Well.. When Eve dies we won't need cryptography anyway.

@@AV1461 Let's not forget Mallory .

what's scary is the fact he still has that ancient paper that was used in a mainframe printer.

Uneducated people like this mention that WhatsApp is end to end. That has a huge impact on the community.

Maybe the real Alice and Bob were the friends we made along the way

*Another set of encryption processes* Alice to Bob: "Not much. Just ate."

In my paper I am not using Alice and Bob lol. I will use Anna, Ben and Eric or something lool

And secret conversations are locked to 1 device, I believe. Can't confirm; haven't used FB in awhile.

hybby yes, only one device

There ARE people who use Facebook?

send am image hosted on a private server to a friend, using Skype, Facebook Messenger, etc. You'll notice most of them access it under the guise of providing a preview in the client.

there is no secret when dealing with facebook, never was :D

Recommended after 2 years

Nugget's News brushing up on your cryptography?

“Safe and Secure” messaging is complicated....behind the scenes.

It's complicated if your messaging app actually follows through.

I thought you'd say "I pound [that link]", but I was disappointed.

Please, do tell!

@@tabaks Oh! Did you see a gu (black hoodie, very sad look) sitting on the edge of the pier, throwing himself into the sea, while talking to an imaginary friend?

what abou attention now 2021 after whatsapp TOS update.

I only found out about it after Elon Musk tweeted. Google Play would never show this app earlier. You had to manually search for it.

u r wrong there r 12 of them now!

@Fahim Saharaiar, what can I say?!... other than I spoke too soon...

Andrei Macaria u rong the r 18 of the now!!!¡

Andrei Macaria, one of them being Mark Zuckerberg

@@Not.Your.Business How about this there are "dislike-number number of dislikes!" Ha, can't prove me wrong now!

Well that Zuccs...not!

That's generally a sign you're doing it right

This aged well

@@saneyarkhazin7671 always has been

Yes, that is correct. Whatsapp and Signal use the open source libsignal library developed by Wisper Systems, at first glance it looks to me like the documentation on how to use libsignal suggests to create a 100 pre-keys.

I've yet to see a limit on the server side regarding messages in the queue. People on FB have on average 155 friends. It's highly unlikely one hundred Signal contacts would fetch a pre-key at the same time.

I'm pretty sure those one-time keys are only used for setting up the communication. You don't need a new key for every message sent. I could be wrong, but that is my understanding from this video.

As far as I know, in my own words, you include all the public keys of your friends in the encrypted message so that it can be opened by them. As i see it, the more people your message is directed to,the more vulnerable it is.

@@user-nd7cs5wz8o absolutely!

@@user-nd7cs5wz8o The effect of small number of plain-/ciphertext pairs with identical PT on modern encryption is negligible.

Guys Frankly Telling You I have been using Signal Private messenger for almost One years , its Really working Awesome , Finally I I found my personal data privacy and security with Signal private messenger Thanks to Signal team, they made privacy easy

@@jimsstek5567 man you got paid for this? Whatsapp also uses e2e encryption confirmed by OWS, so who cares about alternatives

Yep today's moving day 😄

@@kwadwoamponsah F1ck whatsapp

In Signal there are no group keys. You send group message by multi-casting the same message to each contact, encrypted with the same key you would use to encrypt a private message to that contact. Inside the encrypted message is a field that tells the receiving device the message needs to be displayed in the group's window instead of the contact window.

Because the fourth DH key exchange is using the fourth, ephemeral public key that mixes in new entropy at every round trip that is, DH ratchet step. It's not part of the "initial" key exchange.

and multi-device on Signal itself too! It's amazing how messages can securely sync between my phone and PC

Not really. Key transmission is handled by the server.

@@durnsidh6483 Just like PGP and keyservers. People don't exchange their public keys, just the fingerprints. Which are very similar to these codes.

@@Lysergesaure1 But people don't sign each others keys, so there is no way to build a web. It's technically possible to sign other people's keys using a somewhat contrived signing algorithm that's used to sign the SPK's, but in terms of the apps functionality, no.

