Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
2key-ratchet
Advanced tools
2key-ratchet is an implementation of a Double Ratchet protocol and X3DH in TypeScript utilizing WebCrypto.
2key-ratchet
is an implementation of a Double Ratchet protocol and X3DH in TypeScript utilizing WebCrypto.
The Double Ratchet protocol and X3DH were designed with goals of providing both forward secrecy and cryptographic deniability. Importantly there have been several independent security reviews that concluded they deliver on those goals.
The term “Double Ratchet” comes from how the protocol makes sure each message gets a new key: their Diffie-Hellman keys are “ratcheted” by each new message exchange; and so are the send/receive chains (the “symmetric-key ratchet”).
There are a few differences between the original specifications and 2key-ratchet
, the most significant being, as it’s name suggests, it uses two keys, one for authentication and another for key exchange. The other big one is that secp256r1 is used instead of curve25519 because browsers do not yet support this curve natively.
See the ARCHITECTURE document to better understand the library structure.
For ideas on where you might use 2key-ratchet
see the SCENARIOS document.
For licensing information, see the LICENSE file.
Each peer in the protocol has an IdentityKey
, these are secp256r1 keys. These keys are used to authenticate both PreKeys
and ExchangeKeys
. IdentityKeys
are used similarly to the public key in an X.509 certificate.
ExchangeKeys are introduced by 2key-ratchet
, they are used to derive PreKeys
. The ExchangeKey
is signed by a peers IdentityKey
.
In 2key-ratchet
a PreKey is a secp256r1 public key with an associated unique id. These PreKeys
are signed by the IdentityKey
.
On first use, clients generate a single signed PreKey, as well as a large list of unsigned PreKeys, and transmit all of them to a server.
The server in the protocol is an untrusted entity, it simply stores preKeys for retrieval when the peer may be offline and unreachable.
The Double Ratchet protocol is session-oriented. Peers establish a session
with each other, this is then used for all subsequent exchanges. These sessions can remain open and be re-used since each message is encrypted with a new and unique cryptographic key.
Name | Size | Description |
---|---|---|
2key-ratchet.js | 66 Kb | UMD module without external modules |
NOTE: You will also have to import tslib and protobufjs for use in the browser.
npm install 2key-ratchet
Include 2key-ratchet
and its dependencies in your application.
NODEJS:
let DKeyRatchet = require("2key-ratchet");
BROWSER:
<script src="2key-ratchet.js"></script>
The DKeyRatchet
namespace will always be available globally and also supports AMD loaders.
The first step is to create an IdentityKey.
let AliceID;
DKeyRatchet.Identity.create(16453);
.then((id) => {
AliceID = id;
});
You will also need to create your signed PreKeys:
DKeyRatchet.PreKey.create(1)
.then((preKey) => {
AliceID.signedPreKeys.save(preKey.id.toString(), preKey);
});
Then create your PreKey message bundle:
let bundle = new DKeyRatchet.PreKeyBundleProtocol();
bundle.identity.fill(AliceID)
.then(() => {
bundle.registrationId = AliceID.id;
const preKey = AliceID.signedPreKeys.load("1");
bundle.preKeySigned.id = 1;
bundle.preKeySigned.key = preKey.key.publicKey;
return bundle.preKeySigned.sign(AliceID.signingKey.privateKey);
})
.then(() => {
return bundle.exportProtocol();
})
.then((ab) => {
console.log(ab); // ArrayBuffer {byteLength: 348}
});
And then import the generated PreKey message bundle:
DKeyRatchet.PreKeyBundleProtocol.importProtocol(ab)
.then((bundle) => {
// check signed prekey
return bundle.preKeySigned.verify(AliceID.signingKey.public);
})
.then((trusted) => {
if (!trusted)
throw new Error("Error: The PreKey is not trusted");
})
With the previous steps complete you can now create a session:
DKeyRatchet.AsymmetricRatchet.create(BobID, bundle)
.then((cipher) => {
return cipher.encrypt(DKeyRatchet.Convert.FromUtf8String("Hello world!"));
})
.then((preKeyMessage) => {
return preKeyMessage.exportProtocol();
})
.then((ab) => {
console.log(ab); // ArrayBuffer {byteLength: 408}
});
On the other side you would do the same:
DKeyRatchet.AsymmetricRatchet.create(AliceID, preKeyMessage)
.then((cipher) => {
return cipher.decrypt(preKeyMessage.signedMessage);
})
.then((message) => {
console.log(DKeyRatchet.Convert.ToUtf8String(message)); // Hello world!
})
We have a complete example you can look at here.
If you've found an problem with 2key-ratchet, please open a new issue. Feature requests are welcome, too.
Pull requests – patches, improvements, new features – are a fantastic help. Please ask first before embarking on any significant pull request (e.g., implementing new features).
Bruce Schneier famously said "If you think cryptography can solve your problem, then you don't understand your problem and you don't understand cryptography". The point being, using 2key-ratchet, or any other "cryptography related" library, will not necessarily make your product secure.
In short, there is a lot more to making a secure product than adding cryptography, this is a great book to get you familiar with thinking defensively.
Though this library is based on the Double Ratchet Algorithm and the X3DH Key Agreement Protocol several changes have been made that could change the security properties they offer. At this time you should consider this implementation appropriate for experimentation until further security reviews are completed.
Both Double Ratchet and X3DH were designed by Trevor Perrin and Moxie Marlinspike, we thank them for their work.
FAQs
2key-ratchet is an implementation of a Double Ratchet protocol and X3DH in TypeScript utilizing WebCrypto.
The npm package 2key-ratchet receives a total of 394 weekly downloads. As such, 2key-ratchet popularity was classified as not popular.
We found that 2key-ratchet demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.