Merge pull request #2687 from uhoreg/sas2_spec

document new key agreement method for SAS verification and deprecate old method
Hubert Chathi 2020-07-23 10:24:57 -04:00 committed by GitHub
commit 53e2b999b9
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 26 additions and 4 deletions


@ -0,0 +1 @@
Document `curve25519-hkdf-sha256` key agreement method for SAS verification, and deprecate old method (MSC2630).
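Review bot: the changelog entry names the new method but not the one being deprecated; readers will search the changelog for the method they currently implement, so name it explicitly, e.g. "deprecate the `curve25519` key agreement method (MSC2630)".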


@ -26,8 +26,8 @@ properties:
key_agreement_protocols: key_agreement_protocols:
type: array type: array
description: |- description: |-
The key agreement protocols the sending device understands. Must The key agreement protocols the sending device understands. Should
include at least ``curve25519``. include at least ``curve25519-hkdf-sha256``.
items: items:
type: string type: string
hashes: hashes:
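Review bot: downgrading "Must include at least ``curve25519``" to "Should include at least ``curve25519-hkdf-sha256``" removes the only guarantee that two devices have a key agreement protocol in common; with "Should" on both sides the text no longer says what the receiver does when the two lists do not intersect. Suggest keeping "Must" for ``curve25519-hkdf-sha256`` as the new baseline, and adding a sentence to this description that ``curve25519`` is deprecated and may be listed only for compatibility with older devices, so the schema agrees with the deprecation wording in the SAS section of this same change.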


@ -674,8 +674,27 @@ HKDF calculation
In all of the SAS methods, HKDF is as defined in `RFC 5869 <https://tools.ietf.org/html/rfc5869>`_ In all of the SAS methods, HKDF is as defined in `RFC 5869 <https://tools.ietf.org/html/rfc5869>`_
and uses the previously agreed-upon hash function for the hash function. The shared and uses the previously agreed-upon hash function for the hash function. The shared
secret is supplied as the input keying material. No salt is used, and the info secret is supplied as the input keying material. No salt is used. When the
parameter is the concatenation of: ``key_agreement_protocol`` is ``curve25519-hkdf-sha256``, the info parameter is
the concatenation of:
* The string ``MATRIX_KEY_VERIFICATION_SAS|``.
* The Matrix ID of the user who sent the ``m.key.verification.start`` message,
followed by ``|``.
* The Device ID of the device which sent the ``m.key.verification.start``
message, followed by ``|``.
* The public key from the ``m.key.verification.key`` message sent by the device
which sent the ``m.key.verification.start`` message, followed by ``|``.
* The Matrix ID of the user who sent the ``m.key.verification.accept`` message,
followed by ``|``.
* The Device ID of the device which sent the ``m.key.verification.accept``
message, followed by ``|``.
* The public key from the ``m.key.verification.key`` message sent by the device
which sent the ``m.key.verification.accept`` message, followed by ``|``.
* The ``transaction_id`` being used.
When the ``key_agreement_protocol`` is the deprecated method ``curve25519``,
the info parameter is the concatenation of:
* The string ``MATRIX_KEY_VERIFICATION_SAS``. * The string ``MATRIX_KEY_VERIFICATION_SAS``.
* The Matrix ID of the user who sent the ``m.key.verification.start`` message. * The Matrix ID of the user who sent the ``m.key.verification.start`` message.
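Review bot: the two "public key from the ``m.key.verification.key`` message" items do not say which representation goes into the info string, the key as it appears in the message (its base64 string) or the decoded raw bytes. Both devices must build this byte string identically or the derived SAS will not match, so state it explicitly, e.g. "the public key, exactly as it appears in the ``m.key.verification.key`` message, followed by ``|``". The last item, ``transaction_id``, is the only one without a trailing ``|``; saying outright that no separator follows it avoids an implementer appending one and silently breaking interoperability.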
@ -684,6 +703,8 @@ parameter is the concatenation of:
* The Device ID of the device which sent the ``m.key.verification.accept`` message. * The Device ID of the device which sent the ``m.key.verification.accept`` message.
* The ``transaction_id`` being used. * The ``transaction_id`` being used.
New implementations are discouraged from implementing the ``curve25519`` method.
.. admonition:: Rationale .. admonition:: Rationale
HKDF is used over the plain shared secret as it results in a harder attack HKDF is used over the plain shared secret as it results in a harder attack