is warned, and the protocol stopped. The hash commitment is performed on the Pki as it is sent in the DH2 message, using network byte order with BER encoding. Hc = H(Pki) (512 bits) (1.1) Commit Contention Two end points may attempt to initiate a key negotiation at the same time. Each end point may send the other a commit message before receiving the commit message of the former. The protocol will flag an error and it is up to the application to decide what to do. One way this contest can broken is to compare the hash values of the hash commitment in big endian integer format, and discarding the message with the lower value. The side that sent the commit with the higher value becomes the initiator and the other side, the responder. Cached Secret Comparison Each device stores a long term cached secret for each party it has successfully executed the protocol with in the past. These cached secrets are tied into the key derivation function to achieve key continuity. Key continuity gives us confidence that the user with which are communicating today is the same person with which we communicated last week. Key continuity has been used in a number of protocols including SSH[Gut08]. To determine if two parties have cached secrets (cs), each party sends a non-invertible hash of their cached secret to the other. The initiator does this in the commit message, Page 9 of 26
Silent Circle Instant Messaging Protocol and the responder includes it in the DH1 message. If no cached secret is available, a random value is substituted for cs to avoid leaking information about the cache state. Hcsi is sent in the commit message and Hcsr is sent in DH1. To further avoid leaking information about the state of the cached secret, the MAC is computed on a salt available in the commit and DH1 messages. Hcsi = MAC(cs,H(Pki) ||“Initiator”) (First 64 bits) (1.2) Hcsr = MAC(cs,H(Pkr) ||“Responder”) (First 64 bits) (1.3) These values are computed locally and compared against the values received from the other party to determine the presence of a cached secret. If the hashes match, the cached secret exists and is shared between both parties. If they do not match, a null is used in place of cs in the key derivation function. If a device stores a cached secret for a particular party, the cached secret comparison is expected to succeed. If the comparison fails when a cached secret is available, then one of the parties may have lost their secrets due to a device reset, or there may be a man-in-the-middle (MiTM) attack in progress. In the case of a mismatch, the user must be warned that a MiTM attack may be underway, and advise the user to verify the short authentication string as soon as possible to verify that the MiTM is not present. If a mismatch occurs, the cache is not updated until after the user has verified the short authentication string (SAS) with the other party. The user should be warned of this condition on every key agreement until the condition has been resolved. When no attacker is suspected, the cached secret cache is updated with a new value after a successful key agreement has been confirmed by receipt of confirmation MACs cs = KDF(Z, “RetainedSecret”, Context, 256) (1.4) Because previous cached secret key material is mixed into the key derivation, a successful attack on key negotiation must involve both a compromise of the cached Page 10 of 26
Silent Circle Instant Messaging Protocol secrets on the device as well as a man-in-the-middle attack on the next key negotiation. If the adversary misses just one key negotiation, the cached secrets are replaced with fresh, secret values and the protocol self-heals. Short Authentication String (SAS) The Short Authentication String (SAS) is the first 20 bits of the SAS hash. The commit message includes a designation of what SAS rendering scheme to use: • 0x01 The SAS is displayed to the user as a 4 character Base32 string using the encoding described in section 5.1.6 of RFC 6189[ZJC11]. That encoding scheme is designed for ease of human use. The output alphabet is all lower case, excludes characters that are easily confused, and padding characters are left out. • 0x02 The 4 characters of the prior scheme are displayed to the user using the NATO phonetic alphabet as an aid to auditory clarity in verbal confirmation. If the end-point interface is not large enough for NATO words, however, this option downgrades to the first option. • 0x03 The SAS is displayed to the user as 6 hexadecimal letters Ksas =KDF(Kdk2,“SAS”,Context,20) (1.5) Silent Circle recommends that users make use of an alternative method to establish the identity of the receiving party and verify that the user has the same SAS value. A phone call would be sufficient for this purpose since confidence building cues such as voice timbre and manner of speech are present. These cues make it difficult for an adversary to convincingly impersonate the other party without being detected. If the two parties are physically co-located, they may even be able to compare their short authentication strings by placing their devices side-by-side. Page 11 of 26
Silent Circle Instant Messaging Protocol Because the verification of the SAS cannot be automated, the security of SCIMP is dependent on the initiative of the user. This opens a window of vulnerability for lackadaisical users as an adversary may successfully perform a man-in-the-middle attack without detection until the first comparison of the SAS. This vulnerability is offset by several considerations. The first is that the key continuity properties require the presence of the adversary during every key agreement. An absence during just one key negotiation would alert the user that key continuity has been broken, and subsequent key negotiations would be secure against undetected man-in-the-middle attacks. The second implication from key continuity is that a successful verification of the SAS means that all previous key agreements have succeeded without interference from the adversary. Partial Public Key Validation Before using the public keys in DH1 and DH2 for computation, the keys must be verified. Public keys must have the correct modulus and not be the point at infinity. Full validation would also check that the public key is in the same subgroup as our ECC domain parameter curve, but this is an expensive operation for resource constrained devices. The validation routing is performed as specified in 5.6.2.6 of NIST Special Publication 800- 56A[BJS07]. If any of the checks fail, the user should be alerted that a weak key attack is under way, and the protocol must be terminated. 1. Q must not be the point at infinity. 2. Q must be in the valid range of the elliptic curve group. Key Agreement The shared secret is computed using the process described in section 6.1.2.2 of NIST Special Publication 800-56A[BJS07]. Page 12 of 26
Silent Circle Instant Messaging Protocol Once the public key from the other party has been verified, the Elliptic Curve Cryptography Cofactor Diffie-Hellman (ECC CDH) Primitive is used to compute the shared secret Z as specified in section 5.7.1.2 of NIST SP 800-56A. Given (q, F R, a, b, G, n, h)1 as domain parameters, dA, one’s own private key and QB, the other party’s public key, compute Z: P = hdAQB (3.8) Z = xp (where xp is the x coordinate of P) (3.9) The next task is to convert Z, which is a field element, into a random bit string suitable for keying material. A naive approach might be to apply a hash function to Z, but this is problematic for two reasons: Hash functions are not guaranteed to have PseudoRandom Function (PRF) properties, only collision and pre-image resistance. Secondly, hash functions need to be computed on random values in order to guarantee the randomness of their outputs. If the input is not random, the output of a static hash function can be easily reversed. Therefore, Krawczyk[Kra10] and a draft Special Publication 800-56C[Che10] from NIST separate randomness extraction and key expansion into two separate steps. Extract Z is transformed into a random key derivation key Kdk using a MAC keyed with a salt value. KAPS uses a hash of all the messages sent and received Htotal for the salt. Htotal = H(commit || DH1 || Pki ) - 256 bit hash (1.10) Kdk = MAC(Htotal,Z) - where Z is the DH of Pki and PKr (1.11) Enhance Before the key derivation key is ready to be expanded for application specific purposes, the cached secret must be mixed in. The mixing is performed using the same function as the expand step, with cached secrets being used in the context field. Kdk2 =MAC(Kdk,1 || “MasterSecret” ||0x00 || MasterContext || 256) Page 13 of 26 (1.12)
Silent Circle Instant Messaging Protocol MasterContext = AlgorithmID || InitInfo || RespInfo || SuppPubInfo || SuppPrivInfo (1.13) Where AlgorithmID describes the algorithm: “SCimp-ENHANCE” InitInfo is identifying information for the initiator: strlen(Initiator’s JID) || (Initiator’s JID) RespInfo is identifying information for the responder strlen(responder’s JID) || (responder’s JID) SuppPubInfo is a nonce for which Htotal will suffice. SuppPrivInfo is the cached secret (if it exists): len(cs) || cs. If no cached secret exists for this agreement, the length of cs is 0 followed by nothing: 0 Expand Finally, Kdk2 is expanded using the KDF for SCIMP to generate a separate master session key for each direction of the secure symmetric conversation. The context in this case is a simplified version of the master context. KItoR =KDF(Kdk2,“InitiatorMasterKey”,Context,256) (3.14) KRtoI =KDF(Kdk2,“ResponderMasterKey”,Context,256) (3.15) The SCIMP key derivation function is defined as the L left most bits of the MAC computed in the following way, where L must not exceed the size of the MAC function’s output: KDF(K, Label, Context, L) = MAC(K, Counter||Label||0x00||Context||L) K is a secret random bit string. Page 14 of 26 (3.16)
Silent Circle Instant Messaging Protocol L is the length in bits of the output key material encoded as a 4 octet integer. Label identifies the purpose of the output key material. Counter is required by NIST Special Publication 800-108[Che09] and is always 1 since we limit the output length of the KDF to be less than the output length of the MAC. The counter is encoded as a 4 octet integer. Context is a binary string that ties the output key material to the particular situation in which it is being used. Context = InitiatorJIDInfo | ResponderJIDInfo | SupPubInfo InitiatorJIDInfo is identifying information for the initiator: len(Initiator JID)| Initiator JID. ResponderJIDInfo is identifying information for the initiator: len(Responder JID)| Responder JID SuppPubInfo is a nonce for which Htotal will suffice. As soon as intermediate keys Kdk, Kdk2, and other intermediate key material is no longer needed, or if there is an error they must be erased from memory. Commit || DH1 || PKi Expand Ksnd Hash Salt (256) Expand Other Party's EC Pub Key Krcv EC-DH ANSI X9.63 Z (384) Expand Randomness Extraction KmacI (256) Our EC Priv Key Expand KmacR (256) Kdk (256) Kdk2 (256) Expand SAS (20) Cached Secret Enhance Expand CS1 Expand Ircv (64) Expand Isnd (64) Page 15 of 26
