Secure Value Recovery is a component of Signal that handles storage of a master key needed for features like Storage Service and Registration Lock on Signal servers in such a way that it's not accessible to Signal or anyone else without knowing your Signal PIN.
The Master Key
What is described below doesn't entirely match the SVR blog post. You might've also seen unofficial blog posts or explanations which describe a completely different logic. However, the information below has been largely figured out from actual code, so it should be the most accurate.
Definitions
Value | Definition |
---|---|
PIN | Your Signal PIN. |
Normalized PIN | See code. |
Argon2(PIN) | 64-byte (512-bit) Argon2[1] hash of normalized PIN. See code for parameters used. |
Master key | A 32-byte (256-bit) value randomly generated by the client. |
Encryption key | First 32 bytes (256 bits) of Argon2(PIN). |
Access key | Second 32 bytes (256 bits) of Argon2(PIN). |
Encrypted master key | The master key encrypted with the encryption key. |
Explanation
Access key and encrypted master key are backed up to SVR. As described in the SVR blog post, using SGX[2] and Raft[3], it ensures the number of guesses one can make is very limited. When attempting to restore the encrypted master key, clients only send the access key (not the PIN), which means that the SGX enclave itself can't decrypt the master key.
When interacting with the SVR's SGX enclave(s), clients:
- Authenticate for remote attestation. The credentials for this are received from the service either during onboarding (registration), importantly after verifying the user's phone number, or before doing remote attestation.
- Must use some kind of a token, which is obtained from the enclave. It seems to be at least somewhat related to limiting guessing attempts. Additionally, the `backupId` found in it is used as a salt for Argon2(PIN).
TL;DR: All this allows Signal clients to generate, back up, and restore (only by knowing the user's PIN) the master key without the Signal service knowing it.
The master key itself is not used for encrypting anything. Rather, multiple keys are derived from it to facilitate various features.
The "derive chain" looks like this:
- Master key
  - "Base" Storage Service key
    - Storage Service Manifest key (new key for each version)
    - Storage Service Record key (different for each record)
  - Registration Lock
What happens when I change the PIN?
The existing master key (note `getOrCreateMasterKey` in `onPinChangedOrCreated`) is re-encrypted and re-uploaded to SVR. This means that all Storage Service entries etc. do not need to be re-encrypted.
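The key split, backup/restore flow, derive chain and PIN change described above, as an added Python example (not Signal's code and not part of the original page). Assumptions: PBKDF2 stands in for Argon2 because it ships with Python, the HMAC-based `wrap`/`unwrap` is a stand-in for the cipher the page does not specify, the HMAC-SHA256 derivation and its labels are constructed, the PIN is already normalized, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

def stretch_pin(pin: str, backup_id: bytes) -> tuple[bytes, bytes]:
    """Return (encryption_key, access_key): the two halves of one 64-byte hash."""
    # Stand-in KDF (assumption): the page specifies Argon2 with backupId as salt.
    out = hashlib.pbkdf2_hmac("sha512", pin.encode(), backup_id, 100_000, dklen=64)
    return out[:32], out[32:]

def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def wrap(enc_key: bytes, master_key: bytes) -> bytes:
    # Stand-in cipher (assumption): synthetic IV plus an HMAC keystream.
    iv = _mac(enc_key, b"auth", master_key)[:16]
    return iv + bytes(a ^ b for a, b in zip(master_key, _mac(enc_key, b"enc", iv)))

def unwrap(enc_key: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:16], blob[16:]
    master_key = bytes(a ^ b for a, b in zip(ct, _mac(enc_key, b"enc", iv)))
    if not hmac.compare_digest(iv, _mac(enc_key, b"auth", master_key)[:16]):
        raise ValueError("wrong key or corrupted blob")
    return master_key

def derive_chain(master_key: bytes, manifest_version: int, record_id: bytes) -> dict:
    # Assumed derivation (HMAC-SHA256 per level); the labels are constructed.
    storage = _mac(master_key, b"storage-service")
    return {"registration_lock": _mac(master_key, b"registration-lock"),
            "manifest": _mac(storage, b"manifest-%d" % manifest_version),
            "record": _mac(storage, b"record-", record_id)}

def new_master_key() -> bytes:
    return secrets.token_bytes(32)  # random, generated by the client

def backup(pin: str, backup_id: bytes, master_key: bytes) -> dict:
    """What the client uploads; a PIN change is this call with the same master key."""
    enc_key, access_key = stretch_pin(pin, backup_id)
    return {"access_key": access_key, "blob": wrap(enc_key, master_key)}

def restore(pin: str, backup_id: bytes, stored: dict) -> bytes:
    enc_key, access_key = stretch_pin(pin, backup_id)
    # Enclave-side check, modelled locally: only the access key is presented.
    if not hmac.compare_digest(access_key, stored["access_key"]):
        raise PermissionError("access key mismatch (uses up one guess)")
    return unwrap(enc_key, stored["blob"])
```

Because the stored record holds only the access key and the wrapped blob, calling `unwrap` with the access key fails, while re-running `backup` with a new PIN leaves every key in `derive_chain` unchanged.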
What happens if I disable the PIN ("opt out")?
Since Signal Android 4.66.3 and Signal iOS 3.13.0.13, it's possible to disable the PIN. See the support article for steps to do that.
The master key is still created (if you had one before, a new one will be generated, unlike when changing the PIN) and used for Storage Service, but it will not be backed up using SVR[4]. This means that it can't be restored if you re-install Signal. Additionally, Registration Lock can't be enabled when the PIN is disabled.
1. A key derivation function. Signal has a wrapper around the reference implementation.
2. Intel® Software Guard Extensions. A technology that's used extensively in SVR. It's also used in Contact Discovery.
3. A consensus algorithm.
4. forum:t/15579/61