Opened 22 months ago

Last modified 7 months ago

#17457 new enhancement

Implement OMEMO

Reported by: arlolra Owned by:
Priority: Medium Milestone:
Component: Applications/Tor Messenger Version:
Severity: Normal Keywords:
Cc: sukhbir, boklm, poly@…, platypus@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Child Tickets

Change History (10)

comment:1 Changed 22 months ago by sukhbir

Cc: sukhbir added

comment:2 Changed 22 months ago by boklm

Cc: boklm added

comment:3 Changed 22 months ago by poly

Cc: poly@… added

comment:4 Changed 18 months ago by vegansalad

Let's bring the Axolotl ratchet encryption protocal that is used in Signal to Tor Messenger! https://github.com/trevp/axolotl/wiki

The desktop Gajim XMPP client already has an experimental OMEMO plugin here: https://github.com/kalkin/gajim-omemo

Pidgin is working on it here: https://developer.pidgin.im/ticket/16537

Jitsi has a ticket for OMEMO here: https://github.com/jitsi/jitsi/issues/199

Chatsecure has a blog about implimenting OMEMO here: https://chatsecure.org/blog/chatsecure-conversations-zom/

Chris from ChatSecure had this to say here: https://www.bountysource.com/issues/26695270-implement-omemo-axolotl

"This work is semi-permanently on hold because of the license conflict. Moxie said that the public specification for Axolotl is incomplete, so it will be impossible for us to produce an alternative implementation that isn't a derivative work of one of the GPL libraries.

Open Whisper Systems owns the full copyright on AxolotlKit so they can relicense it for distribution on the App Store for their own apps. They are currently licensing libaxolotl-java to WhatsApp for the Android version, but for whatever reason haven't yet done the same for WhatsApp iOS and AxolotlKit. I've been told there are no near-term plans to license AxolotlKit to other apps.

However, there may be a light at the end of the tunnel: https://github.com/SilentCircle/libsalamander

It appears that the Silent Circle team has implemented their own version of Axolotl using only the public specification and (presumably) avoided any reverse engineering of the GPL code. It is licensed Apache 2.0 so it could be used without issue on the App Store. I'm not sure if the key exchange is compatible with libaxolotl-java, among other things, so there is a chance it may not be compatible with Conversations current implementation of OMEMO."

I don't know how best to represent this on TRAC, but this bug has also been filed upstream at InstantBird. You can find the issue here: https://bugzilla.mozilla.org/show_bug.cgi?id=1237416 If anyone has an account at bugzilla, it might be worth it to somehow keep both tickets updated as the other one gets updated.

From what I understand, Tor Messenger would need to impliment these two ProtoXEPs to get OMEMO to work. Should I make a child ticket to add support for them? Are there other XEPs that need to be added? Do other people have other subtasks that they know would need to get done to make this transition?

https://conversations.im/xeps/omemo-filetransfer.html

XEP-xxxx: OMEMO Encrypted Jingle File Transfer
Abstract: This specification defines a Jingle application for transfering encrypted files from one entity to another. The protocol is based on the regular Jingle File Transfer specification and diverges from that only in the description of the file.

https://conversations.im/xeps/multi-end.html

XEP-xxxx: OMEMO Encryption
Abstract: This specification defines a protocol for end-to-end encryption in one-on-one chats that may have multiple clients per account.
Author: Andreas Straub

Last edited 18 months ago by vegansalad (previous) (diff)

comment:5 Changed 18 months ago by cypherpunks

Since Tor Messenger doesn't need to submit to Apple's licensing war against GPL, the only 2 bits of signal to extract from your lengthy quote are:

Last edited 18 months ago by cypherpunks (previous) (diff)

comment:6 Changed 16 months ago by vegansalad

The main devs for Chatsecure, Conversations, and Monal are discussing creating a modifying version of OMEMO based on the OLM protocol (which is pretty similar to what the axolotl protocol v2 looked like.). https://github.com/anurodhp/Monal/issues/9

They want to build a tweaked version of something like OMEMO that would be incompatible with existing OMEMO clients, but that would be able to communicate with XMPP clients in the iOS app store like ChatSecure.

If Tor Messenger is going to impliment an encryption protocol like OMEMO, it might be worth it to use the fork that these people are building instead of OMEMO itself so that Tor Messenger users can communicate with iOS users using a Signal based encryption standard. Also, OMEMO was created by the Conversations App person, so it he is transitioning to something else, it might be good to use that instead of OMEMO.

comment:7 Changed 16 months ago by vegansalad

Seems like they are looking to base it off of the Apache 2.0 licenced OLM ratchet implementation: ​https://matrix.org/git/olm/https://github.com/chrisballinger/OLMKit/tree/olmkit/xcode

comment:9 Changed 15 months ago by platypus

Cc: platypus@… added

comment:10 Changed 7 months ago by vegansalad

OMEMO is now based on the OLM Protocol instead of the Signal Protocol (formerly named the Axolotl Protocol).

It now has an official XEP: https://xmpp.org/extensions/xep-0384.html

Both OMEMO and OLM have been audited by third parties:
https://conversations.im/omemo/audit.pdf
https://www.nccgroup.trust/us/our-research/matrix-olm-cryptographic-review/

Some of this content is outdated, but a lot of documentation was written a few months ago about OMEMO here: https://we.riseup.net/riseup/xmpp

OMEMO is being ported to Profanity.im as well https://github.com/boothj5/profanity/issues/658

Usability for the only desktop client that supports OMEMO currently, Gajim, is not perfect. https://current.workingdirectory.net/posts/2017/encrypted-mucs/

It'd be great to see Tor Messenger work with InstantBird in order to support OMEMO.

What are some blockers that prevent this from happening?

Note: See TracTickets for help on using tickets.