Goal: Understand the encryption protocol and carry it over into the future Waku chat protocol.

SECURE-TRANSPORT spec: https://specs.status.im/spec/5

Double Ratchet repo: https://github.com/status-im/doubleratchet/?tab=readme-ov-file

Terms

Installation: provides support for multiple devices; the Installation struct holds the information for one such device.

// Installation describes one device (installation) that belongs to an
// identity. Multi-device support keeps one such record per device, and every
// field is serialised to JSON under the key given in its tag.
type Installation struct {
	// Identity is the string identity of the owner
	// NOTE(review): presumably derived from the owner's public key; the exact
	// encoding is not visible in this excerpt.
	Identity string `json:"identity"`
	// The installation-id of the device
	ID string `json:"id"`
	// The last known protocol version of the device
	Version uint32 `json:"version"`
	// Enabled is whether the installation is enabled
	// NOTE(review): presumably only enabled installations are selected as
	// encryption targets; confirm where this flag is read, since it decides
	// which devices receive key material.
	Enabled bool `json:"enabled"`
	// Timestamp is the last time we saw this device
	// (unit and clock source are not shown here; verify before comparing values).
	Timestamp int64 `json:"timestamp"`
	// InstallationMetadata is optional extra data about the device, serialised
	// under "metadata". It is a pointer, so readers must handle nil; the type
	// is declared elsewhere.
	InstallationMetadata *InstallationMetadata `json:"metadata"`
}

// GetActiveInstallations looks up the active installations recorded for the
// given identity key.
//
// The key is converted to its compressed form with crypto.CompressPubkey and
// passed to the persistence layer together with s.config.MaxInstallations;
// the slice and error from that call are returned unchanged. What counts as
// "active", and how the limit is applied, is decided by the persistence layer,
// which is not shown here.
//
// NOTE(review): identity is not checked for nil before it is compressed.
// Confirm that every caller passes a validated key.
func (s *Multidevice) GetActiveInstallations(identity *ecdsa.PublicKey) ([]*Installation, error) {
	compressed := crypto.CompressPubkey(identity)
	limit := s.config.MaxInstallations
	return s.persistence.GetActiveInstallations(limit, compressed)
}

Bundle: X3DH prekey bundle

// Bundle is the X3DH prekey bundle message. The protoimpl fields and the
// protobuf struct tags indicate generated protobuf code, so field numbers and
// tags are part of the wire format and should only change through the .proto
// definition. Field number 3 does not appear in the struct as shown here.
type Bundle struct {
	// Internal protobuf runtime bookkeeping; not part of the message content.
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// Identity key
	// (raw bytes; the encoding, e.g. compressed or uncompressed, is not shown
	// in this excerpt)
	Identity []byte `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"`
	// Installation id
	// NOTE(review): the field is a map of signed prekeys with string keys;
	// going by the comment above, the key is presumably the installation id,
	// giving one signed prekey per device. Confirm against the .proto file.
	SignedPreKeys map[string]*SignedPreKey `protobuf:"bytes,2,rep,name=signed_pre_keys,json=signedPreKeys,proto3" json:"signed_pre_keys,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
	// Prekey signature
	// NOTE(review): what exactly is signed, and by which key, is not visible
	// here. A receiver should verify this signature against Identity before
	// using any entry of SignedPreKeys; confirm that the verification path
	// does so.
	Signature []byte `protobuf:"bytes,4,opt,name=signature,proto3" json:"signature,omitempty"`
	// When the bundle was created locally
	// NOTE(review): the value is set by the sender; whether it is covered by
	// Signature is not shown here. Check that before using it for freshness
	// decisions.
	Timestamp int64 `protobuf:"varint,5,opt,name=timestamp,proto3" json:"timestamp,omitempty"`
}

The bundle is broadcast to the contact code topic.

// ContactCodeTopic returns the name of the contact code topic for publicKey:
// "0x", followed by PublicKeyToStr(publicKey), followed by "-contact-code".
//
// The topic depends only on the public key, so it is not a secret: anyone who
// knows the key can compute the same topic name. Whatever is published on it
// therefore has to be authenticated by the payload itself.
// NOTE(review): presumably that is the role of the Bundle signature; confirm
// on the receiving side.
func ContactCodeTopic(publicKey *ecdsa.PublicKey) string {
	const (
		prefix = "0x"
		suffix = "-contact-code"
	)
	keyStr := PublicKeyToStr(publicKey)
	return prefix + keyStr + suffix
}

The following code shows the logic:

Main Logic

1 to 1 Message

A Status 1:1 message is sent through MVDS using the function sendDataSync; it calls BuildEncryptedMessage to encrypt the payload.