Toggle menu
Toggle personal menu
Not logged in
Your IP address will be publicly visible if you make any edits.

Secure Value Recovery

From the unofficial Signal Wiki
Revision as of 12:38, 27 January 2023 by ImpliedMemory (talk | contribs) (Add Components category)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


Secure Value Recovery is a component of Signal that handles storage of a master key needed for features like Storage Service and Registration Lock on Signal servers in such a way that it's not accessible to Signal or anyone else without knowing your Signal PIN.

The Master Key[edit | edit source]

What is described below doesn't entirely match the SVR blog post. You might've also seen unofficial blog posts or explanations which describe a completely different logic. However, the information below has been largely figured out from actual code, so it should be the most accurate.

Definitions[edit | edit source]

Value Definition
PIN Your Signal PIN.
Normalized PIN See code.
Argon2(PIN) 64-byte (512-bit) Argon2[1] hash of normalized PIN. See code for parameters used.
Master key A 32-byte (256-bit) value randomly generated by the client.
Encryption key First 32 bytes (256 bits) of Argon2(PIN).
Access key Second 32 bytes (256 bits) of Argon2(PIN).
Encrypted master key The master key encrypted with the encryption key.

Explanation[edit | edit source]

Access key and encrypted master key are backed up to SVR. As described in the SVR blog post, using SGX[2] and Raft[3], it ensures the number of guesses one can make is very limited. When attempting to restore the encrypted master key, clients only send the access key (not the PIN), which means that the SGX enclave itself can't decrypt the master key.

When interacting with the SVR's SGX enclave(s), clients:

TL;DR: All this allows Signal clients to generate, backup, and restore (only by knowing the user's PIN) the master key without the Signal service knowing it.

The master key itself is not used for encrypting anything. Rather, multiple keys are derived from it to facilitate various features.

The "derive chain" looks like this:

What happens when I change the PIN?[edit | edit source]

The existing master key (note getOrCreateMasterKey in onPinChangedOrCreated) is re-encrypted and re-uploaded to SVR. This means that all Storage Service entries etc. do not need to be re-encrypted.

What happens if I disable the PIN ("opt out")?[edit | edit source]

Since Signal Android 4.66.3 and Signal iOS 3.13.0.13, it's possible to disable the PIN. See the support article for steps to do that.

The master key is still created (if you had one before, a new one will be generated, unlike when changing the PIN) and used for Storage Service, but it will not be backed up using SVR[4]. This means that it can't be restored if you re-install Signal. Additionally, Registration Lock can't be enabled when the PIN is disabled.

  1. A key derivation function. Signal has a wrapper around the reference implementation.
  2. Intel® Software Guard Extensions. A technology that's used extensively in SVR. It's also used in Contact Discovery.
  3. A consensus algorithm.
  4. forum:t/15579/61
Cookies help us deliver our services. By using our services, you agree to our use of cookies.