pyaxo - an implementation of the Axolotl cryptographic ratchet protocol in python

I've written an implementation of the Axolotl cryptographic ratcheting protocol in python.


The Axolotl ratchet is a protocol (similar to OTR) that provides for perfect forward secrecy in (a)synchronous communications. It uses triple Diffie-Hellman for authentication and ECDHE for perfect forward secrecy. The protocol is lighter and more robust than the OTR protocol - providing better forward and future secrecy, as well as deniability.

The protocol was developed by Trevor Perrin and Moxie Marlinspike. Its chief use currently is in the Whisper Systems TextSecure SMS package.

A nice writeup of the protocol is on the Whisper Systems Blog. You can find the most recent specification of the protocol here.

Installation instructions

Install with sudo python install

If you have setuptools installed, the required python-gnupg package will be downloaded and installed automatically.

pyaxo also requires the curve25519-donna package for doing the ECDHE calculations. This package won't be installed automatically. It can be installed by:

 git clone
 cd curve25519-donna
 sudo python install

You may need some additional python modules as well. Check the imports list.

There are several examples showing usage. There are also encrypt_pipe() and decrypt_pipe() methods for use in certain applications. I haven't put together an example using them yet, but it should be straightforward. Note: the weechat-axolotl plugin linked below uses these pipe methods.

Bugs, etc. should be reported to the pyaxo github issues page.

Ideas for the future

It seems to me that Axolotl is essentially a drop-in replacement for OTR. Toward that end, I've also written a weechat script for secure private messaging using Axolotl. A utility for generating the required databases is also included. I also plan to convert encoDHer to use Axolotl as well.

axochat - a standalone ncurses instant messaging script using AES256 encryption with Axolotl ratchet for key management.

Axochat is a python ncurses-based standalone instant messaging chat application that uses AES256 encryption (GPG) with the Axolotl ratchet for key management. The Axolotl ratchet provides for excellent forward and future secrecy, as well as authentication and deniability.

The Axolotl ratchet was developed by Trevor Perrin and Moxie Marlinspike.

The script runs using a client-server model. One user starts the server, giving it his/her Axolotl credentials and the second user starts a client, giving it his/her Axolotl credentials. The two connect on a user-chosen tcp port and encrypted instant messages can then be exchanged. By virtue of the Axolotl ratchet, each message is encrypted with a different ephemeral key. That key is deleted upon decryption of the message so it can never be decrypted again.

The script is curses-based, and so should run in any modern terminal emulator. Prior to exchanging encrypted messages, each user needs to generate their own Axolotl credentials and enter the other user's credentials as well. Authentication is provided by the out-of-band exchange of key fingerprints between the users. The script also provides the capability to generate the required credentials.

If you prefer to run axochat in client-only mode, here is a simple echo server for use with axochat. The script will accept connections from axochat clients, and echo any messages to all other connected clients. Of course, only the addressee will be able to decrypt the messages.

#!/usr/bin/env python

A simple echo server for axochat

import socket
import threading
import sys

HOST = ''
PORT = 50000
SIZE = 1024

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
client_list = []
address_list = []

def receiveData(client, address):
    global client_list
    global address_list
    while True:
        data = client.recv(SIZE)
        if not data:
            print str(address) + ' disconnected'
            for item in client_list:
                if item != client:

while True:
    client, address = s.accept()
    client_list = client_list + [client]
    address_list = address_list + [address]
    print 'added new client', address

If you want to connect the client to a server via tor (either axochat or echo server), you can use socat. The following socat command:

 socat TCP-LISTEN:12345,fork SOCKS4A:localhost:<server.ip.addr>:50000,socksport=9050 &

nd connect your axochat client to localhost port 12345. This will proxy the connection through tor to port 50000 on the server node.

All code, text and images are Copyright © 2013-2017 by David R. Andersen. All rights reserved unless otherwise specified.
This site is produced using the Haggis static site generator.