Obligatory Disclaimer: I'm not a cryptographer by any means, so I'm not as clued-up on cryptography as I could/should be. My understanding could be mistaken and my explanations erroneous. Please DYOR if anything seems unclear or incorrect.
TL;DR: Signal seems to use TLS/E instead of E2EE, but the implementation is rather complex, making it unclear exactly what mode of encryption is being used. It's unclear to me whether the answer is "neither" or "both".
Following a post on How Telegram works (and the arrest of its creator, Pavel Durov) by @CryptoFab (see link in "Resources"), I set out to see if Signal actually uses end-to-end encryption (E2EE) or if, like WhatsApp, it actually uses transport-layer security/encryption (TLS/E) and merely claims that it's the former. At this point, having done some reading (only a fraction of all I can read about it), I'm still not certain.
Hold the phone there, though: Before diving in, let me give you the definitions of each so you can see the difference:
- End-to-End Encryption: In this model, both parties that wish to communicate generate their own public and private keys, keeping the private keys, well, private and exchanging public keys (preferably through a medium other than the one through which they intend to send encrypted communications, such as email). PGP/GPG is an example of this asymmetric key pair (public and private) approach. The main point/feature here is that only the two people communicating "know" their respective private keys; anyone can know their public keys (hence why it's called a public key) and only the recipient can decrypt it with their private key.
- Transport Layer Security/Encryption: Messages are encrypted while in transit to the server, on the server (at rest) and to the recipient. Neither the sender nor the recipient generates/holds the keys used to encrypt the messages; the application/service handles them. (The server might decrypt and/or store the message before sending it to the recipient. The users of the service have to trust the service to not do this, but there's no guarantee without reading and understanding the source code.) HTTPS is an example of this protocol in use.
"However, TLS is implemented between a user and a server, not between two users. This keeps data secure in transit to and from a server, but the data on the server itself is in decrypted form. This is often necessary — for example, if a user is using a web application, the server needs access to their data in order for the application to function. However, from a privacy standpoint, this is not appropriate in all situations. For instance, if users want to message each other, they may not want the service provider to be able to see their messages."
— Cloudflare; What's the difference between E2EE and TLS?
"E2EE ensures that no one can see messages except for the two people who are communicating with each other (provided that the devices they are using are not compromised or stolen). When implemented properly, it does not require users to trust that a service will handle their data properly. Thus, E2EE gives people total control over who can read their messages, enabling them to keep their messages private."
— Ibid; How does end-to-end encryption support privacy?
"End-to-end encryption is another method of secure communication that is designed to prevent third parties from being able to access data while it is being transferred from one device or end system to another. It can also be used to secure data files not only in transfer, but when they are at rest or being stored on servers or in the cloud.
"In end-to-end encryption, the data is first encrypted on a sender’s device or system, and only its intended recipient is given the ability to decrypt it. During transit to its desired destination, the data cannot be tampered with or read by an application service provider, internet service provider, threat operator, incorrect recipient or any other service or individual."
— Galaxkey; What is End-to-End Encryption?
As far as I can tell at this point, Signal uses TLS/E, not E2EE. (I can't find a setting/option to generate or import key pairs in the Signal app. I do recall seeing some way of sharing a synchronicity code, which Signal terms a "safety number", with a contact for verification. However, that seems to be generated by the app.) To be sure, I'd have to read the source code of both the client-side (mobile) app and the server-side code. However, Justino Mora's explanation on Medium suggests to me that the Signal app does generate private and public keys and exchange them when one first installs/joins Signal. It's been a while since I started using Signal, so I can't recall if it ever showed any sign of doing this or if it was all done in the background, unbeknownst to me.
"The first step in establishing an end-to-end encrypted connection between two users using Open Whisper System’s Signal Protocol is generating a set of long-term identity key pair, medium-term signed prekey pair, and several ephemeral prekey pairs. These keys are generated on the client side and stored locally somewhere secure. The second step involves packaging all of the public keys and registration ID into an object (known as the “key bundle”) and registering it with a Key Distribution Center. In order for Alice to send messages to Bob, Alice must know and have access to Bob’s registration ID and public keys to start a session. Thus, Alice must first generate her own keys and register herself with the key distribution center and request Bob’s key bundle."
— Justino Mora; Demystifying the Signal Protocol for End-to-End Encryption (E2EE); "Key Generation and Registration with Signal Protocol"
"Once Alice receives Bob’s key bundle from the Key Distribution, she then uses her own identity and medium-term private keys and Bob’s set of private keys to compute a master shared secret. This master secret is then used to start a session with Bob. Once Alice computes the master shared secret she then sends it to Bob so that he can decipher it and validate it. Upon validation of the master shared secret on Bob’s machine, any of the two users can start sending each other messages."
— Ibid; "Starting a Session"
Well, that's not exactly a simple protocol around which to wrap one's brain, is it? (Just reading Mora's explanation boggles my brain, so perhaps it is better left to better/sharper minds than mine.)
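To make Mora's two steps concrete, here is an added toy model (my own example, not Signal's or Mora's code) of the key-bundle flow: Bob generates an identity key, a signed prekey and a one-time prekey, publishes only the public halves to a key distribution center, and Alice derives a shared secret from that bundle. It assumes X25519 as the key agreement (implemented from RFC 7748), SHA-256 as a stand-in for the key derivation function, and omits the prekey signature.

```python
# Added example (not Signal's code): toy model of the key-bundle flow Mora
# describes. X25519 follows RFC 7748; SHA-256 stands in for the KDF and the
# prekey signature is omitted. Only public halves ever reach the server.
import hashlib, secrets

P, BASE = 2**255 - 19, (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Curve25519 scalar multiplication (RFC 7748 Montgomery ladder)."""
    kb = bytearray(k); kb[0] &= 248; kb[31] &= 127; kb[31] |= 64
    s, x1 = int.from_bytes(kb, "little"), int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (s >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    if swap: x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = secrets.token_bytes(32)          # private half never leaves the device
    return priv, x25519(priv, BASE)

def make_bundle():
    """Step 1 (Bob): identity key, signed prekey, one one-time prekey."""
    keys = {n: keypair() for n in ("ik", "spk", "opk")}
    return {n: k[0] for n, k in keys.items()}, {n: k[1] for n, k in keys.items()}

def alice_starts(alice_ik_priv, bob_pub):
    """Step 2 (Alice): fetch Bob's public bundle, derive the master secret."""
    ek_priv, ek_pub = keypair()             # fresh ephemeral key for this session
    dh = [x25519(alice_ik_priv, bob_pub["spk"])] + \
         [x25519(ek_priv, bob_pub[n]) for n in ("ik", "spk", "opk")]
    return hashlib.sha256(b"".join(dh)).digest(), ek_pub  # only ek_pub goes to Bob

def bob_completes(bob_priv, alice_ik_pub, alice_ek_pub):
    dh = [x25519(bob_priv["spk"], alice_ik_pub)] + \
         [x25519(bob_priv[n], alice_ek_pub) for n in ("ik", "spk", "opk")]
    return hashlib.sha256(b"".join(dh)).digest()

def run_session() -> bool:
    kdc = {}                                # key distribution center: public halves only
    bob_priv, kdc["bob"] = make_bundle()
    alice_ik_priv, alice_ik_pub = keypair()
    secret_a, ek_pub = alice_starts(alice_ik_priv, kdc["bob"])
    return secret_a == bob_completes(bob_priv, alice_ik_pub, ek_pub)
```

Both sides arrive at the same secret while the `kdc` dictionary holds nothing but public keys, which is the property that separates this model from the TLS-to-server one defined above.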
Given that it's late at night at the time I typed this, further investigation (of both the key exchange protocol and the source code) is an activity for another day. (I've left links in "Resources" for further reading.) Until I'm better informed of exactly what's going on under the hood, I'm going to risk trusting that Open Whisper Systems' app and server do what it says on the tin, based on Ed Snowden's recommendation. As far as I'm concerned, if it's good enough for Snowden's approval, it's good enough for me. (Of course, there's only one way to be sure, which is to read the source code and documentation.) Hopefully, I don't have reason to regret that.