Silent Circle Instant Messaging Protocol Key Confirmation The last step in the protocol involves giving the other party assurance that the protocol completed successfully and that he is in possession of the correct symmetric key. This is accomplished by sending a MAC computed on a known value under a key derived from Kdk2. The initiator’s confirmation is sent in the DH2 message, and the responder’s confirmation is sent in the Confirm message. KmacI =KDF(Kdk2,“InitiatorMACKey”,Context, cipherLen) (3.18) KmacR =KDF(Kdk2,“ResponderMACKey”,Context, cipherLen) (3.19) maci = MAC(KmacI , Htotal ) (first 64 bits) (3.20) macr= MAC(KmacR, Htotal) (first 64 bits) (3.21) After the key confirmation has been successfully validated, parties update their cached shared secret cs. (Provided a man in the middle attack was not suspected as noted in section 3.7) The previous shared secret is erased and replaced with the new shared secret as calculated in equation Page 16 of 26
Silent Circle Instant Messaging Protocol Message Encryption SCIMP encrypts the actual message payload using AES in CCM block cipher mode. The CCM mode of operation defines an authenticated encryption scheme, the security of which rests on a single cryptographic primitive, the block cipher. CCM is also attractive due to its ability to authenticate cleartext header data in addition to cipher-text data. Each message is encrypted with a distinct key. The actual key material is split in half and the upper is used as the key while the lower bits are used for the Initialization Vector. A sequence number is also fed to the CCM algorithm to limit replay protection. Initial Message Index SCIMP uses the KDF to compute the initial sequence number for the CCM encryption process. Since this function is only called once for any master key, the static nonce is appropriate. sessionId = H( strlen(initiator JID) || (initiator JID) || strlen(responder’s JID) || (responder’s JID) ) iSnd = KDF(Kmaster , “InitiatorInitialIndex”, sessionId ||0, 64) iRcv = KDF(Kmaster , “InitiatorInitialIndex”, sessionId ||0, 64) Each addition index number is an increment of the previous. iSnd1 = iSnd + 1; Forward Secrecy SCIMP uses distinct keys to encrypt each message and in each direction. The initial Ksnd and Krcv keys are created from the expansion process as described above. SCIMP then derives further key material using a hash based key derivation function that is compliant with NIST Special Publication 800-108[Che09] section 5.1. Since each key is computed from the previous using the non-invertible key derivation function the result is a chain of keys that protects the security of prior messages when a Page 17 of 26
Silent Circle Instant Messaging Protocol single key is compromised. Keys are also erased from memory as soon as they are no longer needed to prevent unneeded leakage in the event that a device is forensically analyzed. Each key is derived by hashing the previous key with the session identifier as well as the message index. The initial message index is computed from the key expansion process K0 = KDF(Kmaster,“MessageKey”,session identifier||i0) Kn = KDF(Kn−1, “MessageKey”, session identifier||iN) Where i0 and iN correspond to the appropriate index for that direction (iSnd and iRcv). Kmaster KDF i0 KDF K0 i1 KDF K1 i2 KDF K2 SCIMP Message Key Derivation Page 18 of 26
Silent Circle Instant Messaging Protocol Padding and CCM The data passed to CCM is padded. Messages shorter than 32 bytes are padded to 32 bytes and messages longer than 32 are padded to the next multiple of 16. The actual byte used to pad is the number of bytes added to pad. For example a message of 9 bytes long will have an addition 21 bytes of 0x15 added. Page 19 of 26
Silent Circle Instant Messaging Protocol Example Message Processing 1. Bob generates a ECDH key pair and computes and send the hash Commit Packet. 2. Alice Receives the hash commitment from the initiator and generates her own ECDH key pair, sends the public key in a DH1 message 3. Bob receives DH1 message. Verifies that shared secrets match as expected. If not, warn user of a man-in-the-middle attack. Verifies that the responder’s public key is valid using the algorithm specified Computes master and session keys. Sends DH2 with confirmation MAC. 4. Alice Receives the initiator’s DH2 public key. Verifies the hash commitment received earlier. Verifies that the shared secrets match as expected. If not, warn the user of a man-in-the-middle attack. Verifies the initiator’s public key. Compute master and session keys. Verifies the confirmation code. Update shared secrets. Sends her confirmation code in a confirm packet 5. Bob receives and verifies the confirmation code. Updates shared secrets. and is read to send messages. Page 20 of 26
Silent Circle Instant Messaging Protocol ! ! Alice <Responder Bob <Initiator> Commit Version, Options, H(Pki), Hcs Pkr, Hcs DH1 Pki, MAC DH2 MAC Confirm Data SeqNum, CCM(Data, MsgIndex), Tag ! Page 21 of 26 Data
Silent Circle Instant Messaging Protocol Protocol Details SCIMP can be transported over a variety of wire formats. SCIMP support JSON, XML or a more compact binary format. The version of SCIMP the Silent Circle uses encodes the protocol as JSON packets wrapped in a Rad64. AS mentioned above SCIMP uses 4 kinds of packets to establish the secret keys: commit, dh1, dh2 and confirm. Commit is the start of the keying process, where the initiator creates a ECC key pair but only send a hash of the public key, along with some HMAC information that might indicate if they have had a shared secret in the past. { } "commit": { "version": 1, "cipherSuite": 1, "sasMethod": 1, "Hpki": "s18C+pKU2b81vysPfnRsviMieziZ5i0YrbQXpkdzgSo=", "Hcs": "bx/ScjJQU1s=" } When the recipient receives a Commit, it check packet for valid options and then creates it's own ECC key and responds by sending the public key back to the initiator with a DH1 packet. It also includes a HMAC of a previously shared secret. { "dh1": { "PKr": "MGwDAgcAAgEwAjEAsI23okNBcGV1qy0RsliSKBpQNf3095weuQXsfcur4s0r9+hpA3jlg75RIcTYiPByAjAto kuW22OFhAb63ZiDmdE3an06aGJaCT4Ywmy3ywYWDJrkIrkIVcHAdxfupjoN/A0=", "Hcs": "Sgd9nFcLvYs=" } } Page 22 of 26
Silent Circle Instant Messaging Protocol At this point the Initiator has enough information to complete the ECC - Diffie Hellman process, and derives both the sending and receive communication keys. The initiator then replies with a DH2 packet which contains a copy of the public key it previously send a hash of and a HMAC of the current shared secret. { "dh2": { "PKi": "MG0DAgcAAgEwAjEAmS2t3VvYXkSYLWuZ4vDQfJpL2VrCxOrkj2E4v/ 6EOxfk9USrdLnVUIhHbSmVpD5vAjEA93WVAfM9STK3zPV2M4NuJlcrGlvCD/ CVhClxtpua6lEBHi5E5bPOTrFszlmrF7qd", "maci": "KeO29YxeB80=" } } The recipient uses the DH2 information to complete it's ECC - Diffie Hellman process and derives a copy of the communications keys also. To ensure that both sides are on the same page, the recipient replies with a CONFIRM packet which contains an HMAC of the new shared secret. { } "confirm": { "macr": "/jo+3Bz8dPw=" } Once a the keys are established, SCIMP can then send the user message using a DATA packet. The actual message is encrypted using AES in the Counter with CBCMAC (CCM) mode. This provides us a message authentication code of both the message and the sequence number. { "data": { "seq": 51323, "mac": "ykRzxqvCR4lPj2/yL38C+Q==", "msg": "s8o4Ad8qn45uXauVAPAWFQ16Ns2jeV0D3ADYGreCNXW6STs6IW/ dx8Om6VAUgpuKVRg4WPBGUHvbqqv91AQ/Sw==" } } Page 23 of 26
Silent Circle Instant Messaging Protocol In order to ensure that the messages arrive intact over protocols such as XMPP the JSON packets are encoded in rad64 with a header or "?SCIMP:" and terminated with a period. For example when the last data packet goes over the XMPP, it actually looks like. Example SCIMP Message <message type="chat"from='velma@silentcircle.com' to='daphne@silentcircle.com' id="0FF6CF98-32FE-4EED-9DEF-D66A0E50EA8F"><body/><x xmlns="http:// silentcircle.com">? SCIMP:ewogICAgImRhdGEiOiB7CiAgICAgICAgInNlcSI6IDE1MDcyLAogICAgICAgICJtYWMiOiAiZlp YYURlQ1ljVTA9IiwKICAgICAgICAibXNnIjogIkloT051Sm9kK0Fjb09KQ1prZ0xHQXliSmJjbC9WNzhl cmMrSFY4K1FHcUJ2cEdlb2RaSWZwNTRKVWluU2g0N0lZTjFORkJOaXBjTVdubWlsMXVtbi9pcG5rVk8rd VJZdUJuQjdpZXZEK1pZQzBYV0hHQWQ3WWJtOWRsYkpSd0oyIgogICAgfQp9Cg==.</x></message> Page 24 of 26
Silent Circle Instant Messaging Protocol Appendix A: Document History Date Rev Author Change 6/1/12! 0.1 vin First complete draft. 6/5/12 0.2 vin Updated API names to start with SCimp 6/19/12 0.3 vin exchange CCM for GCM 6/20/12 0.4 vin SCIMP messages are Rad64 with SCIMP header 6/21/12 0.5 vin minor protocol text corrections 7/16/12 0.6 vin Added message ID to SCimpProcessPacket() 8/21/12 0.7 vin hTotal needed to be a 256 bit hash 8/31/12 0.8 vin minor corrections to hash lengths 10/19/12 0.9 vin cleanup and split API into separate doc 10/22/12 0.10 vin corrections, kudo JimB 12/5/12 vin Updated authors 1.0 Page 25 of 26
Silent Circle Instant Messaging Protocol References. [BELV] Gary Belvin. A Secure Text Messaging Protocol, John Hopkins University. (May 2001) [CER] CERT. MSC10-J. Limit the lifetime of sensitive data. http://bit.ly/mwdO26. [Che09] Lily Chen. NIST Special Publication 800-108 Recommendation for Key Derivation Using Pseudorandom Functions (revised). (October), 2009. [Che10] Lily Chen. DRAFT NIST Special Publication 800-56C Recommendation for Key Derivation through Extraction-then-Expansion. (September), 2010. [Gut08] Gutmann. Key Management Through Key Continuity(KCM). Internet Draft, 2008. [Jak] J. Jonsson, On the Security of CTR + CBC-MAC, in Proceedings of Selected Areas in Cryptography – SAC, 2002, K. Nyberg, H. Heys, Eds., Lecture Notes in Computer Science, Vol. 2595, pp. 76-93, Berlin: Springer, 2002. [800-38B] Draft NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: the CMAC Authentication Mode. U.S. DoC/NIST, October 2003. Available at http://csrc.nist.gov/CryptoToolkit/modes. [Krh09] Jan Krhovjak. Cryptographic random and pseudorandom data generators. PhD thesis, Masaryk University, 2009. [NADM] Nadim Kobeissi , CryptoCat, (http://project.crypto.cat). [OTR] Ian Goldberg,Nikita Borisov Off-the-Record Messaging Protocol version 2. (http:// www.cypherpunks.ca/otr/). [RAD64] Wikipedia, Base64 [ZRTP (RFC 6189)] P. Zimmermann, A. Johnston, and J. Callas. ZRTP: Media Path Key Agreement for Unicast Secure RTP. RFC 6189, April 2011. (http://tools.ietf.org/html/rfc6189) Page 26 of 26

