1) Fix bugs that prevented decrypt() from being non-transactional
in some cases.
2) Introduce a new unified storage interface.
3) Transition simultaneous initiate from the "needs refresh"
strategy to one that uses session state resurrection and
promotion.
1) Since we're not CPU or space constrained (and are in fact
padding), and since keystream reuse would be more catastrophic
than IV reuse without chosen plaintext.
1) Change SessionBuilder to only establish sessions via
KeyExchangeMessage and PreKeyBundles.
2) Change SessionCipher to decrypt either WhisperMessage
or PreKeyWhisperMessage items, automatically building
a session for the latter.
3) Change SessionCipher to tear down new sessions built
with PreKeyWhisperMessages if the embedded WhsiperMessage
fails to decrypt.
1) Use the new /v2/keys API for storing/retrieving prekey bundles.
2) For sessions built with PreKeyBundle and PreKeyWhisperMessage,
use a v3 ratcheting session when available.
1) Add plain two-way key exchange support libaxolotl by moving
all the KeyExchangeMessage code there.
2) Move the bulk of KeyExchangeProcessor code to libaxolotl
for setting up sessions based on retrieved prekeys, received
prekeybundles, or exchanged key exchange messages.
1) Break the core cryptography functions out into libaxolotol.
2) The objective for this code is a Java library that isn't
dependent on any Android functions. However, while the
code has been separated from any Android functionality,
it is still an 'android library project' because of the
JNI.
1) Modify SessionRecord to store a list of "previous" sessions
in addition to the current active session. Previous sessions
can be used for receiving messages, but not for sending
messages.
2) When a possible "simultaneous initiate" is detected, push the
current session onto the "previous session" stack instead of
clearing it and starting over.
3) Additionally, mark the new session created on a received
possible "simultaneous initiate" as stale for sending. The
next outgoing message would trigger a full prekey refresh.
4) Work to do: outgoing messages on the SMS transport should
probably not use the existing session if it's marked stale
for sending. These messages need to fail and notify the user,
similar to how we'll handle SMS fallback to push users before
a prekey session is created.
1) On the push side, this message is a flag in PushMessageContent.
Any secure message with that flag will terminate the current
sessin.
2) On the SMS side, there is an "end session" wire type and
the convention that a message with this wire type must be
secure and contain the string "TERMINATE."
1) At registration time, a client generates a random ID and
transmits to the the server.
2) The server provides that registration ID to any client
that requests a prekey.
3) Clients include that registration ID in any
PreKeyWhisperMessage.
4) Clients include that registration ID in their sendMessage
API call to the server.
5) The server verifies that the registration ID included in
an API call is the same as the current registration ID
for the destination device. Otherwise, it notifies the
sender that their session is stale.
Moxie Marlinspike
Jake McGinty
Florian Walch
Benjamin Albrecht