Data flow: Detailed
BBM Enterprise
key exchange process

Each device generates a long-lived encryption key pair and a signing key pair.

The initiator’s device generates:

(Ksign_A, K'sign_A) = EC-GEN ()
(Kenc_A, K'enc_A) = EC-GEN ()

The recipient’s device generates:

(Ksign_B, K'sign_B) = EC-GEN ()
(Kenc_B, K'enc_B) = EC-GEN ()

The initiator chooses or autogenerates a secret password. This shared password is sent automatically in-band or is sent manually out-of-band to the recipient using an SMS text message, email, phone call, or in person. For details, see Key exchange process.

The initiator sends the first

BBM

message, which is an invitation that contains the initiator's contact information and the highest version of

BBM Enterprise

that they support.

Version = 0
p = KDF ("EC-SPEKE Password", F || S), forget S, where sizeof(p) = 256 bits
(S_A, S'_A) = EC-SPEKE-GEN (p), forget p
invite_id = 64-bit nonce

The initiator’s invitation message (Message #1) is: (Version_A, invite_id, PIN_A, S_A)

The recipient responds to the invitation and provides the highest version of

BBM Enterprise

that the recipient supports, proof that they know the secret password, and the recipient's long-lived public encryption and signing keys.

Version = 0
p = KDF ("EC-SPEKE Password", F || S), forget S, where sizeof(p) = 256 bits
(S_B, S'_B) = EC-SPEKE-GEN (p), forget p
Version = MIN (Version_A, Version_B)
SS_AB = EC-DH (S'_B, S_A)
(K_enc, K_mac, nonce) = KDF ("BBM Enterprise Key Exchange", F || SS_AB)
Message #2 payload = P2 = (invite_id, Ksign_B, Kenc_B)
Message #2 payload signature = S2 = EC-SIGN {K'sign_B} (F || version_B || P2 || S_A || S_B)
Message #2 encrypted payload = E2 = ENCMAC {K_enc, K_mac, nonce} (P2 || S2)

The recipient’s response message (Message #2) is: (Version_B, S_B, E2)

The initiator responds to the acceptance and provides proof that they know the secret password, the initiator's long-lived public encryption and signing keys, and proof that the initiator's private keys correspond to the public keys that the initiator claims to own.

Version = MIN (VersionA, VersionB)
Increment password_attempts.
If (password_attempts > 5) then abort.
SS_AB = EC-DH (S'_A, S_B)
(K_enc, K_mac, nonce) = KDF ("BBM Enterprise Key Exchange", F || SS_AB)
(P2, S2) = DECMAC {K_enc, K_mac, nonce} (E2)
(Ksign_B,Kenc_B) = P2
Verify signature S2.
Kenc_AB = EC-DH (K'enc_A, Kenc_B)
K_proof = KDF ("K_proof", F || Kenc_AB), where sizeof(K_proof) = 256 bits
Message #3 Auth Tag = T3 = MAC {K_proof} (F || Ksign_B|| Kenc_B)
Message #3 payload = P3 = (Ksign_A, Kenc_A, T3)
Message #3 payload signature = S3 = EC-SIGN {K'sign_A} (F || P3 || S_B || S_A || Ksign_B || Kenc_B)
Message #3 encrypted payload = E3 = ENCMAC {K_enc, K_mac, nonce}(P3 || S3)

The initiator’s response message (Message #3) is: E3

The recipient responds with proof that they own the recipient's private keys.

(P3, S3) = DECMAC {K_enc, K_mac, nonce} (E3)
(Ksign_A, Kenc_A, T3') = P3
Verify signature S3.
Kenc_AB = EC-DH (K'enc_B, Kenc_A)
Kproof' = KDF ("K_proof", F || Kenc_AB), where sizeof (K_proof) = 256 bits
T3 = MAC {K_proof'} (F || Ksign_B || Kenc_B)
Check T3 == T3'
Message #4 Auth Tag = T4 = MAC {K_proof'}(F || Ksign_A || Kenc_A)
E4 = ENCMAC {K_enc, K_mac, nonce} (T4)

The initiator’s response message (Message #4) is: E4

After the initiator verifies the final message from the recipient, each party knows the other’s public keys and that they belong to someone who knows both the associated private keys and the secret password.

T4' = DECMAC {K_enc, K_mac, nonce} (Message #4)
Check T4' against MAC {K_proof} (F || Ksign_A || Kenc_A)

After the key exchange is completed, the security of messages no longer depends on the secrecy of the passphrase or the ephemeral key pairs. The public keys for encryption and signing are stored for each contact and the contact is confirmed as the owner of the private keys.

Section:

Parameters that the BBM Enterprise key exchange uses

Data flow: Detailed BBM Enterprise key exchange process

Data flow: Detailed
BBM Enterprise
key exchange process