Recommended

Deniable Encryption Key
Deniable Encryption KeyDeniable Encryption Key
Deniable Encryption KeyIOSR Journals
 
CGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption MechanismCGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption MechanismAmit Singh
 
DOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYDOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYTuhin_Das
 
Key Distribution Problem in advanced operating system
Key Distribution Problem in advanced operating systemKey Distribution Problem in advanced operating system
Key Distribution Problem in advanced operating systemMerlin Florrence
 
fucking shit
fucking shitfucking shit
fucking shiteyalrav
 
Public Key Cryptography
Public Key CryptographyPublic Key Cryptography
Public Key Cryptographyanusachu .
 
Ch09
Ch09Ch09
Ch09Joe Christensen
 
Digital signature
Digital signatureDigital signature
Digital signatureNisha Menon K
 

Recommended

Deniable Encryption Key
Deniable Encryption KeyDeniable Encryption Key
Deniable Encryption KeyIOSR Journals
 
CGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption MechanismCGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption MechanismAmit Singh
 
DOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYDOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYTuhin_Das
 
Key Distribution Problem in advanced operating system
Key Distribution Problem in advanced operating systemKey Distribution Problem in advanced operating system
Key Distribution Problem in advanced operating systemMerlin Florrence
 
fucking shit
fucking shitfucking shit
fucking shiteyalrav
 
Public Key Cryptography
Public Key CryptographyPublic Key Cryptography
Public Key Cryptographyanusachu .
 
Ch09
Ch09Ch09
Ch09Joe Christensen
 
Digital signature
Digital signatureDigital signature
Digital signatureNisha Menon K
 
Chaos Based Direct Public Verifiable Signcryption Scheme
Chaos Based Direct Public Verifiable Signcryption SchemeChaos Based Direct Public Verifiable Signcryption Scheme
Chaos Based Direct Public Verifiable Signcryption SchemeIOSR Journals
 
The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)Vishal Kumar
 
Network security cs9 10
Network security cs9 10Network security cs9 10
Network security cs9 10Infinity Tech Solutions
 
Authentication Protocols
Authentication ProtocolsAuthentication Protocols
Authentication ProtocolsTrinity Dwarka
 
Cryptography
CryptographyCryptography
CryptographyLearn 2 Be
 
Cryptography and PKI
Cryptography and PKICryptography and PKI
Cryptography and PKIRabei Hassan
 
Java Crypto
Java CryptoJava Crypto
Java Cryptophanleson
 
De-anonymize tor hidden services
De-anonymize tor hidden servicesDe-anonymize tor hidden services
De-anonymize tor hidden servicesAndrea Bissoli
 
Ch07
Ch07Ch07
Ch07Joe Christensen
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONraf_slide
 
Public key Cryptography & RSA
Public key Cryptography & RSAPublic key Cryptography & RSA
Public key Cryptography & RSAAmit Debnath
 
Kerberos IV inductive analisys
Kerberos IV inductive analisysKerberos IV inductive analisys
Kerberos IV inductive analisysGiacomo De Liberali
 
2. public key cryptography and RSA
2. public key cryptography and RSA2. public key cryptography and RSA
2. public key cryptography and RSADr.Florence Dayana
 
Network security cs8
Network security cs8Network security cs8
Network security cs8Infinity Tech Solutions
 
