6

I am getting confused about what exactly the nature of the Signed Prekey (SPK) used in the Signal protocol is. I understand what it is used for, but I think the confusion stems from its name. Is it just a normal key pair whose public part will get signed and sent to the server as part of the "key bundle"?

Which means, THAT exact SPK that we send in the bundle as well is just a random public key, and is in no way signed or modified by the IdentityKey itself.

To conclude:

Based on my understanding, this SPK could also be named "Key that WILL get signed but IS NOT signed". Or is there a previous key, let's call it just "PreKey", that gets signed by IdentityKey, and that's how we get the Signed PreKey?

I sound like a crazy person to myself and it's really hard to even formulate this question. I've read the technical paper on Signal's website and also whitepapers on the Signal implementation in WhatsApp, but I'm still confused about how this SPK is obtained.

Hope this doesn't look like nonsense. Thanks.

Dante

1 Answer

3

The Signed Prekey is one of the long-term prekeys used in X3DH. The public component of the Signed Prekey is signed by the Identity private key and sent to the Key Distribution Server as part of the key bundle. To make sure that the server doesn't tamper with the key bundle, the Signed Prekey is signed by the Identity key, and the Identity key is verified using out-of-band authentication with the help of safety numbers at some time in the future.

One-time prekeys are disposable and are deleted from the server every time a contact requests the public key bundle from the server. Unlike one-time prekeys, the Signed Prekey is not disposable, but it is not permanent either. The Signed Prekey expires in 48 hours and needs to be updated by the client, whereas the Identity key is permanent until app reinstall or change in device.

X3DH can still be initialised without a one-time prekey if all the one-time prekeys are used up, which can rarely happen. The state of the one-time prekeys is checked every 12 hours, and if approximately 2/3 of the 100 one-time prekeys are used up, they are replenished. The expiry time of the Signed Prekey can be extended to reuse it in a future X3DH. The purpose of the Signed Prekey is to provide some protection if no one-time prekey was given: if a device was taken after the interval, the initial shared secret still couldn't be calculated.

defalt
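The relationship described in the answer above, as an added example that is not part of the original answer or Signal's own code: the prekey is an ordinary X25519 key pair, and the bundle carries its unmodified public bytes next to a signature made with the identity private key. It assumes Ed25519 from Go's standard library as a stand-in for the signature scheme Signal uses, and the `Bundle` type and the function names are hypothetical.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Bundle is a hypothetical, simplified key bundle as the server would store it.
type Bundle struct {
	IdentityPub  ed25519.PublicKey // long-term identity public key
	SignedPrekey []byte            // raw X25519 public key, not altered by signing
	Signature    []byte            // identity-key signature over SignedPrekey
}

// NewBundle generates a fresh X25519 key pair (the prekey) and signs its
// public bytes with the identity private key (Ed25519 here is an assumption).
func NewBundle(idPriv ed25519.PrivateKey) (Bundle, *ecdh.PrivateKey, error) {
	spk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Bundle{}, nil, err
	}
	pub := spk.PublicKey().Bytes()
	sig := ed25519.Sign(idPriv, pub)
	idPub := idPriv.Public().(ed25519.PublicKey)
	return Bundle{idPub, pub, sig}, spk, nil
}

// Verify is the check a contact runs on a fetched bundle before using the prekey.
func (b Bundle) Verify() bool {
	return len(b.IdentityPub) == ed25519.PublicKeySize && ed25519.Verify(b.IdentityPub, b.SignedPrekey, b.Signature)
}

// Demo returns (honest bundle verifies, bundle with a substituted prekey verifies).
func Demo() (bool, bool) {
	_, idPriv, _ := ed25519.GenerateKey(rand.Reader)
	b, _, err := NewBundle(idPriv)
	if err != nil {
		panic(err)
	}
	honest := b.Verify()
	other, _ := ecdh.X25519().GenerateKey(rand.Reader)
	b.SignedPrekey = other.PublicKey().Bytes() // constructed tampering: prekey swapped in storage
	return honest, b.Verify()
}

func main() { fmt.Println(Demo()) }
```

The check only binds the prekey to the identity key in the bundle; whether that identity key belongs to the intended contact is what the safety-number comparison mentioned in the answer establishes.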