🗝️ Four Types of Keys
Understanding X3DH Key Types
In 15 minutes: Learn about identity, signed pre-key, one-time pre-key, and ephemeral keys
Prerequisite: What is X3DH
🎯 The Simple Story
X3DH uses four different types of keys, each with a different purpose:
- Identity Key (IK) - Never changes, identifies you
- Signed Pre-key (SPK) - Changes periodically (weekly)
- One-Time Pre-key (OPK) - Used once then deleted
- Ephemeral Key (EK) - Per-message, deleted after
Each key provides a different security property!
🧠 Mental Model
Hold this picture in your head:
Four Types of Keys in X3DH:
┌──────────────────────────────────────────┐
│ IDENTITY KEY (IK) │
│ 🔒 Never changes │
│ 🆔 Identifies you │
│ ⏳ Lifetime: Forever │
│ 🔑 Public: Uploaded always │
│ 🔒 Private: On device │
└──────────────────────────────────────────┘
┌──────────────────────────────────────────┐
│ SIGNED PRE-KEY (SPK) │
│ 🔄 Changes weekly │
│ ✍️ Signed by identity key │
│ ⏳ Lifetime: 1 week │
│ 🔑 Public: Uploaded always │
│ 🔒 Private: On device │
└──────────────────────────────────────────┘
┌──────────────────────────────────────────┐
│ ONE-TIME PRE-KEY (OPK) │
│ 📦 Used once then deleted │
│ 🔐 Deniability │
│ ⏳ Lifetime: 1 use │
│ 🔑 Public: Uploaded if available │
│ 🔒 Private: On device (deleted) │
└──────────────────────────────────────────┘
┌──────────────────────────────────────────┐
│ EPHEMERAL KEY (EK) │
│ ⚡ Temporary message key │
│ 🎯 Per message │
│ ⏳ Lifetime: 1 handshake only │
│ 🔑 Public: Sent in message │
│ 🔒 Private: Deleted after handshake │
└──────────────────────────────────────────┘
📊 See It Happen
Let's watch how Bob uploads his keys and Alice uses them:
🎭 The Story: Each Key's Purpose
Identity Key (IK)
Bob created his identity key when he first got Signal. He uses this key as his "true identity."
- Purpose: Verifies "this is really Bob"
- Lifetime: Forever (or very long term)
- Security: Loss of IK_B lets Eve impersonate Bob
Signed Pre-key (SPK)
Bob creates a new signed pre-key every week. He signs it with his identity key。
- Purpose: Adds forward secrecy if IK_B is compromised
- Lifetime: 1 week (then replace)
- Security: Compromise of SPK_B risks only messages from that week
One-Time Pre-key (OPK)
Bob keeps 100 one-time pre-keys on his server. When Alice messages him, she uses one:
- Purpose: Deniability + extra security for DH4
- Lifetime: 1 use (then deleted)
- Security: Even if Eve compromises SPK and IK, previous messages safe (OPK deleted)
Ephemeral Key (EK)
Alice creates ephemeral key just for this one X3DH handshake:
- Purpose: Forward secrecy (can't compute S without EK)
- Lifetime: 1 X3DH handshake only
- Security: Deleted after handshake, can't recompute S
🔑 Key Comparison Table
| Key Type | Purpose | Lifetime | Public? | When Rotated | Risk if Compromised |
|---|---|---|---|---|---|
| Identity Key (IK) | Your true identity | Forever | Yes (always on server) | Rare (years) | High - Eve can impersonate you |
| Signed Pre-key (SPK) | Forward secrecy + verification | 1 week | Yes (always on server) | Weekly | Medium - Messages from that week |
| One-Time Pre-key (OPK) | Deniability + extra security | 1 use | Yes (if available) | Per message | Low - Already used and deleted |
| Ephemeral Key (EK) | Handshake only | 1 handshake | Sent in message | Per handshake | Low - Deleted, can't recompute S |
Visual Lifetimes
Identity Key (IK_B): ████████████████████████████████ (Forever)
Signed Pre-key (SPK_B): ████ Week 1 ████ Week 2 ████ Week 3 ████ (Rotates weekly)
One-Time Pre-key (OPK_B): ▓ Use 1 ▓ Use 2 ▓ Use 3 ▓ (Used once then deleted)
Ephemeral Key (EK_A): ║ Use for handshake ║ (Per handshake, deleted)
🎭 The Story: Compromise Scenarios
Scenario 1: Eve steals Bob's identity key (IK_B)
What's at risk:
- Eve can impersonate Bob to future Alices
- But: Past messages already used one-time pre-keys that are deleted
- Result: Future messages at risk, past messages safe
Why: OPKs are deleted after use, even with IK_B and SPK_B, Eve can't compute DH4 for past messages.
