Just in time for the upcoming tenth anniversary, Threema introduces “Ibex,” a new cryptographic communication protocol that further solidifies Threema’s time-tested security and future-proofs the overall system. On top of that, the overhauled protocol suite receives additional key components that lay the groundwork for forthcoming features.
A pioneer in mobile instant messaging, Threema made consistent end-to-end encryption available to the public for the first time in a straightforward and platform-independent manner back in 2012. Since the first app version was developed more than ten years ago, the technological framework has evolved significantly, and, as a result, the functional demands placed on instant messengers have increased considerably. In order to be future-proof and to strengthen Threema’s tight security further, we have started to overhaul existing components and add new ones to our protocol suite 18 months ago. In particular, we have teamed up with external cryptographers to design a new communication protocol – called “Ibex” – that constitutes the core of the protocol suite.
In addition to the new Ibex protocol, which introduces Perfect Forward Secrecy to the end-to-end layer, the extended protocol suite also includes specifications for end-to-end encrypted group calls and a protocol for the upcoming multi-device functionality (which we will cover in more detail at a later time).
End-to-End Encrypted Group Calls
On the protocol level, the architecture of group calls differs fundamentally from the architecture of one-to-one calls, even though both call types are based on the same technology (i.e., WebRTC). While one-to-one calls establish a peer-to-peer connection between the call participants whenever possible, group calls require a so-called “Selective Forwarding Unit” (SFU) to selectively forward audio/video data streams to the call participants. This SFU has no knowledge of the call participants’ identities / Threema IDs, and all data streams it transmits are end-to-end encrypted.
When a group call starts, all participants receive the call’s random Group Call Key, which allows them to authenticate the other participants. Furthermore, each participant pair exchanges ephemeral keys (by means of ECDH), which, in turn, are used to distribute short-term symmetric media keys to all participants.
As soon as a participant leaves the group call, new media keys will be distributed. And when a new participant enters the call, a “ratchet mechanism” is used to generate new keys and prevent that the new participant can use their key to decrypt media data that might have been intercepted before they entered the call. In other words, Perfect Forward Secrecy is ensured on the end-to-end layer in group calls.
Perfect Forward Secrecy
On the transport layer, Threema has always supported Perfect Forward Secrecy (PFS). And just as is the case with group calls (see above), PFS has always been enforced on the end-to-end layer in one-to-one calls. The new Ibex protocol now also supports the exchange of ephemeral keys for chat messages on the end-to-end layer (using ECDH).
For each message, a new key is used from which it’s not possible to derive previous keys (thanks to KDF ratcheting). This is to say that even if the Threema server were compromised and an attacker could store end-to-end encrypted messages, it would still not be possible for them to decrypt any past message even if they somehow gained access to the current key of a user.
With regard to a compromised server, the cryptographic properties of PFS also guarantee that an attacker (who is unable read messages in any case due to end-to-end encryption) cannot send messages to the recipient more than once, omit individual messages, or reorder messages without it being noticed.
Threema 5.0 for Android has not only introduced end-to-end encrypted group calls, it is also the first app version to support the new Ibex protocol. In Threema for iOS, Ibex support will follow in the coming days.