Official Press Release

Matrix.org Launches Cross-platform Beta of End-to-End Encryption Following Security Assessment by NCC Group

Security assessment allows Matrix to advance development of its end-to-end encryption implementation, as the project today adds iOS and Android to the list of E2E supported platforms.

Download All images

London – November 21 2016 – Matrix, the open standard protocol for real time communication, is announcing the launch of a formal beta for its “Olm” end-to-end encryption implementation across Web, iOS and Android. The organization is also disclosing the completion of a full review of Matrix’s Olm encryption library by NCC Group which was carried out in September. The review was generously funded in part by the Open Technology Fund.

Matthew Hodgson, Matrix.org’s Technical Co-founder, says: “With Matrix.org and Olm, we have created a universal end-to-end encrypted communication fabric – we really consider this a key step in the evolution of the Internet. Now that Olm is complete and audited, we want it to be available to everyone out there without restriction – we have released it as permissively licensed open source for the benefit of the whole community.  The internet now has all the tools it needs to securely defragment communication silos.”

End-to-end encryption gives users true privacy, preventing anyone else from eavesdropping on conversations – even the very communications services they’re using. This is incredibly important for a decentralised ecosystem like Matrix where data can span across many different servers, and users should not have to trust any of those servers.  End-to-end encryption is also a real differentiator from most other popular collaboration systems whose business models fundamentally rely on being able to read, analyse and profile your conversations.

Matrix’s implementation of end to end encryption through the Olm and Megolm cryptographic ratchets is unique in many ways. Critically, it’s built for interoperability and is not limited for use only with Matrix but also other communication protocols (such as XMPP). The implementation and formal specification is entirely open source, released under the permissive Apache License at https://matrix.org/git/olm. Matrix encrypts per-device rather than per-user – letting users select precisely which devices they trust to decrypt a message. This means users can stop a tablet left on someone’s sofa decrypting messages intended for their phone. Finally, with Megolm, users can adjust how much history can be decrypted by new devices, allowing different privacy guarantees per-room.

The NCC Group security assessment, conducted between September 19 and 30 2016, marks a significant milestone for Matrix’s encryption solution. The assessment found one high, one medium, and various low and informational issues during the time that the review was conducted. These issues have either been solved in libolm v2.0.0 or addressed in the associated Matrix client SDKs.
Alex Balducci, Principal Security Consultant from NCC Group, said: “It was great to work with a team like Matrix, who take security seriously and have a passion for this line of work. While challenging, the engagement was a great experience and I’m glad to have had the opportunity to play a role in it. The goal of open interoperable cryptography on the Internet is a worthy one, and we wish the project the best success. I also want to call out the Open Technology Fund for helping support this engagement and making the Internet a more secure place!”

End-to-end encryption is available today in clients built on Matrix’s matrix-js-sdk, matrix-ios-sdk or matrix-android-sdk, such as Riot (https://riot.im).

How does it work?

  • A “cryptographic ratchet” generates a sequence of keys that can be used to encrypt a series of messages.  It’s easy to step forwards in the sequence, but unfeasibly hard to step backwards – just like a mechanical ratchet, meaning that a stolen ratchet can’t decrypt older history.
  • Olm implements the ‘double ratchet’ algorithm popularised by Open Whisper Systems’ Signal, where sequences of messages from a sender are encrypted with keys from the same ratchet sequence. A new ratchet is created (by advancing another ratchet) every time the conversation changes direction.
  • Megolm is an entirely new algorithm, which implements a separate ratchet per sending device participating in a group conversation – each device sends a series of messages encrypted with keys from that ratchet. The room specifies how frequently senders should replace their ratchet (e.g. whenever a new user joins, leaves, every N messages, every N days etc).

Additional Information

The full security assessment is available here: https://www.nccgroup.trust/us/our-research/matrix-olm-cryptographic-review/ 

NCC Group: https://www.nccgroup.trust/us/

Open Technology Fund: https://www.opentech.fund/

Libolm website: https://matrix.org/git/olm/about

Libolm implementor’s guide: http://matrix.org/docs/guides/e2e_implementation.html

Formal specification for Olm: https://matrix.org/docs/spec/olm.html

Formal specification for Megolm: https://matrix.org/docs/spec/megolm.html

Formal specification for E2E in Matrix: http://matrix.org/docs/spec/client_server/latest.html#module-e2e (draft: http://matrix.org/speculator/spec/drafts%2Fe2e/client_server/unstable.html#end-to-end-encryption).

About

Matrix is an open standard for interoperable, decentralised, secure real-time communication over IP. It can be used to power Instant Messaging, VoIP/WebRTC signalling, Internet of Things communication – or anywhere you need a standard HTTP API for publishing and subscribing to data, whilst tracking the conversation history with optional end-to-end encryption. Matrix defines the standard, and provides open source reference implementations of Matrix-compatible Servers, Clients, Client SDKs and Application Services to help you create new communication solutions, or extend the capabilities and reach of existing ones. Matrix.org is a non-profit project, existing to nurture and protect the emerging ecosystem for all participants without being compromised by specific commercial interests.

 

About NCC Group

NCC Group is a FTSE 250 listed global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape.

With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face.

We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.

Headquartered in Manchester, UK, with over 35 offices across the world, NCC Group employs more than 2,000 people and is a trusted advisor to 15,000 clients worldwide.

https://www.nccgroup.trust 

Leadership

Matthew Hodgson - Technical Co-founder

Social Links

Media Contact

Danielle Blumenstyk Peterman

danielle@blonde20.com

+972-54-5546313