Scenario 2: Eve steals Bob's signed pre-key (SPK_B)
What's at risk:
- Messages encrypted with SPK_B (from that week)
- But: No identity key - Eve can't claim to be Bob
- Result: That week's messages at risk, other weeks safe
Why: SPK_B rotates weekly. Only messages from that specific week use SPK_B.
Scenario 3: Eve steals Bob's one-time pre-key (OPK_B)
What's at risk:
- Pretty much nothing!
- OPK_B was already used and deleted
- Result: No risk (already deleted)
Why: OPK_B used once then deleted immediately. Can't recompute DH4 since OPK_B private key is gone.
Scenario 4: Eve steals Alice's ephemeral key (EK_A)
What's at risk:
- Nothing!
- Ephemeral key created after Bob uploaded keys
- Result: Can't compute S (Bob's OPK_B already deleted if Eve tries)
Why: Alice created EK_A when she wanted to message Bob, long after Bob uploaded OPK_B. Eve can't go back in time to precompute EK_A × OPK_B.
🎮 Try It Yourself
Question 1: Why keep 100 one-time pre-keys on the server?
Show Answer
Because multiple people might message Bob while he's offline, and each needs a unique OPK!
- Alice uses OPK_B[0] -> deleted
- Charlie uses OPK_B[1] -> deleted
- Dave uses OPK_B[2] -> deleted
- ...
If Bob only has 1 OPK:
- First person uses it
- Second person gets: "No OPK available!"
- Second person can't do X3DH! (only 3 DH ops)
100 OPKs = 100 people can message Bob while he's offline.
Answer: Allow multiple concurrent messages while Bob is offline
Question 2: Why rotate SPK weekly instead of keeping it forever like IK?
Show Answer
Forward security!
If SPK_B is compromised:
- Only messages encrypted with SPK_B from that week at risk
- Other weeks have different SPK_B values
If SPK_B never changed:
- Years of messages use same SPK_B
- Compromise = all messages at risk
Weekly rotation limits damage if SPK_B is leaked.
Answer: Limits damage if SPK is compromised (only that week affected)
Question 3: Why does Alice generate ephemeral key (EK_A) per message and not reuse it?
Show Answer
Forward secrecy!
If Alice reuses EK_A for multiple messages:
- Eve who sees one message gets EK_A
- Eve can compute: EK_A × Bob's keys for other messages
- Compromise = other messages at risk
If Alice generates new EK_A per X3DH:
- Message 1 uses EK_A[0]
- Message 2 uses EK_A[1]
- Eve getting EK_A[0] can't compute EK_A[0] × OPK_B[1] (wrong OPK_B already deleted)
Answer: Limits damage, provides per-message forward secrecy
💡 Why We Care
The Security Puzzle
X3DH's security comes from combining these four key types:
- IK: Long-term identity verification
- SPK: Periodic forward security
- OPK: Non-repudiation, limited damage
- EK: Per-handshake forward secrecy
If one key is compromised:
- IK: Future messages at risk, past safe
- SPK: That week's messages at risk, other weeks safe
- OPK: Already deleted, no risk
- EK: Already deleted, no risk
Combined: All 4 must be compromised to compute shared secret S. Very unlikely!
Real-World Impact
| Attack | Keys Compromised | Damage |
|---|---|---|
| Phone stolen (Bob) | IK, SPK, OPK, EK (all) | ALL messages at risk |
| Server hacked (Bob's public keys) | IK_pub, SPK_pub, OPK_pub | None (can't compute S without private) |
| Old messages stolen | OPK already deleted | None (can't recompute DH4) |
| New messages intercepted | EK deleted after use | None (can't recompute DH2/DH3/DH4) |
✅ Quick Check
Can you explain each key type?
Simple explanation:
Identity key: Your permanent ID (never changes)
Signed pre-key: Changes weekly, adds security
One-time key: Used once then deleted (like a disposable camera)
Ephemeral key: Per handshake, deleted after (like a special stamp for one letter)
Combined: Four layers of security!
Why four types?
Each provides different security:
IK: Who are you? SPK: Are you still the same person? OPK: Can you deny you sent this? EK: Is this a new handshake or old?
All four: Maximum forward secrecy!
📋 Key Takeaways
✅ Identity Key (IK) = Permanent identification key
✅ Signed Pre-key (SPK) = Rotates weekly, adds forward security
✅ One-Time Pre-key (OPK) = Used once then deleted, provides deniability
✅ Ephemeral Key (EK) = Per-handshake key, deleted after use
✅ Each provides: Different security property
✅ Combined: If one compromised, limited damage
✅ Risk hierarchy: IK (high damage) > SPK (medium) > OPK/EK (low)
✅ Purpose: Limit compromise impact, maximize forward secrecy
🎉 What You'll Learn Next
Now you understand the four key types! Next, we'll see the complete X3DH handshake flow.
🔗 Continue: Initial Secret Setup
We'll trace a complete X3DH handshake from Alice to Bob, with diagrams and step-by-step flow!
Four key types explained! Next: The complete X3DH handshake flow.