Encryption and Key Distribution Methods
Encryption and Key Distribution MethodsEncryption and Key Distribution Methods
Encryption and Key Distribution MethodsGulcin Yildirim Jelinek
 
Ch13
Ch13Ch13
Ch13Joe Christensen
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key CryptosystemDevakumar Kp
 
Message authentication between the nodes
Message authentication between the nodesMessage authentication between the nodes
Message authentication between the nodesSelva Raj
 
Digital signature
Digital signatureDigital signature
Digital signatureSadhana28
 
International Journal of Engineering and Science Invention (IJESI)
International Journal of Engineering and Science Invention (IJESI)International Journal of Engineering and Science Invention (IJESI)
International Journal of Engineering and Science Invention (IJESI)inventionjournals
 
Secure 3 kany-vanda
Secure 3 kany-vandaSecure 3 kany-vanda
Secure 3 kany-vandaVanda KANY
 
Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Vishal Kumar
 

More Related Content

What's hot

Chaos Based Direct Public Verifiable Signcryption Scheme
Chaos Based Direct Public Verifiable Signcryption SchemeChaos Based Direct Public Verifiable Signcryption Scheme
Chaos Based Direct Public Verifiable Signcryption SchemeIOSR Journals
 
The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)Vishal Kumar
 
Authentication Protocols
Authentication ProtocolsAuthentication Protocols
Authentication ProtocolsTrinity Dwarka
 
Cryptography and PKI
Cryptography and PKICryptography and PKI
Cryptography and PKIRabei Hassan
 
De-anonymize tor hidden services
De-anonymize tor hidden servicesDe-anonymize tor hidden services
De-anonymize tor hidden servicesAndrea Bissoli
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONraf_slide
 
Public key Cryptography & RSA
Public key Cryptography & RSAPublic key Cryptography & RSA
Public key Cryptography & RSAAmit Debnath
 
2. public key cryptography and RSA
2. public key cryptography and RSA2. public key cryptography and RSA
2. public key cryptography and RSADr.Florence Dayana
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key CryptosystemDevakumar Kp
 
Message authentication between the nodes
Message authentication between the nodesMessage authentication between the nodes
Message authentication between the nodesSelva Raj
 
Digital signature
Digital signatureDigital signature
Digital signatureSadhana28
 
International Journal of Engineering and Science Invention (IJESI)
International Journal of Engineering and Science Invention (IJESI)International Journal of Engineering and Science Invention (IJESI)
International Journal of Engineering and Science Invention (IJESI)inventionjournals
 

What's hot (20)

Chaos Based Direct Public Verifiable Signcryption Scheme
Chaos Based Direct Public Verifiable Signcryption SchemeChaos Based Direct Public Verifiable Signcryption Scheme
Chaos Based Direct Public Verifiable Signcryption Scheme
 
The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)
 
Network security cs9 10
Network security cs9 10Network security cs9 10
Network security cs9 10
 
Authentication Protocols
Authentication ProtocolsAuthentication Protocols
Authentication Protocols
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography and PKI
Cryptography and PKICryptography and PKI
Cryptography and PKI
 
Java Crypto
Java CryptoJava Crypto
Java Crypto
 
De-anonymize tor hidden services
De-anonymize tor hidden servicesDe-anonymize tor hidden services
De-anonymize tor hidden services
 
Ch07
Ch07Ch07
Ch07
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTION
 
Public key Cryptography & RSA
Public key Cryptography & RSAPublic key Cryptography & RSA
Public key Cryptography & RSA
 
Kerberos IV inductive analisys
Kerberos IV inductive analisysKerberos IV inductive analisys
Kerberos IV inductive analisys
 
2. public key cryptography and RSA
2. public key cryptography and RSA2. public key cryptography and RSA
2. public key cryptography and RSA
 
Network security cs8
Network security cs8Network security cs8
Network security cs8
 
Encryption and Key Distribution Methods
Encryption and Key Distribution MethodsEncryption and Key Distribution Methods
Encryption and Key Distribution Methods
 
Ch13
Ch13Ch13
Ch13
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key Cryptosystem
 
Message authentication between the nodes
Message authentication between the nodesMessage authentication between the nodes
Message authentication between the nodes
 
Digital signature
Digital signatureDigital signature
Digital signature
 
International Journal of Engineering and Science Invention (IJESI)
International Journal of Engineering and Science Invention (IJESI)International Journal of Engineering and Science Invention (IJESI)
International Journal of Engineering and Science Invention (IJESI)
 

Similar to Scimp paper

Secure 3 kany-vanda
Secure 3 kany-vandaSecure 3 kany-vanda
Secure 3 kany-vandaVanda KANY
 
Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Vishal Kumar
 
Cryptographic Agility in Corda
Cryptographic Agility in CordaCryptographic Agility in Corda
Cryptographic Agility in CordaGuy Hochstetler
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidOwaspCzech
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidFilip Šebesta
 
CNS_Solutions-Adi.pdf
CNS_Solutions-Adi.pdfCNS_Solutions-Adi.pdf
CNS_Solutions-Adi.pdfAdiseshaK
 
CNS Solutions-Adi.pdf
CNS Solutions-Adi.pdfCNS Solutions-Adi.pdf
CNS Solutions-Adi.pdfAdiseshaK
 
Iaetsd a survey on cloud storage security with
Iaetsd a survey on cloud storage security withIaetsd a survey on cloud storage security with
Iaetsd a survey on cloud storage security withIaetsd Iaetsd
 
Cost effective authentic and anonymous
Cost effective authentic and anonymousCost effective authentic and anonymous
Cost effective authentic and anonymousnexgentech15
 
Cost-Effective Authentic and Anonymous Data Sharing with Forward Security
Cost-Effective Authentic and Anonymous Data Sharing with Forward Security Cost-Effective Authentic and Anonymous Data Sharing with Forward Security
Cost-Effective Authentic and Anonymous Data Sharing with Forward Securitynexgentechnology
 
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITYCOST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITYNexgen Technology
 
Comptia Security+ Exam Notes
Comptia Security+ Exam NotesComptia Security+ Exam Notes
Comptia Security+ Exam NotesVijayanand Yadla
 

Similar to Scimp paper (20)

Secure 3 kany-vanda
Secure 3 kany-vandaSecure 3 kany-vanda
Secure 3 kany-vanda
 
Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2
 
Cryptography
CryptographyCryptography
Cryptography
 
Module 2.pdf
Module 2.pdfModule 2.pdf
Module 2.pdf
 
Module 2.Cryptography and Cryptanalysis
Module 2.Cryptography and CryptanalysisModule 2.Cryptography and Cryptanalysis
Module 2.Cryptography and Cryptanalysis
 
A Secure Proxy Signature Scheme with Fault Tolerance Based On Discrete Logari...
A Secure Proxy Signature Scheme with Fault Tolerance Based On Discrete Logari...A Secure Proxy Signature Scheme with Fault Tolerance Based On Discrete Logari...
A Secure Proxy Signature Scheme with Fault Tolerance Based On Discrete Logari...
 
