End-To-End Encryption with the Signal Protocol

July 5, 2021

Signal is a new protocol and mobile communications app that is fully private and encrypted, unlike counterparts such as WhatsApp and Facebook. This is a big deal in information security and data privacy, especially at this moment in 2021, and many tech titans such as Elon Musk and Jack Dorsey are advocating for Signal and for people to use more private protocols like it. This is not only because they are for freedom of speech and against cancel culture and deplatforming, but also because these types of apps represent a threat to the current Big Tech companies and the business models that fuel surveillance capitalism.

Google announced a change that could soon make its 2 billion Android users worldwide far harder to surveil: The tech giant says it’s rolling out a beta version of its Android messaging app that will now use end-to-end encryption by default. That level of encryption, while limited to one-on-one conversations, is designed to prevent anyone else from eavesdropping—not phone carriers, not intelligence agencies, not a hacker who has taken over the local Wi-Fi router, not even Google itself will have the keys to decrypt and read those billions of messages.

The news isn’t just a win for global privacy. It’s also a win for one particular encryption system: the Signal protocol, which is well on its way to accounting for a majority of the world’s real-time text conversations. As this protocol becomes the de facto standard for encrypted messaging in most major services, it’s worth understanding what sets it apart from other forms of end-to-end encrypted messaging.

You might already know Signal thanks to the popular end-to-end encrypted text messaging app by the same name, created by cypherpunk Moxie Marlinspike and in recent years hosted by the nonprofit Signal Foundation. Signal, the app, has an unparalleled reputation for security and privacy, with high-profile endorsements from NSA whistleblower Edward Snowden and WhatsApp founder Brian Acton, who left WhatsApp in 2018 to serve as the Signal Foundation’s executive director.

But the underlying crypto system that Marlinspike designed and on which Signal is built, known as the Signal protocol, has spread far beyond its eponymous app. WhatsApp first adopted the Signal protocol in 2014 to end-to-end encrypt all messages between Android phones.

followed by adding it as an opt-in “Secret Conversations” feature in Facebook Messenger a few months later. Google’s decision to integrate the Signal protocol into Android’s messaging app by default represents the biggest new collection of phones to adopt the standard in years, with hundreds of millions more devices.

So why have the tech giants of the world all chosen Signal as their go-to crypto protocol? Its standout feature, says Johns Hopkins computer science professor and cryptographer Matthew Green, is how it implements what’s known as “perfect forward secrecy.” With most encryption systems, when an app is installed on a phone, it creates a permanent key pair that is used to encrypt and decrypt messages: one “public” key that is sent to the messaging server and will be used to identify the user, and one “private” key that never leaves the user’s phone. If that private key is somehow compromised, however, like if someone hacks or seizes your phone, that potentially leaves all your messages vulnerable to decryption. Even if you’ve deleted messages from your phone, the key can decrypt any encrypted messages that eavesdroppers have managed to record when they originally traveled across the network.

The Signal protocol, however, uses a so-called “ratchet” system that changes the key after every message. It does this by generating a collection of temporary key pairs for each user, in addition to the permanent keys. When someone sends a message to a contact over an app using the Signal protocol, the app combines the temporary and permanent pairs of public and private keys for both users to create a shared secret key that’s used to encrypt and decrypt that message. Since generating this secret key requires access to the users’ private keys, it exists only on their two devices. And the Signal protocol’s system of temporary keys—which it constantly replenishes for each user—allows it to generate a new shared key after every message.
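
The shared-secret derivation and per-message key change described above, as an added Node.js example that is not part of the original post or of Signal's own code. It is a simplified model rather than the full X3DH and Double Ratchet: `newUser`, `publicKeys`, `sharedChainKey`, `ratchet`, `seal` and `open` are hypothetical names, and each user holds a single temporary key pair instead of a replenished pool.

```javascript
// Added illustration (not Signal's own code): simplified handshake + hash ratchet.
const nodeCrypto = require("node:crypto");

// Each user holds a permanent (identity) and a temporary (ephemeral) X25519 pair.
const newUser = () => ({
  identity: nodeCrypto.generateKeyPairSync("x25519"),
  ephemeral: nodeCrypto.generateKeyPairSync("x25519"),
});
const publicKeys = (u) => ({
  identity: u.identity.publicKey,
  ephemeral: u.ephemeral.publicKey,
});
const dh = (privateKey, publicKey) =>
  nodeCrypto.diffieHellman({ privateKey, publicKey });

// Mix both users' permanent and temporary keys into one shared chain key.
// `initiator` fixes the concatenation order so both sides hash identical input.
function sharedChainKey(me, peer, initiator) {
  const a = dh(me.identity.privateKey, peer.ephemeral);
  const b = dh(me.ephemeral.privateKey, peer.identity);
  const c = dh(me.ephemeral.privateKey, peer.ephemeral);
  const ikm = Buffer.concat(initiator ? [a, b, c] : [b, a, c]);
  const okm = nodeCrypto.hkdfSync("sha256", ikm, Buffer.alloc(32), "demo-chain", 32);
  return { chainKey: Buffer.from(okm) };
}

const hmac = (key, label) =>
  nodeCrypto.createHmac("sha256", key).update(Buffer.from([label])).digest();

// One ratchet step: derive this message's key, then overwrite the chain key.
// HMAC is one-way, so the new state cannot be run backwards to earlier keys.
function ratchet(state) {
  const messageKey = hmac(state.chainKey, 0x01);
  state.chainKey = hmac(state.chainKey, 0x02);
  return messageKey;
}

function seal(state, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", ratchet(state), iv);
  const body = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}

function open(state, msg) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", ratchet(state), msg.iv);
  d.setAuthTag(msg.tag);
  return Buffer.concat([d.update(msg.body), d.final()]).toString("utf8");
}
```

Each side calls `sharedChainKey(me, publicKeys(peer), initiator)` once and then passes `seal` output to `open` in order. A state that has already ratcheted past a message fails the GCM tag check when asked to open it, which is the forward-secrecy property the article describes.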

Wrapping it up

So that’s it! There are plenty of details left out here, but this should hopefully offer a decent high-level overview of the kind of flow and processes you can expect to see in a typical Signal Protocol offering. To get started with Signal you can play with their APIs available here – they have support for C, JavaScript and Java currently.

For further interest regarding implementation of the protocol, I’ve created a simple browser-based demonstration using the JavaScript Signal APIs which you can find on GitHub. The demo creates two “users” and runs through the steps outlined in this post to exchange some messages between them. Enjoy!