Ah yes, I like you, simple and effective, no need for all this Diffie-Iffy nonsense

so make it more popular?

Pretty easy thing to say, hard thing to accomplish. It was somewhat of a battle to have the majority of my family to install Signal (they still only use it to communicate with me, otherwise they use WhatsApp) convincing friends was/is nearly impossible. After the last Facebook scandal some of them installed Signal, but still only fraction.

It does not prevent it but the safety number verification will fail if someone did an active man in the middle attack on your initial handshake. For usability reasons Signal and most other end to end encrypted messengers use the trust on first use (tofu) principle. They assume that there was no active man in the middle attack on the initial handshake and even in the case of new handshake which is usually triggered for benign reasons, e.g. a new phone, they just notify you in the conversation view. For highly sensitive conversations you should always verify the safety number out of band before you trust the communications channel.

By scanning the QR code you set up a secure connection between the browser/desktop app and the content of your message is then sent to the app on your phone, from where it is sent as a normal message.

@@philips9042, you can use Signal on Desktop without having your phone turned on.

Most of the time each bundle consists of long term identity key, ~monthly changing pre-key, and one-time pre-key.

Have you figured out how to learn it yet?

Jane Weber It proves the server hasn't lied about your two identity keys, because both phones have the same value of Alice's id key and Nob's id key. But this is still inferior to PGP where you can gather friend-of-a-friend identity proofs and don't need to pre-deposit a pool of single use keys on the server. The only advantage seems to be that Bob destroys his single use decryption key after use so the key cannot be extracted from his phone later, because he knows he won't need it for some future message from Charlie.

Via sms? Lol

@@0xkslkdedcs5 They keys are just text so you could send them over sms, no?

@@MarcelRobitaille seems some Encrypted SMS apps do exists, but not very popular.

That was actually mentioned in their End to End Encrytion video: something along the lines of "end to end encrytion is secure enough that attacking the endpoints is easier/it doesn't prevent someone from taking your phone and reading your messages".

Say I install Eve's app. It generates a keypair for me and uses that to encrypt my messages to Bob. Nothing's stopping Eve from just decrpyting my messages. That's the problem with this app-based world. People aren't supplying their own keys. If the app and the servers and the key generators are all owned by the same person, your privacy is fully at the whim of Eve.

I'm a bit confused by what you're suggesting here?

because (from what I gather) there is no RSA/DSA protocols being used here, just diffie hellman which only create symetric keys.

graymalkinmendel: That was one possible answer I was thinking, even with RSA you get problems (asymmetric key encryption tends to be more computationally expensive than symmetric) but it’s really ambiguously worded and I’m not sure what they mean by mitigating the risk of leaking private keys...

@Ellaine It does bridging. If you want to look witty at least look at their website.

@@no-defun-allowed Federation is a form of distribution. Do you mean peer-to-peer?

@@pm79080 Which means the E2EE guarantees are all off: the bridge leaks plaintext data to less secure networks like IRC.

Matt Whitlock - To his credit, he did make clear it wasn't literally a hash. The analogy was apt.

The fingerprint is literally a hash of a public key, though. What's unclear (deliberately) is that there are two, sorted for consistency.

@@0LoneTech Right. It's the concatenation of two (truncated) hashes, not the hash of a concatenation.

I believe it helps to make sure the server is not a man-in-the-middle.

Unless you send the courier with an encryption key that will unlock another encryption key that was sent via unsecure chat.

The two are unrelated. Open source just means that the code is freely available, but the code doesn't include these encryption keys, it only contains the functions which generate them. It's like the difference between publicly saying "we have a secret password" (making your "code" open source) and actually saying what the password is (giving up your "encryption key")

Because of exactly this, the encryption means the messages must go via your phone, hence the name 'end-to-end'. Your phone is one end, the other persons is the other end.

@@JoshUnwin, but you can use Signal on Desktop without having your phone turned on.

For establishing a new session.

For the generation of the first root key. After the first round trip, another DH public key gets mixed in and the root chain is updated.