Robert A. Uhl

Multi-device end-to-end encryption & identity

I had an idea late last night about how to handle multi-device end-to-end encryption and identity.

An issue with end-to-end encryption is how to support multiple devices: I may want to read messages on my laptop, my phone, my desktop and my tablet, but I don’t want a central server to be able to read those messages. This can be handled with encryption: when someone sends me a message, he encrypts it for all of my devices. But how does he know which are my devices?

Well, one solution is for a central server to vouch for me. It doesn’t know the private keys for each device, but it does know the public keys for each device. So someone who asks it can get the bundle of all my device’s public keys, and thus send messages only my devices can read.

But what if I lose a device? How can I say, ‘don’t use the key for my phone; it’s no longer my phone’?

Well, we could say that the central server can always publish a new bundle of keys if I ask it to, out-of-band (much like an email provider can reset one’s password).

But what if the central server lies? What if it says, ‘here are Bob’s keys,’ and it includes a public key it controls? Or even worse, what if it says, ‘here is Bob’s key,’ but only sends its own, preventing me from reading messages sent to me?

Well, we could say that my friends’ message clients will always tell them when my key bundle changes. That way, they have the opportunity to tell that something changed, and to reach out to me and ask what happened. This is what Signal does.

But what if those messages get annoying and ignored? Every time a friend gets a new computer or device, all of us would get a new-key message.

Well, we could say that if a new key is signed by an old key, then message clients won’t alert their users: the old key says it’s good, so it’s good.

We could even use this to revoke a key: if I lose my phone, then my tablet, my desktop and my laptop can all agree that it was lost, and tell all my friends not to use it. And if my house burns down with all of my computers in it, at least I can contact the central server once I have a new computer and register my new computer’s new key. All my friends will get a message that I have a new key, but surely they’ll know that I had a fire, so they’ll understand & expect that.

What if I only have two devices, e.g. a computer and a phone: which can revoke the other? More generally, what happens when one half of the devices try to revoke another device? I think the only workable solution is to require a majority of devices to revoke (or to add …). One can always contact the central server and request a reset, knowing that one’s friends will see a warning.
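To make the rule in the last few paragraphs concrete (a new bundle is accepted silently only when signed by old keys, and a revocation needs a majority of the existing devices), here is an added example in Go using the standard library’s crypto/ed25519. It is not code from the original post or from Signal; the names (Bundle, Attestation, Endorse, Evaluate), the canonical encoding, and the bundle version number (which the post does not mention; it is added so that an old, legitimately endorsed bundle cannot be replayed) are my own assumptions. The friend’s client holds the last bundle it trusted and applies Evaluate to whatever the server hands it next.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"sort"
)

// Bundle is what the central server publishes for one user: a version number
// (assumed here, so an older endorsed bundle cannot be replayed) and the device keys.
type Bundle struct {
	Version uint64
	Keys    []ed25519.PublicKey
}

// Attestation is one old device's signature over a new bundle.
type Attestation struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

// Device holds one device's key pair; all keys below are generated locally for the demo.
type Device struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewDevice() Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Device{Pub: pub, Priv: priv}
}

// Pubs extracts the public halves of a list of devices.
func Pubs(devs []Device) []ed25519.PublicKey {
	out := make([]ed25519.PublicKey, len(devs))
	for i, d := range devs {
		out[i] = d.Pub
	}
	return out
}

// Canonical encodes a bundle deterministically (version, then keys sorted bytewise)
// so every device signs, and every client verifies, exactly the same bytes.
func Canonical(b Bundle) []byte {
	keys := make([][]byte, len(b.Keys))
	for i, k := range b.Keys {
		keys[i] = []byte(k)
	}
	sort.Slice(keys, func(i, j int) bool { return bytes.Compare(keys[i], keys[j]) < 0 })
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, b.Version)
	for _, k := range keys {
		buf.Write(k)
	}
	return buf.Bytes()
}

// Endorse is what a surviving device does when its owner says "my phone is gone":
// it signs the replacement bundle with its own key.
func Endorse(d Device, b Bundle) Attestation {
	return Attestation{Signer: d.Pub, Sig: ed25519.Sign(d.Priv, Canonical(b))}
}

// Evaluate is the friend's client-side rule. Only valid signatures from distinct keys
// in the previously trusted bundle count: keys the server adds on its own, duplicate
// votes and bad signatures are ignored. A strict majority of the old devices means the
// change is accepted without an alert; anything less is shown as a key-change warning.
func Evaluate(old, next Bundle, atts []Attestation) (accepted bool, votes int) {
	if next.Version <= old.Version {
		return false, 0 // stale or replayed bundle: never accept silently
	}
	msg := Canonical(next)
	trusted := map[string]bool{}
	for _, k := range old.Keys {
		trusted[string(k)] = true
	}
	voted := map[string]bool{}
	for _, a := range atts {
		id := string(a.Signer)
		if !trusted[id] || voted[id] {
			continue
		}
		if ed25519.Verify(a.Signer, msg, a.Sig) {
			voted[id] = true
			votes++
		}
	}
	return 2*votes > len(old.Keys), votes
}

func main() {
	// Laptop, phone, desktop, tablet.
	devs := []Device{NewDevice(), NewDevice(), NewDevice(), NewDevice()}
	old := Bundle{Version: 1, Keys: Pubs(devs)}

	// The phone (devs[1]) is lost; the other three publish a bundle without it.
	revoked := Bundle{Version: 2, Keys: Pubs([]Device{devs[0], devs[2], devs[3]})}
	ok, n := Evaluate(old, revoked, []Attestation{Endorse(devs[0], revoked), Endorse(devs[2], revoked), Endorse(devs[3], revoked)})
	fmt.Println("3 of 4 endorse revocation: accepted =", ok, "votes =", n)

	// A lying server slips in its own key, endorsed only by itself.
	rogue := NewDevice()
	forged := Bundle{Version: 3, Keys: append(Pubs(devs), rogue.Pub)}
	ok, n = Evaluate(old, forged, []Attestation{Endorse(rogue, forged)})
	fmt.Println("server-added key: accepted =", ok, "votes =", n)

	// With only two devices, one cannot revoke the other on its own.
	two := Bundle{Version: 1, Keys: Pubs(devs[:2])}
	solo := Bundle{Version: 2, Keys: Pubs(devs[:1])}
	ok, n = Evaluate(two, solo, []Attestation{Endorse(devs[0], solo)})
	fmt.Println("1 of 2: accepted =", ok, "votes =", n)
}
```

Note that the majority is taken over the old bundle, not the new one, so a server that pads a bundle with keys it controls gains no votes, and that the two-device case falls through to a warning exactly as the post predicts: the user then has to fall back on the server-side reset, and friends see the alert.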

It’s just an idea, but I think it’s an advancement over Signal’s current approach. And I think that with the right UI even unsophisticated end-users would understand it (don’t look to me to design that part, though!).

11 September 2018: corrected publication date
