Device Trust With OMEMO you no longer trust user identities but device identities. If you are communicating with a contact for the first time or if that contact recently got a new device, you will be presented with a fingerprint for that device. You can then either verify that fingerprint out of band (for example via a quick phone call) or, if you are reasonably sure that your transport is secure (for instance if you are chatting on the same, trusted server), you can choose to trust a device on first use. If you have trusted devices of your contact in the past you can also use those devices as a secure channel to verify the fingerprint of a new device by having your contact verify the fingerprint via chat.

Background OMEMO uses a Double Ratchet to establish secure sessions between every combination of devices for you and your contact. Those sessions are then being used to communicate secure keys to all devices. OMEMO will generate a new key for every message. That key is used to encrypt your message with AES-GCM. The long-lived Double Ratchet sessions in the background deal with the challenges of message reordering, message loss and accidental duplication. Being built upon PEP (Personal Eventing Protocol) to announce the pre-keys used by the Double Ratchet to establish new sessions, OMEMO requires little to no change to the existing XMPP server infrastructure. Find more information in XEP-0384: OMEMO Encryption.