🛡️ Security Properties
Signal Protocol Security Analysis
In 15 minutes: Understand what security properties Signal Protocol provides
Prerequisites: X3DH + Double Ratchet
🎯 The Simple Story
The Signal Protocol provides these security guarantees:
- Confidentiality: Eve can't read messages
- Authentication: Sender is who they claim
- Forward secrecy: Past messages safe after compromise
- Post-compromise security: Future messages recover after compromise
- Deniability: Alice can't prove to a third party that Bob sent a message (Bob can deny it!)
🧠 Mental Model
Hold this picture in your head:
Security Properties:
CONFIDENTIALITY:
Eve sees ciphertext → Can't decrypt
Reason: Eve holds none of the message keys K_1, K_2, ... and can't derive them without the session state
AUTHENTICATION:
Eve can't impersonate Bob
Reason: Bob's signed prekey is signed with his identity key, and the X3DH secret includes a DH with that identity key; Eve has neither private key
FORWARD SECRECY:
Eve steals device → Past messages safe
Reason: each K_i is deleted after use, and the chain KDF is one-way, so old keys can't be recomputed from the current state
POST-COMPROMISE SECURITY:
Eve steals device → Future messages recover
Reason: the next DH ratchet steps mix fresh DH output into RK; once the stolen ratchet key is out of play, Eve can't follow
DENIABILITY:
Bob sent a message → Bob can deny it to a third party
Reason: only the signed prekey carries a signature; messages are authenticated with a MAC key Alice holds too, so she could have written them herself
📊 Property-by-Property
1. Confidentiality
Property: Eve can't decrypt messages without the message keys.
How:
- Eve sees ciphertext: "Kj7$mP9q..."
- Needs K_i: never transmitted, derived from the chain key on each endpoint, deleted after use
- Can't derive K_i from the ciphertext or from neighbouring keys: the chain KDF is one-way
Proof sketch:
- K_i exists only briefly on the two endpoints → Eve has no key
- Even if Eve learns K_(i+1), she can't recover K_i: both are outputs of a one-way KDF of the chain key, not inputs to each other
Caveat: this is confidentiality against a network observer. What a compromised endpoint leaks is the subject of forward secrecy and post-compromise security below.
2. Authentication
Property: Eve can't impersonate Bob.
How:
- Bob signs SPK with IK_B → SIG_B (the server stores the bundle but can't forge this)
- Alice verifies SIG_B with IK_B → Can detect swapped prekeys
- X3DH also mixes DH(IK_B, EK_A) into the shared secret, so only the holder of Bob's identity private key can complete the session
- If Eve tries: signature fails (Eve can only sign with Eve's IK), or the two sides derive different secrets and the first message doesn't decrypt
Caveat: this binds the session to whichever IK_B the server handed Alice. Against a malicious server, Alice must compare Bob's identity key out of band (safety number / fingerprint check).
3. Forward Secrecy
Property: Compromise of the current state (RK, chain keys, ratchet private key) doesn't reveal past messages.
How:
- Compromise at message i: Eve gets the current chain key and RK; K_i itself is already deleted once message i is processed
- Messages 1..i-1: K_1..K_(i-1) deleted, and the chain KDF is one-way, so they can't be recomputed from the current chain key
- Messages i+1 onward in the same chain: still derivable from the stolen chain key, until the next DH ratchet step (that is post-compromise security, below)
4. Post-Compromise Security
Property: A one-time compromise of the state is healed once the DH ratchet moves on.
How:
- Eve steals Alice's full state at message 10 (RK, chain keys, ratchet private key a_1)
- Bob's next message carries a fresh ratchet public key b_new; Eve still holds a_1, so she can compute DH(a_1, b_new) and follow RK_new = KDF(RK, DH(a_1, b_new)). Not healed yet.
- Alice's next reply carries a fresh a_new: RK_new' = KDF(RK_new, DH(a_new, b_new)) needs the private half of a_new or b_new, neither of which Eve ever held
- From here Alice and Bob share an RK that Eve can't derive
Caveat: healing assumes Eve's access was one-time and passive. If she stays on the device, or uses the stolen state to run an active man-in-the-middle before the ratchet turns, fresh keys don't help.
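The two device-compromise arguments above (forward secrecy, post-compromise security) carried out in code. This is an added example, not Signal's implementation: the chain KDF follows the Double Ratchet spec (HMAC with constants 0x01/0x02), KDF_RK is a two-step HMAC stand-in for HKDF, and finite-field DH over the RFC 3526 group-14 prime stands in for X25519 (the constant is transcribed here; verify it against the RFC before reusing it). The X3DH output, the device snapshot and the message count are constructed for the demonstration.

```python
"""Added example, not Signal's code: a minimal Double Ratchet walk-through that
checks forward secrecy and post-compromise security against a device snapshot.
Stdlib only. KDF_CK follows the Double Ratchet spec; KDF_RK is an HMAC stand-in
for HKDF; DH over the RFC 3526 group-14 prime stands in for X25519."""
import hashlib
import hmac
import secrets

# 2048-bit MODP prime from RFC 3526 (group 14), generator 2. Transcribed, not
# computed: check against the RFC before reuse.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    """Fresh ratchet key pair: (private exponent, public value)."""
    priv = secrets.randbits(256)
    return priv, pow(G, priv, P)


def dh(priv, peer_pub):
    """Shared DH output as fixed-width bytes."""
    return pow(peer_pub, priv, P).to_bytes(256, "big")


def kdf_rk(rk, dh_out):
    """KDF_RK: (root key, DH output) -> (new root key, new chain key)."""
    prk = hmac.new(rk, dh_out, hashlib.sha256).digest()
    new_rk = hmac.new(prk, b"rk", hashlib.sha256).digest()
    new_ck = hmac.new(prk, b"ck", hashlib.sha256).digest()
    return new_rk, new_ck


def kdf_ck(ck):
    """KDF_CK as in the spec: returns (next chain key, message key).
    Both are one-way outputs of ck, so neither reveals ck or the other."""
    mk = hmac.new(ck, b"\x01", hashlib.sha256).digest()
    next_ck = hmac.new(ck, b"\x02", hashlib.sha256).digest()
    return next_ck, mk


def run_scenario():
    """Alice sends three messages; Eve images her device after message 2;
    then Bob and Alice each take one DH ratchet step. Returns what Eve could do."""
    rk = secrets.token_bytes(32)          # X3DH output, constructed at random here
    b0_priv, b0_pub = dh_keypair()        # Bob's initial ratchet key (from his prekey bundle)

    # Alice's first DH ratchet step: new root key and a fresh sending chain.
    a1_priv, a1_pub = dh_keypair()
    rk1, ck = kdf_rk(rk, dh(a1_priv, b0_pub))

    truth = {}                            # Bob's view of the message keys, kept only for checking
    eve = None
    for i in (1, 2, 3):
        ck, mk = kdf_ck(ck)               # symmetric ratchet step
        truth[i] = mk
        del mk                            # message key erased as soon as message i is encrypted
        if i == 2:                        # Eve images Alice's device right here
            eve = {"rk": rk1, "ck": ck, "a_priv": a1_priv}

    # Forward secrecy: walking the stolen chain key forward yields K_3, K_4, ...
    # but never K_1 or K_2, which were deleted and cannot be recomputed.
    reachable, eve_ck = set(), eve["ck"]
    for _ in range(3):
        eve_ck, mk = kdf_ck(eve_ck)
        reachable.add(mk)
    past_safe = truth[1] not in reachable and truth[2] not in reachable
    next_in_chain_leaked = truth[3] in reachable

    # Bob's DH ratchet step: b1_pub travels in the header, and Eve still holds
    # a1_priv, so she computes DH(a1, b1) and follows the new root key. Not healed.
    b1_priv, b1_pub = dh_keypair()
    rk2, _ = kdf_rk(rk1, dh(b1_priv, a1_pub))
    eve_rk2, _ = kdf_rk(eve["rk"], dh(eve["a_priv"], b1_pub))
    healed_after_bob = eve_rk2 != rk2

    # Alice's DH ratchet step with a fresh a2: DH(a2, b1) needs a2_priv or b1_priv.
    # Eve never held either; her best attempt reuses the stale a1_priv and misses.
    a2_priv, a2_pub = dh_keypair()
    rk3, _ = kdf_rk(rk2, dh(a2_priv, b1_pub))
    eve_rk3_attempt, _ = kdf_rk(eve_rk2, dh(eve["a_priv"], b1_pub))
    healed_after_alice = eve_rk3_attempt != rk3 and dh(b1_priv, a2_pub) == dh(a2_priv, b1_pub)

    return {"past_safe": past_safe,
            "next_in_chain_leaked": next_in_chain_leaked,
            "healed_after_bob": healed_after_bob,
            "healed_after_alice": healed_after_alice}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point a reader should take from the four flags: the snapshot gives Eve nothing about messages already sent, gives her the rest of the current chain, survives Bob's ratchet step because she holds Alice's old private key, and is dead once Alice contributes a key she never saw.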
5. Deniability
Property: Bob can deny having sent a message; Alice can't prove his authorship to a third party.
How:
- Only the signed prekey carries a signature (SPK signed by IK_B), and it proves only that Bob published a prekey, not that he sent any particular message
- One-time prekeys are not signed at all
- No signature on the message itself
- The per-message MAC key is derived by both sides from the same message key, so Alice could have produced any tag "from Bob"; a transcript plus the keys looks the same either way
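The deniability argument, as an added example (not Signal's code): both parties hold the same MAC key, so a fabricated record verifies exactly like a genuine one and a third party handed the key and the transcript cannot single out Bob's. The key, header and ciphertexts are constructed placeholders.

```python
"""Added example, not Signal's code: why a MAC-authenticated transcript is deniable.
Both parties derive the same MAC key from the message key, so a tag proves the
record came from someone holding the key, not which of the two it was."""
import hashlib
import hmac
import secrets


def mac_tag(mac_key, header, ciphertext):
    """Tag over header || ciphertext, the shape of the Double Ratchet's per-message MAC."""
    return hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()


def verify_tag(mac_key, header, ciphertext, tag):
    return hmac.compare_digest(mac_tag(mac_key, header, ciphertext), tag)


def judge(mac_key, transcript):
    """A third party given the shared key and (header, ciphertext, tag) records.
    Returns every record that verifies; it has no way to pick out Bob's."""
    return [rec for rec in transcript if verify_tag(mac_key, *rec)]


def deniability_demo():
    mac_key = secrets.token_bytes(32)           # derived from K_i by BOTH sides; random here
    header = b"n=7"                             # constructed header
    bob_ct = b"\x91\x1c\x7f\xd2"                # constructed ciphertext Bob really sent
    genuine = (header, bob_ct, mac_tag(mac_key, header, bob_ct))

    # Alice fabricates a record Bob never sent, using the key she legitimately holds.
    forged_ct = b"\x00\xaa\x55\xff"
    forged = (header, forged_ct, mac_tag(mac_key, header, forged_ct))

    verified = judge(mac_key, [genuine, forged])
    # A signature under Bob's private key would bind him; that is why the
    # Signal message itself carries none.
    return {"genuine_verifies": genuine in verified,
            "forged_verifies": forged in verified,
            "judge_can_distinguish": len(verified) == 1}


if __name__ == "__main__":
    print(deniability_demo())
```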
✅ Quick Check
How is authentication achieved?
Signature verification:
Alice downloads Bob's prekey bundle. Bob signed SPK with IK_B → SIG_B. Alice verifies SIG_B with IK_B.
If SIG_B invalid → Eve replaced keys → Reject X3DH.
How is forward secrecy proven?
Key deletion:
Compromise at message i: Eve has the current chain key and RK. Messages 1..i-1: K_1..K_(i-1) deleted.
Can Eve recover them? No, the chain KDF is one-way, so the current chain key says nothing about earlier ones.
📋 Summary
✅ Confidentiality: Eve can't read messages
✅ Authentication: Eve can't impersonate
✅ Forward secrecy: Past messages safe
✅ Post-compromise: Future messages recover once the DH ratchet turns
✅ Deniability: Bob can deny sending; Alice can't prove it to a third party