Cryptographic Agility in Corda
Cryptographic Agility in CordaCryptographic Agility in Corda
Cryptographic Agility in Corda
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
CNS_Solutions-Adi.pdf
CNS_Solutions-Adi.pdfCNS_Solutions-Adi.pdf
CNS_Solutions-Adi.pdf
 
CNS_Solutions-Adi.pdf
CNS_Solutions-Adi.pdfCNS_Solutions-Adi.pdf
CNS_Solutions-Adi.pdf
 
CNS Solutions-Adi.pdf
CNS Solutions-Adi.pdfCNS Solutions-Adi.pdf
CNS Solutions-Adi.pdf
 
H42063743
H42063743H42063743
H42063743
 
Iaetsd a survey on cloud storage security with
Iaetsd a survey on cloud storage security withIaetsd a survey on cloud storage security with
Iaetsd a survey on cloud storage security with
 
Encryption in Cryptography
Encryption in CryptographyEncryption in Cryptography
Encryption in Cryptography
 
Cost effective authentic and anonymous
Cost effective authentic and anonymousCost effective authentic and anonymous
Cost effective authentic and anonymous
 
Cost-Effective Authentic and Anonymous Data Sharing with Forward Security
Cost-Effective Authentic and Anonymous Data Sharing with Forward Security Cost-Effective Authentic and Anonymous Data Sharing with Forward Security
Cost-Effective Authentic and Anonymous Data Sharing with Forward Security
 
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITYCOST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
 
Lec 3.pptx
Lec 3.pptxLec 3.pptx
Lec 3.pptx
 
Comptia Security+ Exam Notes
Comptia Security+ Exam NotesComptia Security+ Exam Notes
Comptia Security+ Exam Notes
 

More from Комсс Файквэе

Rp data breach-investigations-report-2013-en_xg
Rp data breach-investigations-report-2013-en_xgRp data breach-investigations-report-2013-en_xg
Rp data breach-investigations-report-2013-en_xgКомсс Файквэе
 
Hta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingHta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingКомсс Файквэе
 

More from Комсс Файквэе (20)

Ksb 2013 ru
Ksb 2013 ruKsb 2013 ru
Ksb 2013 ru
 
Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013
 
Rp data breach-investigations-report-2013-en_xg
Rp data breach-investigations-report-2013-en_xgRp data breach-investigations-report-2013-en_xg
Rp data breach-investigations-report-2013-en_xg
 
Apwg trends report_q2_2013
Apwg trends report_q2_2013Apwg trends report_q2_2013
Apwg trends report_q2_2013
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013
 
Ey giss-under-cyber-attack
Ey giss-under-cyber-attackEy giss-under-cyber-attack
Ey giss-under-cyber-attack
 
Hta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingHta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijacking
 
Analitika web 2012_positive_technologies
Analitika web 2012_positive_technologiesAnalitika web 2012_positive_technologies
Analitika web 2012_positive_technologies
 
B istr main-report_v18_2012_21291018.en-us
B istr main-report_v18_2012_21291018.en-usB istr main-report_v18_2012_21291018.en-us
B istr main-report_v18_2012_21291018.en-us
 
Threat report h1_2013
Threat report h1_2013Threat report h1_2013
Threat report h1_2013
 
B intelligence report-08-2013.en-us
B intelligence report-08-2013.en-usB intelligence report-08-2013.en-us
B intelligence report-08-2013.en-us
 
Dtl 2013 q2_home.1.2
Dtl 2013 q2_home.1.2Dtl 2013 q2_home.1.2
Dtl 2013 q2_home.1.2
 
Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012
 
Kaspersky lab av_test_whitelist_test_report
Kaspersky lab av_test_whitelist_test_reportKaspersky lab av_test_whitelist_test_report
Kaspersky lab av_test_whitelist_test_report
 
The modern-malware-review-march-2013
The modern-malware-review-march-2013 The modern-malware-review-march-2013
The modern-malware-review-march-2013
 
Dtl 2012 kl-app_ctl1.2
Dtl 2012 kl-app_ctl1.2Dtl 2012 kl-app_ctl1.2
Dtl 2012 kl-app_ctl1.2
 
Panda labs annual-report-2012
Panda labs annual-report-2012Panda labs annual-report-2012
Panda labs annual-report-2012
 
H02 syllabus
H02 syllabusH02 syllabus
H02 syllabus
 
Course reader-title
Course reader-titleCourse reader-title
Course reader-title
 
Rp threat-predictions-2013
Rp threat-predictions-2013Rp threat-predictions-2013
Rp threat-predictions-2013
 

