riyapenn edited this page Dec 23, 2016 · 6 revisions

How are my text messages encrypted?

Signal uses Curve25519, AES-256 and HMAC-SHA256 when handling messages. The security of these algorithms has been tested over many years of use in hundreds of different applications. Messages sent via Signal are end-to-end encrypted, which means that they can only be read by you and your intended recipients.

The Axolotl ratchet in Signal is the most advanced cryptographic ratchet available. Axolotl ensures that new AES keys are used for every single message, and it provides Signal with both forward secrecy and future secrecy properties. Signal's protocol suite also features enhanced deniability properties that improve on those provided by OTR, except unlike OTR all of these features work well in an asynchronous mobile environment.

We believe that the Axolotl and TextSecure protocols in Signal represent the current state of the art in secure messaging.

How are my voice calls encrypted?

Signal uses the RedPhone protocol, which is based on ZRTP and SRTP. The impenetrable strength of ZRTP and the RedPhone protocol were both specifically cited in internal NSA documents as being "catastrophic" to their surveillance efforts.

Can Open Whisper Systems see my text messages or listen to my phone calls?

Absolutely not, and no one else can either. Everything in Signal is always end-to-end encrypted. There are no exceptions.

Can I verify the safety number?

Yes. You can tap on a contact's name in the conversation view to see advanced identity verification options. Support for automatic verification using scanned QR codes is available in this section, and the full safety number is also displayed for manual verification purposes.

Additionally, Signal provides a shortcut to quickly copy your safety number so that it can be included in an email, message, or Tweet. Simply tap on the share icon in the top right corner and choose to copy or share directly through another app.

Who sees what?

Phone calls, messages, and attachments are only visible to you and the other people with whom you are communicating.

What about metadata?

  • Because your phone will be connecting to Signal's servers, your cellular carrier can determine whether or not you are using the service. However, your carrier cannot gather any information about the individuals or groups with whom you are communicating.
  • Apple's push notification service can theoretically gather metadata about when you are receiving phone calls and messages, but Apple does not have access to any information about their origin or contents.
  • Remember, anyone who has your number in their address book can see whether or not you have signed up for the service. You can register using any valid phone number. Please keep this in mind if using encrypted communications has the potential to get you in trouble. You can read more about the state of private contact discovery here.

Are group chats encrypted?

Yes. Group conversations are encrypted too. An in-depth explanation of this process is available on our blog.

Is the data on my device encrypted too?

While no messaging solution can keep you perfectly safe in the event of a full device compromise, Signal has been engineered to be highly resistant to direct physical attacks:

  • If you have a passcode on your iPhone (and you should!), all Signal files will be encrypted by the operating system.
  • Signal files are completely excluded from iCloud and iTunes backups.
  • A second layer of encryption is used for the message database (outside of attachments). The key for this database is stored in the iPhone's hardware keychain. This defense mechanism is useful against an attacker that has filesystem access but is unable to root the device.

Are there any plans to support iOS 7?

No, unfortunately that's not possible. Signal uses APIs that were first introduced in iOS 8 and that are not available in earlier releases. Furthermore, iOS 7 is no longer being supported by Apple at all, and it contains several serious security vulnerabilities. Users are encouraged to upgrade to the latest version of iOS, if they can.

I don't get an SMS verification code, what should I do?

We take verification issues seriously and we are doing our best to make sure Signal works well no matter where you live. Please let us know on the wiki so that we can investigate.