From 1963a24832eeb4539fbcdc7449cc0bded4bfff13 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Mon, 8 Jul 2019 13:27:38 +0100 Subject: [PATCH] fix attacks paragraph --- proposals/2134-identity-hash-lookup.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/proposals/2134-identity-hash-lookup.md b/proposals/2134-identity-hash-lookup.md index f1df605f..2ac074af 100644 --- a/proposals/2134-identity-hash-lookup.md +++ b/proposals/2134-identity-hash-lookup.md @@ -64,9 +64,12 @@ hashed). First the client must prepend the medium to the address: "denny@example.com" -> "email denny@example.com" ``` -Hashes must be peppered in order to reduce both the information a client gains -during the process, and attacks the identity server can perform (namely sending -a rainbow table of hashes back in the response to `/lookup`). +Hashes must be peppered in order to reduce both the information an identity +server gains during the process, and attacks the client can perform. Clients +will have to generate a full rainbow table specific to the set pepper to +obtain all registered MXIDs, while the server has to generate a full rainbow +table with the specific pepper to get the plaintext 3pids for non-matrix +users. In order for clients to know the pepper and hashing algorithm they should use, Identity servers must make the information available on the `/hash_details`