Recently uploaded

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 

Scimp paper

  • 1. Silent Circle Instant Messaging Protocol Protocol Specification Authors: Vinnie Moscaritolo, Gary Belvin, Phil Zimmermann Date: December 5, 2012 Version: 1.0
  • 2. Silent Circle Instant Messaging Protocol Table of Contents Introduction!........................................................................................................................3 High-level SCIMP features!................................................................................................4 Basic Protocol Overview!...................................................................................................5 Key Agreement!................................................................................................................12 Message Encryption!........................................................................................................17 Protocol Details!...............................................................................................................22 Appendix A: Document History !.......................................................................................25 References.!.....................................................................................................................26 Page 2 of 26
  • 3. Silent Circle Instant Messaging Protocol Introduction Silent Circle Instant Messaging Protocol (SCIMP) enables you to have a private conversation over instant message transports such as XMPP (Jabber). You could argue that the world doesn't really need another instant message protocol, but the existing protocols didn't have all of the features we wanted, or had unnecessary complexity. SCIMP draws from a number of related protocols. In designing SCIMP, we have drawn many ideas from: • ZRTP: Media Path Key Agreement for Unicast Secure RTP [ZRTP] • OTR: Off The Record [OTR] • SSMS: Secure Short Message Service [BELV] • Cryptocat: The Cryptocat Project [NADM] SCIMP provides strong encryption, perfect forward secrecy and message authentication. Further, we have incorporated many NIST-approved methods and protocols into its design including: • Elliptic Curve Diffie–Hellman (ECDH), NIST 800-56A • Counter with CBC-MAC (CCM), NIST 800-38C • Key Derivation, NIST 800-108 • Secure Hash Standard, FIPS 180-4 • Advanced Encryption Standard (AES), FIPS 197 While it is not our immediate intent to FIPS-140 validate the SCIMP library, we have experience with that process and the overall design is not incompatible with that goal. We have also optionally added the Skein family of hash and message authentication function as a cipher suite. Page 3 of 26
  • 4. Silent Circle Instant Messaging Protocol The protocol is placed completely into the public domain, and the implementation code is open source. It is designed and written by Silent Circle, LLC. High-level SCIMP features SCIMP has a number of features: Easily analyzed, easily implemented. This was important to us, it’s one thing to put our code for open source, but it is next to useless if the code is difficult to analyzed and build. Relatively few options. Options are both good and bad in a crypto protocol. If there are too few of them, then the protocol can't change with the times. If there are too many, the protocol is hard to build, test, and vet. NIST-vetted crypto primitives. While we don't always want to limit ourselves only to that suite, NIST selection and documentation of crypto primitives is a great place to start, so we did. Full 128-bit security. SCIMP is built to have a minimum of 128-bit security through-and-through. Simple, integrated authentication. All communications have the problem of how to authenticate to your partner the first time you talk, to reject man-in-the-middle and other eavesdroppers. SCIMP uses simple mechanisms that can integrate with voice communication and share that authentication. Designed for mobile devices Page 4 of 26
  • 5. Silent Circle Instant Messaging Protocol After examining the popular text encrypting protocols we discovered that they had a number of shortcomings when employed over mobile devices. SCIMP has been designed for use with mobile devices from the beginning. Basic Protocol Overview A lot of the SCIMP design derives from ZRTP. The key agreement protocol employs an ephemeral Elliptic Curve Diffie-Hellman (EC-DH) key agreement to establish a shared secret without invoking a trusted third-party. Authenticity is provided by key continuity using hash commitments of a shared secret, similar to ZRTP and optionally a verbal form of user authentication. Together, key continuity and user authentication prevent man-in-the-middle attacks from going unnoticed. The data messages are protected with authenticated encryption using Counter with Cipher Block Chaining-Message Authentication Code (CCM), as defined in NIST Special Publication SP800-38C. Key Negotiation The Key Agreement Protocol for SCIMP establishes an ephemeral shared secret using a minimal set of messages. SCIMP uses the Elliptic Curve Diffie-Hellman (ECDH) primitive for shared secret computation, with key continuity and one-time verbal authentication for man-in-the-middle detection. Page 5 of 26
  • 6. Silent Circle Instant Messaging Protocol SCIMP has the advantage of being completely peer-to-peer. There is no need for third parties and you don’t have to worry about preventing accidental exposure of long term secrets. SCIMP begins with the initiator sending a hash commitment to the responder on a freshly generated ECDH public key. The responder generates and sends back his public key, without knowing the initiator’s public key. Because the initiator also generated her public key without knowing the responder’s key, an adversary was prevented from controlling the result of the Diffie-Hellman computation. Hashes of a cached secret are also included in the first two messages. The cached secret is a bit of key material saved from previous executions of the protocol, if applicable (in the absence of a cached secret a random value is sent). The two parties can use this to determine if they have shared key material that matches. Because someone attempting a man-in-the-middle attack wouldn’t know or have access to this shared key material, it provides both parties a way to identify if someone is attempting to impersonate the other. The last step of SCIMP involves sending a message authentication code on a known value to the other party, proving that the protocol completed successfully and that the initiator has access to her private key. Once this has been confirmed, both parties refresh their cached secret with a new value derived from the freshly computed shared secret. This action breaks the advantage of an adversary who may have previously compromised cached secrets. As soon as an authentic key agreement takes place, a new cached secret is generated and secrecy is restored to the protocol. Page 6 of 26
  • 7. Silent Circle Instant Messaging Protocol Once SCIMP has completed, a Short Authentication String (SAS) is displayed to the user to verify the absence of a man-in-the-middle attack. Due to key continuity, the user may verify the SAS with the other party at any time. Using a phone to contact the other party, for example, the user can gain confidence in the identity of the other party based on a number of clues using standard human interaction. An attacker would need to duplicate all these clues when the two parties were checking the SAS and remain undetected while leaving the rest of the conversation undistorted in order to be successful. Alice <Responder Bob <Initiator> Commit Version, Options, H(Pki), Hcs Pkr, Hcs DH1 Pki, MAC DH2 MAC Confirm Data Conclude (optional) SeqNum, CCM(Data, MsgIndex), Tag SeqNum, MAC(MsgIndex) Figure 1: SCIMP Protocol Diagram Page 7 of 26 Data Conclude (optional)
  • 8. Silent Circle Instant Messaging Protocol Algorithms and Ciphers The SCIMP initiator specifies what suite of algorithms to use in the commit message. If the responder does not support the algorithms requested, the responder ignores that commit message. The responder can send his own commit message, specifying a different suite of algorithms to use, starting the process over. Table 1 describes the options and their meanings. Suite Hash KDF/MAC Cipher Public Key 1 SHA-256 HMAC/SHA-256 AES-128 ECC-384 2 SHA-512/256 HMAC/SHA-512 AES-256 ECC-384 3 SKEIN-512/256 SKEIN-MAC-512 AES-256 ECC-384 Table 1: SCIMP Cipher Suites Hash Commitment The hash commitment forces the adversary to select a public key without knowing the other party’s key. This restricts the adversary to one attempt at finding a collision in the short authentication string (SAS), thus allowing the SAS to be much shorter than it otherwise would need to be. Without the hash commitment, the adversary could acquire the public keys for his two victims before searching for his own pair of keys that would result in an SAS collision. Such a collision would allow the adversary to set up two agreements that generated the same SAS string on both victim devices for a successful and undetected man-in-the-middle attack. Page 8 of 26
  • 9. Silent Circle Instant Messaging Protocol This attack is restricted in SCIMP by forcing the adversary to select a public key prior to knowing the public key of the other party. Without the other key, the adversary cannot predict what the SAS value will be, and is forced to make a single blind guess. The hash commitment Hc is checked when the initiator sends his public key in DH2 (see Figure 1). If the check fails, a man-in-the-middle attack is in progress. The user is warned, and the protocol stopped. The hash commitment is performed on the Pki as it is sent in the DH2 message, using network byte order with BER encoding. Hc = H(Pki) (512 bits) (1.1) Commit Contention Two end points may attempt to initiate a key negotiation at the same time. Each end point may send the other a commit message before receiving the commit message of the former. The protocol will flag an error and it is up to the application to decide what to do. One way this contest can broken is to compare the hash values of the hash commitment in big endian integer format, and discarding the message with the lower value. The side that sent the commit with the higher value becomes the initiator and the other side, the responder. Cached Secret Comparison Each device stores a long term cached secret for each party it has successfully executed the protocol with in the past. These cached secrets are tied into the key derivation function to achieve key continuity. Key continuity gives us confidence that the user with which are communicating today is the same person with which we communicated last week. Key continuity has been used in a number of protocols including SSH[Gut08]. To determine if two parties have cached secrets (cs), each party sends a non-invertible hash of their cached secret to the other. The initiator does this in the commit message, Page 9 of 26
