[messaging] Forward secrecy and multiple devices

Moxie Marlinspike moxie at thoughtcrime.org
Fri Oct 31 08:50:54 PDT 2014

On 10/31/2014 08:00 AM, Ximin Luo wrote:
> But if you want a scheme where any device that you might want to
> connect to your account (in the future) can decrypt old history, then
> I don't think you can get true forward secrecy, since this would
> likely involve storing the history somewhere with a key that doesn't
> get destroyed. There's no impossibility result that I know of, but no
> "breakthrough" yet either..

The way we handle multi-device for TextSecure is this:

1) You have an existing device 'A'.

2) You 'provision' an additional device 'B' using an authorization
process that involves scanning a QR code.  This securely communicates
the identity key to the new device using a PFS scheme.

3) The server now knows there are two physical devices registered for
the same logical user.  Each device has its own set of prekeys, but the
same identity key.

4) Device 'A' can use a regular axolotl session to transmit existing
message history to device 'B'.

5) The server enforces that new incoming messages are encrypted to both
devices.  Both devices essentially have their own axolotl session with
the sender.

6) Each device sends the other device a copy of outgoing messages using
a regular axolotl session.

This way all new incoming messages are naturally synchronized across
devices, since each device will get their own copy.  Outgoing messages
are visible across all devices.  And existing message history can be
synchronized across all devices during the provisioning process.

Everything sits on top of axolotl under the hood, so everything is
transmitted with the properties that axolotl gets you.

- moxie


More information about the Messaging mailing list