OMEMO

OMEMO: Multi-End Message and Object Encryption.

Still Under Development?

OMEMO (Multi-End Message and Object Encryption) is the newest development in encryption for XMPP chat. It was introduced in 2015 in the Conversations Android client, is built on the Signal protocol (then still called Axolotl, which is why the XML namespace in the example below is eu.siacs.conversations.axolotl), and is specified in XEP-0384.

OMEMO claims to “give you better encryption features than OpenPGP and OTR and is also much easier to setup”. OMEMO was designed to be built into chat clients rather than bolted on, which certainly makes it easier for the user to set up than OpenPGP. Problems arise, however, when people with different chat clients try to use OMEMO with each other, because it is up to the developers of each client to adhere to the OMEMO standard and to test their software against other XMPP clients. In this respect, OMEMO is currently not reliable. To make matters worse, when a message reaches a client that cannot decrypt it, in many cases the recipient gets no indication of failure at all: the server delivered the message, but it is as though it never arrived.

If everyone you plan to communicate with uses the same chat client, in particular the Conversations client for Android, you will likely be able to use OMEMO successfully. If not, test OMEMO thoroughly between the clients involved before relying on it as your encryption of choice.

OMEMO uses the Personal Eventing Protocol (PEP, XEP-0163), an XMPP extension that lets a user publish small pieces of data to their contacts, to announce the list of a user's device IDs and, for each device, its public identity key and prekeys (the device's "bundle"). By default a PEP node is only visible to contacts who are subscribed to the publisher's presence, so to use OMEMO each user must be on the other's roster and authorized to receive the other's presence.

Enabling OMEMO

Some XMPP clients, such as Gajim and Psi-Plus, require that you enable OMEMO as a plugin.

In the Gajim XMPP client, find the Plugins entry in the menu.

In the plugins dialog, make sure that OMEMO is enabled. Optionally, click the gear icon to review its configuration; nothing needs to be changed for OMEMO to work.

Chatting with OMEMO Encryption

Mark asks Mary to enable OMEMO Encryption. She enables OMEMO in her Psi-Plus XMPP client.

Mary trusts Mark's public keys after confirming that they really are his, for example by comparing the fingerprints her client shows with ones Mark reads to her over another channel. Once keys are trusted, they are stored as part of the contact's definition. This step will not need to be repeated unless Mark adds a device in the future (a different chat client, or a reinstall), since every OMEMO device has its own identity key that must be trusted separately.

Mark enables OMEMO in his Gajim XMPP client.

Mark trusts the public keys sent by Mary.

Now, Mark and Mary can chat. The lock icons tell Mark that the messages are encrypted.

This is what a message that says “How are you?”, encrypted with OMEMO, looks like on the server. The server can read the routing information and the OMEMO header (the sender's device id, the IV, and one wrapped key per recipient device), but the body itself exists only as the base64 ciphertext in the payload element:

<message xmlns="jabber:client"
         to="omemo-mark@e2e.ee"
         type="chat"
         id="ab0ba"
         from="omemo-mary@e2e.ee/DESKTOP-GIFB8N1">
  <active xmlns="http://jabber.org/protocol/chatstates" />
  <request xmlns="urn:xmpp:receipts" />
  <encrypted xmlns="eu.siacs.conversations.axolotl">
    <header sid="977920690">
      <iv>hX0oTO0O9Riivrrt</iv>
      <key id="1089340316" prekey="true">MwhNEiEFqYU23BGKYHTF4ExQ/Ind1gxickDJpNoFfZLNx9n5R08aIQUdbhPUuYqidd0FOwotwOT17Abk/S9Ummlhq7YFWZQWACJiMwohBfKl4/U0bfZxVTR59LqafpQj8A7OOgEaxL2oynhtdSpgEAEYACIwbUxsTEeipzfsuCED2mYyq83Km6OMose6sE/2jl+/Q876sqszd/U4FbFSuXkdPyRG9DMc/+lHXVwossWn0gMw2pHfUg==</key>
      <key rid="1921332172">MwohBdQhAiQ7WK0pXpb0FUHfIuDG41pz8GVQWozdSuLfY8wVEAAYACIw/GDzv/sY820yST7w+12PQcpiuvVMde6NdIj6J4VJzrLrp/uB1nXiFUm21Drmy63qSRpdaiybUIA=</key>
    </header>
    <payload>8Bzqa/psbDz1Zss3I6oH4/4/VhE1XxprXA==</payload>
  </encrypted>
  <store xmlns="urn:xmpp:hints" />
  <encryption namespace="eu.siacs.conversations.axolotl" xmlns="urn:xmpp:eme:0" />
  <stanza-id xmlns="urn:xmpp:sid:0"
             id="2e9c88a6-1cd4-4b2e-acf0-ecd79f174711"
             by="omemo-mark@e2e.ee" />
</message>
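The following is an added example, not code from the page or from any XMPP client. It parses the captured stanza above (embedded as a constant, with the base64 joined onto single lines) and performs the structural check a receiving client must make before it can decrypt anything: is there a key element addressed to my own device id? That is exactly the point where the silent failure described earlier happens; a client whose device id is missing from the header should tell the user rather than drop the message. The device ids 977920690, 1089340316 and 1921332172 come from the stanza; 555 is a made-up id used to show the failure path. No Signal or AES-GCM decryption is attempted.

```python
# Added example; this is not code from the page's author or from any XMPP
# client. It parses the legacy OMEMO stanza captured above (embedded below,
# with the base64 joined onto single lines) and performs the structural check
# a receiving client must make before decryption: is there a <key> addressed
# to my own device id? No Signal/AES-GCM decryption is attempted.
import base64
import xml.etree.ElementTree as ET

NS_OMEMO = "eu.siacs.conversations.axolotl"  # legacy OMEMO namespace (XEP-0384)
NS_EME = "urn:xmpp:eme:0"                     # Explicit Message Encryption hint
SIGNAL_VERSION_BYTE = 0x33  # (3 << 4) | 3: first byte of every Signal v3 message

# The message from the page as seen on the server.
STANZA = """\
<message xmlns="jabber:client" to="omemo-mark@e2e.ee" type="chat" id="ab0ba"
         from="omemo-mary@e2e.ee/DESKTOP-GIFB8N1">
  <active xmlns="http://jabber.org/protocol/chatstates"/>
  <request xmlns="urn:xmpp:receipts"/>
  <encrypted xmlns="eu.siacs.conversations.axolotl">
    <header sid="977920690">
      <iv>hX0oTO0O9Riivrrt</iv>
      <key id="1089340316" prekey="true">MwhNEiEFqYU23BGKYHTF4ExQ/Ind1gxickDJpNoFfZLNx9n5R08aIQUdbhPUuYqidd0FOwotwOT17Abk/S9Ummlhq7YFWZQWACJiMwohBfKl4/U0bfZxVTR59LqafpQj8A7OOgEaxL2oynhtdSpgEAEYACIwbUxsTEeipzfsuCED2mYyq83Km6OMose6sE/2jl+/Q876sqszd/U4FbFSuXkdPyRG9DMc/+lHXVwossWn0gMw2pHfUg==</key>
      <key rid="1921332172">MwohBdQhAiQ7WK0pXpb0FUHfIuDG41pz8GVQWozdSuLfY8wVEAAYACIw/GDzv/sY820yST7w+12PQcpiuvVMde6NdIj6J4VJzrLrp/uB1nXiFUm21Drmy63qSRpdaiybUIA=</key>
    </header>
    <payload>8Bzqa/psbDz1Zss3I6oH4/4/VhE1XxprXA==</payload>
  </encrypted>
  <store xmlns="urn:xmpp:hints"/>
  <encryption namespace="eu.siacs.conversations.axolotl" xmlns="urn:xmpp:eme:0"/>
  <stanza-id xmlns="urn:xmpp:sid:0" id="2e9c88a6-1cd4-4b2e-acf0-ecd79f174711"
             by="omemo-mark@e2e.ee"/>
</message>
"""


def _b64(text):
    """Decode base64, tolerating the line breaks that pretty-printers insert."""
    return base64.b64decode("".join((text or "").split()))


def parse_omemo(stanza_xml):
    """Pull the OMEMO header, per-device keys and payload out of a <message>."""
    root = ET.fromstring(stanza_xml)
    enc = root.find(f"{{{NS_OMEMO}}}encrypted")
    if enc is None:
        raise ValueError("not an OMEMO message: no <encrypted> element")
    header = enc.find(f"{{{NS_OMEMO}}}header")
    keys = {}
    for key in header.findall(f"{{{NS_OMEMO}}}key"):
        # XEP-0384 names the recipient-device attribute rid; the captured
        # stanza carries id on its prekey element, so accept either spelling.
        rid = key.get("rid") or key.get("id")
        keys[rid] = {"prekey": key.get("prekey") == "true", "data": _b64(key.text)}
    payload = enc.find(f"{{{NS_OMEMO}}}payload")
    eme = root.find(f"{{{NS_EME}}}encryption")
    return {
        "from": root.get("from"),
        "to": root.get("to"),
        "sid": header.get("sid"),  # sender's device id
        "iv": _b64(header.findtext(f"{{{NS_OMEMO}}}iv")),
        "keys": keys,  # recipient device id -> Signal message wrapping the AES key
        "payload": _b64(payload.text) if payload is not None else b"",
        "eme": eme.get("namespace") if eme is not None else None,
    }


def check_for_device(parsed, own_device_id):
    """Reasons a device with this id could NOT decrypt the message; [] means it can.

    Only structure is checked, so [] means "a key was addressed to us", not
    that the Double Ratchet session state will actually accept it.
    """
    problems = []
    if len(parsed["iv"]) not in (12, 16):  # 12 bytes here; older clients sent 16
        problems.append(f"unexpected IV length {len(parsed['iv'])} bytes")
    key = parsed["keys"].get(str(own_device_id))
    if key is None:
        problems.append(
            f"no <key> for device {own_device_id}: the sender did not encrypt to "
            "this device, so a client that stays silent here loses the message"
        )
    elif key["data"][:1] != bytes([SIGNAL_VERSION_BYTE]):
        problems.append(f"key for device {own_device_id} is not a Signal v3 message")
    if not parsed["payload"]:
        problems.append("no <payload>: this is a KeyTransportElement, not a chat message")
    return problems


if __name__ == "__main__":
    msg = parse_omemo(STANZA)
    print(f"from {msg['from']} (device {msg['sid']}) to {msg['to']}, EME hint: {msg['eme']}")
    for rid, key in msg["keys"].items():
        kind = "prekey (also sets up the session)" if key["prekey"] else "regular"
        print(f"  key for device {rid}: {len(key['data'])} bytes, {kind}")
    print(f"  iv {len(msg['iv'])} bytes, payload {len(msg['payload'])} bytes of ciphertext")
    # 555 is a made-up device id that is not in the header.
    for device in (1921332172, 1089340316, 555):
        print(f"device {device}:", check_for_device(msg, device) or "can decrypt")
```

Run as a script it lists the two recipient devices (one of them reached via a prekey message, meaning Mary's client had not yet set up a session with that device) and reports that the invented device 555 has no key and therefore nothing to decrypt. A real client would hook the empty-result case up to a visible "message could not be decrypted on this device" notice instead of discarding the stanza.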


Last modified August 9, 2020