  • 10. Silent Circle Instant Messaging Protocol and the responder includes it in the DH1 message. If no cached secret is available, a random value is substituted for cs to avoid leaking information about the cache state. Hcsi is sent in the commit message and Hcsr is sent in DH1. To further avoid leaking information about the state of the cached secret, the MAC is computed on a salt available in the commit and DH1 messages. Hcsi = MAC(cs,H(Pki) ||“Initiator”) (First 64 bits) (1.2) Hcsr = MAC(cs,H(Pkr) ||“Responder”) (First 64 bits) (1.3) These values are computed locally and compared against the values received from the other party to determine the presence of a cached secret. If the hashes match, the cached secret exists and is shared between both parties. If they do not match, a null is used in place of cs in the key derivation function. If a device stores a cached secret for a particular party, the cached secret comparison is expected to succeed. If the comparison fails when a cached secret is available, then one of the parties may have lost their secrets due to a device reset, or there may be a man-in-the-middle (MiTM) attack in progress. In the case of a mismatch, the user must be warned that a MiTM attack may be underway, and advise the user to verify the short authentication string as soon as possible to verify that the MiTM is not present. If a mismatch occurs, the cache is not updated until after the user has verified the short authentication string (SAS) with the other party. The user should be warned of this condition on every key agreement until the condition has been resolved. When no attacker is suspected, the cached secret cache is updated with a new value after a successful key agreement has been confirmed by receipt of confirmation MACs cs = KDF(Z, “RetainedSecret”, Context, 256) (1.4) Because previous cached secret key material is mixed into the key derivation, a successful attack on key negotiation must involve both a compromise of the cached Page 10 of 26
  • 11. Silent Circle Instant Messaging Protocol secrets on the device as well as a man-in-the-middle attack on the next key negotiation. If the adversary misses just one key negotiation, the cached secrets are replaced with fresh, secret values and the protocol self-heals. Short Authentication String (SAS) The Short Authentication String (SAS) is the first 20 bits of the SAS hash. The commit message includes a designation of what SAS rendering scheme to use: • 0x01 The SAS is displayed to the user as a 4 character Base32 string using the encoding described in section 5.1.6 of RFC 6189[ZJC11]. That encoding scheme is designed for ease of human use. The output alphabet is all lower case, excludes characters that are easily confused, and padding characters are left out. • 0x02 The 4 characters of the prior scheme are displayed to the user using the NATO phonetic alphabet as an aid to auditory clarity in verbal confirmation. If the end-point interface is not large enough for NATO words, however, this option downgrades to the first option. • 0x03 The SAS is displayed to the user as 6 hexadecimal letters Ksas =KDF(Kdk2,“SAS”,Context,20) (1.5) Silent Circle recommends that users make use of an alternative method to establish the identity of the receiving party and verify that the user has the same SAS value. A phone call would be sufficient for this purpose since confidence building cues such as voice timbre and manner of speech are present. These cues make it difficult for an adversary to convincingly impersonate the other party without being detected. If the two parties are physically co-located, they may even be able to compare their short authentication strings by placing their devices side-by-side. Page 11 of 26
  • 12. Silent Circle Instant Messaging Protocol Because the verification of the SAS cannot be automated, the security of SCIMP is dependent on the initiative of the user. This opens a window of vulnerability for lackadaisical users as an adversary may successfully perform a man-in-the-middle attack without detection until the first comparison of the SAS. This vulnerability is offset by several considerations. The first is that the key continuity properties require the presence of the adversary during every key agreement. An absence during just one key negotiation would alert the user that key continuity has been broken, and subsequent key negotiations would be secure against undetected man-in-the-middle attacks. The second implication from key continuity is that a successful verification of the SAS means that all previous key agreements have succeeded without interference from the adversary. Partial Public Key Validation Before using the public keys in DH1 and DH2 for computation, the keys must be verified. Public keys must have the correct modulus and not be the point at infinity. Full validation would also check that the public key is in the same subgroup as our ECC domain parameter curve, but this is an expensive operation for resource constrained devices. The validation routing is performed as specified in 5.6.2.6 of NIST Special Publication 800- 56A[BJS07]. If any of the checks fail, the user should be alerted that a weak key attack is under way, and the protocol must be terminated. 1. Q must not be the point at infinity. 2. Q must be in the valid range of the elliptic curve group. Key Agreement The shared secret is computed using the process described in section 6.1.2.2 of NIST Special Publication 800-56A[BJS07]. Page 12 of 26
  • 13. Silent Circle Instant Messaging Protocol Once the public key from the other party has been verified, the Elliptic Curve Cryptography Cofactor Diffie-Hellman (ECC CDH) Primitive is used to compute the shared secret Z as specified in section 5.7.1.2 of NIST SP 800-56A. Given (q, F R, a, b, G, n, h)1 as domain parameters, dA, one’s own private key and QB, the other party’s public key, compute Z: P = hdAQB (3.8) Z = xp (where xp is the x coordinate of P) (3.9) The next task is to convert Z, which is a field element, into a random bit string suitable for keying material. A naive approach might be to apply a hash function to Z, but this is problematic for two reasons: Hash functions are not guaranteed to have PseudoRandom Function (PRF) properties, only collision and pre-image resistance. Secondly, hash functions need to be computed on random values in order to guarantee the randomness of their outputs. If the input is not random, the output of a static hash function can be easily reversed. Therefore, Krawczyk[Kra10] and a draft Special Publication 800-56C[Che10] from NIST separate randomness extraction and key expansion into two separate steps. Extract Z is transformed into a random key derivation key Kdk using a MAC keyed with a salt value. KAPS uses a hash of all the messages sent and received Htotal for the salt. Htotal = H(commit || DH1 || Pki ) - 256 bit hash (1.10) Kdk = MAC(Htotal,Z) - where Z is the DH of Pki and PKr (1.11) Enhance Before the key derivation key is ready to be expanded for application specific purposes, the cached secret must be mixed in. The mixing is performed using the same function as the expand step, with cached secrets being used in the context field. Kdk2 =MAC(Kdk,1 || “MasterSecret” ||0x00 || MasterContext || 256) Page 13 of 26 (1.12)
  • 14. Silent Circle Instant Messaging Protocol MasterContext = AlgorithmID || InitInfo || RespInfo || SuppPubInfo || SuppPrivInfo (1.13) Where AlgorithmID describes the algorithm: “SCimp-ENHANCE” InitInfo is identifying information for the initiator: strlen(Initiator’s JID) || (Initiator’s JID) RespInfo is identifying information for the responder strlen(responder’s JID) || (responder’s JID) SuppPubInfo is a nonce for which Htotal will suffice. SuppPrivInfo is the cached secret (if it exists): len(cs) || cs. If no cached secret exists for this agreement, the length of cs is 0 followed by nothing: 0 Expand Finally, Kdk2 is expanded using the KDF for SCIMP to generate a separate master session key for each direction of the secure symmetric conversation. The context in this case is a simplified version of the master context. KItoR =KDF(Kdk2,“InitiatorMasterKey”,Context,256) (3.14) KRtoI =KDF(Kdk2,“ResponderMasterKey”,Context,256) (3.15) The SCIMP key derivation function is defined as the L left most bits of the MAC computed in the following way, where L must not exceed the size of the MAC function’s output: KDF(K, Label, Context, L) = MAC(K, Counter||Label||0x00||Context||L) K is a secret random bit string. Page 14 of 26 (3.16)
  • 15. Silent Circle Instant Messaging Protocol L is the length in bits of the output key material encoded as a 4 octet integer. Label identifies the purpose of the output key material. Counter is required by NIST Special Publication 800-108[Che09] and is always 1 since we limit the output length of the KDF to be less than the output length of the MAC. The counter is encoded as a 4 octet integer. Context is a binary string that ties the output key material to the particular situation in which it is being used. Context = InitiatorJIDInfo | ResponderJIDInfo | SupPubInfo InitiatorJIDInfo is identifying information for the initiator: len(Initiator JID)| Initiator JID. ResponderJIDInfo is identifying information for the initiator: len(Responder JID)| Responder JID SuppPubInfo is a nonce for which Htotal will suffice. As soon as intermediate keys Kdk, Kdk2, and other intermediate key material is no longer needed, or if there is an error they must be erased from memory. Commit || DH1 || PKi Expand Ksnd Hash Salt (256) Expand Other Party's EC Pub Key Krcv EC-DH ANSI X9.63 Z (384) Expand Randomness Extraction KmacI (256) Our EC Priv Key Expand KmacR (256) Kdk (256) Kdk2 (256) Expand SAS (20) Cached Secret Enhance Expand CS1 Expand Ircv (64) Expand Isnd (64) Page 15 of 26
  • 16. Silent Circle Instant Messaging Protocol Key Confirmation The last step in the protocol involves giving the other party assurance that the protocol completed successfully and that he is in possession of the correct symmetric key. This is accomplished by sending a MAC computed on a known value under a key derived from Kdk2. The initiator’s confirmation is sent in the DH2 message, and the responder’s confirmation is sent in the Confirm message. KmacI =KDF(Kdk2,“InitiatorMACKey”,Context, cipherLen) (3.18) KmacR =KDF(Kdk2,“ResponderMACKey”,Context, cipherLen) (3.19) maci = MAC(KmacI , Htotal ) (first 64 bits) (3.20) macr= MAC(KmacR, Htotal) (first 64 bits) (3.21) After the key confirmation has been successfully validated, parties update their cached shared secret cs. (Provided a man in the middle attack was not suspected as noted in section 3.7) The previous shared secret is erased and replaced with the new shared secret as calculated in equation Page 16 of 26
  • 17. Silent Circle Instant Messaging Protocol Message Encryption SCIMP encrypts the actual message payload using AES in CCM block cipher mode. The CCM mode of operation defines an authenticated encryption scheme, the security of which rests on a single cryptographic primitive, the block cipher. CCM is also attractive due to its ability to authenticate cleartext header data in addition to cipher-text data. Each message is encrypted with a distinct key. The actual key material is split in half and the upper is used as the key while the lower bits are used for the Initialization Vector. A sequence number is also fed to the CCM algorithm to limit replay protection. Initial Message Index SCIMP uses the KDF to compute the initial sequence number for the CCM encryption process. Since this function is only called once for any master key, the static nonce is appropriate. sessionId = H( strlen(initiator JID) || (initiator JID) || strlen(responder’s JID) || (responder’s JID) ) iSnd = KDF(Kmaster , “InitiatorInitialIndex”, sessionId ||0, 64) iRcv = KDF(Kmaster , “InitiatorInitialIndex”, sessionId ||0, 64) Each addition index number is an increment of the previous. iSnd1 = iSnd + 1; Forward Secrecy SCIMP uses distinct keys to encrypt each message and in each direction. The initial Ksnd and Krcv keys are created from the expansion process as described above. SCIMP then derives further key material using a hash based key derivation function that is compliant with NIST Special Publication 800-108[Che09] section 5.1. Since each key is computed from the previous using the non-invertible key derivation function the result is a chain of keys that protects the security of prior messages when a Page 17 of 26
  • 18. Silent Circle Instant Messaging Protocol single key is compromised. Keys are also erased from memory as soon as they are no longer needed to prevent unneeded leakage in the event that a device is forensically analyzed. Each key is derived by hashing the previous key with the session identifier as well as the message index. The initial message index is computed from the key expansion process K0 = KDF(Kmaster,“MessageKey”,session identifier||i0) Kn = KDF(Kn−1, “MessageKey”, session identifier||iN) Where i0 and iN correspond to the appropriate index for that direction (iSnd and iRcv). Kmaster KDF i0 KDF K0 i1 KDF K1 i2 KDF K2 SCIMP Message Key Derivation Page 18 of 26
  • 19. Silent Circle Instant Messaging Protocol Padding and CCM The data passed to CCM is padded. Messages shorter than 32 bytes are padded to 32 bytes and messages longer than 32 are padded to the next multiple of 16. The actual byte used to pad is the number of bytes added to pad. For example a message of 9 bytes long will have an addition 21 bytes of 0x15 added. Page 19 of 26
  • 20. Silent Circle Instant Messaging Protocol Example Message Processing 1. Bob generates a ECDH key pair and computes and send the hash Commit Packet. 2. Alice Receives the hash commitment from the initiator and generates her own ECDH key pair, sends the public key in a DH1 message 3. Bob receives DH1 message. Verifies that shared secrets match as expected. If not, warn user of a man-in-the-middle attack. Verifies that the responder’s public key is valid using the algorithm specified Computes master and session keys. Sends DH2 with confirmation MAC. 4. Alice Receives the initiator’s DH2 public key. Verifies the hash commitment received earlier. Verifies that the shared secrets match as expected. If not, warn the user of a man-in-the-middle attack. Verifies the initiator’s public key. Compute master and session keys. Verifies the confirmation code. Update shared secrets. Sends her confirmation code in a confirm packet 5. Bob receives and verifies the confirmation code. Updates shared secrets. and is read to send messages. Page 20 of 26
  • 21. Silent Circle Instant Messaging Protocol ! ! Alice <Responder Bob <Initiator> Commit Version, Options, H(Pki), Hcs Pkr, Hcs DH1 Pki, MAC DH2 MAC Confirm Data SeqNum, CCM(Data, MsgIndex), Tag ! Page 21 of 26 Data
  • 22. Silent Circle Instant Messaging Protocol Protocol Details SCIMP can be transported over a variety of wire formats. SCIMP support JSON, XML or a more compact binary format. The version of SCIMP the Silent Circle uses encodes the protocol as JSON packets wrapped in a Rad64. AS mentioned above SCIMP uses 4 kinds of packets to establish the secret keys: commit, dh1, dh2 and confirm. Commit is the start of the keying process, where the initiator creates a ECC key pair but only send a hash of the public key, along with some HMAC information that might indicate if they have had a shared secret in the past. { } "commit": { "version": 1, "cipherSuite": 1, "sasMethod": 1, "Hpki": "s18C+pKU2b81vysPfnRsviMieziZ5i0YrbQXpkdzgSo=", "Hcs": "bx/ScjJQU1s=" } When the recipient receives a Commit, it check packet for valid options and then creates it's own ECC key and responds by sending the public key back to the initiator with a DH1 packet. It also includes a HMAC of a previously shared secret. { "dh1": { "PKr": "MGwDAgcAAgEwAjEAsI23okNBcGV1qy0RsliSKBpQNf3095weuQXsfcur4s0r9+hpA3jlg75RIcTYiPByAjAto kuW22OFhAb63ZiDmdE3an06aGJaCT4Ywmy3ywYWDJrkIrkIVcHAdxfupjoN/A0=", "Hcs": "Sgd9nFcLvYs=" } } Page 22 of 26
  • 23. Silent Circle Instant Messaging Protocol At this point the Initiator has enough information to complete the ECC - Diffie Hellman process, and derives both the sending and receive communication keys. The initiator then replies with a DH2 packet which contains a copy of the public key it previously send a hash of and a HMAC of the current shared secret. { "dh2": { "PKi": "MG0DAgcAAgEwAjEAmS2t3VvYXkSYLWuZ4vDQfJpL2VrCxOrkj2E4v/ 6EOxfk9USrdLnVUIhHbSmVpD5vAjEA93WVAfM9STK3zPV2M4NuJlcrGlvCD/ CVhClxtpua6lEBHi5E5bPOTrFszlmrF7qd", "maci": "KeO29YxeB80=" } } The recipient uses the DH2 information to complete it's ECC - Diffie Hellman process and derives a copy of the communications keys also. To ensure that both sides are on the same page, the recipient replies with a CONFIRM packet which contains an HMAC of the new shared secret. { } "confirm": { "macr": "/jo+3Bz8dPw=" } Once a the keys are established, SCIMP can then send the user message using a DATA packet. The actual message is encrypted using AES in the Counter with CBCMAC (CCM) mode. This provides us a message authentication code of both the message and the sequence number. { "data": { "seq": 51323, "mac": "ykRzxqvCR4lPj2/yL38C+Q==", "msg": "s8o4Ad8qn45uXauVAPAWFQ16Ns2jeV0D3ADYGreCNXW6STs6IW/ dx8Om6VAUgpuKVRg4WPBGUHvbqqv91AQ/Sw==" } } Page 23 of 26
  • 24. Silent Circle Instant Messaging Protocol In order to ensure that the messages arrive intact over protocols such as XMPP the JSON packets are encoded in rad64 with a header or "?SCIMP:" and terminated with a period. For example when the last data packet goes over the XMPP, it actually looks like. Example SCIMP Message <message type="chat"from='velma@silentcircle.com' to='daphne@silentcircle.com' id="0FF6CF98-32FE-4EED-9DEF-D66A0E50EA8F"><body/><x xmlns="http:// silentcircle.com">? SCIMP:ewogICAgImRhdGEiOiB7CiAgICAgICAgInNlcSI6IDE1MDcyLAogICAgICAgICJtYWMiOiAiZlp YYURlQ1ljVTA9IiwKICAgICAgICAibXNnIjogIkloT051Sm9kK0Fjb09KQ1prZ0xHQXliSmJjbC9WNzhl cmMrSFY4K1FHcUJ2cEdlb2RaSWZwNTRKVWluU2g0N0lZTjFORkJOaXBjTVdubWlsMXVtbi9pcG5rVk8rd VJZdUJuQjdpZXZEK1pZQzBYV0hHQWQ3WWJtOWRsYkpSd0oyIgogICAgfQp9Cg==.</x></message> Page 24 of 26
  • 25. Silent Circle Instant Messaging Protocol Appendix A: Document History Date Rev Author Change 6/1/12! 0.1 vin First complete draft. 6/5/12 0.2 vin Updated API names to start with SCimp 6/19/12 0.3 vin exchange CCM for GCM 6/20/12 0.4 vin SCIMP messages are Rad64 with SCIMP header 6/21/12 0.5 vin minor protocol text corrections 7/16/12 0.6 vin Added message ID to SCimpProcessPacket() 8/21/12 0.7 vin hTotal needed to be a 256 bit hash 8/31/12 0.8 vin minor corrections to hash lengths 10/19/12 0.9 vin cleanup and split API into separate doc 10/22/12 0.10 vin corrections, kudo JimB 12/5/12 vin Updated authors 1.0 Page 25 of 26
  • 26. Silent Circle Instant Messaging Protocol References. [BELV] Gary Belvin. A Secure Text Messaging Protocol, John Hopkins University. (May 2001) [CER] CERT. MSC10-J. Limit the lifetime of sensitive data. http://bit.ly/mwdO26. [Che09] Lily Chen. NIST Special Publication 800-108 Recommendation for Key Derivation Using Pseudorandom Functions (revised). (October), 2009. [Che10] Lily Chen. DRAFT NIST Special Publication 800-56C Recommendation for Key Derivation through Extraction-then-Expansion. (September), 2010. [Gut08] Gutmann. Key Management Through Key Continuity(KCM). Internet Draft, 2008. [Jak] J. Jonsson, On the Security of CTR + CBC-MAC, in Proceedings of Selected Areas in Cryptography – SAC, 2002, K. Nyberg, H. Heys, Eds., Lecture Notes in Computer Science, Vol. 2595, pp. 76-93, Berlin: Springer, 2002. [800-38B] Draft NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: the CMAC Authentication Mode. U.S. DoC/NIST, October 2003. Available at http://csrc.nist.gov/CryptoToolkit/modes. [Krh09] Jan Krhovjak. Cryptographic random and pseudorandom data generators. PhD thesis, Masaryk University, 2009. [NADM] Nadim Kobeissi , CryptoCat, (http://project.crypto.cat). [OTR] Ian Goldberg,Nikita Borisov Off-the-Record Messaging Protocol version 2. (http:// www.cypherpunks.ca/otr/). [RAD64] Wikipedia, Base64 [ZRTP (RFC 6189)] P. Zimmermann, A. Johnston, and J. Callas. ZRTP: Media Path Key Agreement for Unicast Secure RTP. RFC 6189, April 2011. (http://tools.ietf.org/html/rfc6189) Page 26 of 26