From c196cbcf42ccdab92de5f72b641a65ddf4462c8e Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Thu, 14 May 2020 13:01:24 -0400 Subject: [PATCH] add introduction and discourage new implementations from using old method --- proposals/xxxx-sas-v2.md | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/proposals/xxxx-sas-v2.md b/proposals/xxxx-sas-v2.md index 0e689c30..e4e4e320 100644 --- a/proposals/xxxx-sas-v2.md +++ b/proposals/xxxx-sas-v2.md @@ -1,9 +1,21 @@ -# SAS verification, v2 +# checking public keys in SAS verification + +The current SAS protocol does not ensure that the two users correctly received +each other's public keys. An attacker could send Alice and Bob public keys +that he has created and, if the attacker is lucky, could obtain the same shared +secret with both Alice and Bob, so that when they verify the SAS string, will +believe that the exchange was secure. + +To mitigate against this, Alice and Bob can use the two public keys in the +generation of the SAS string by including it in the info parameter of the HKDF. +Thus if an attacker sends them different public keys, the info parameters will +be different, and so the key generated by the HKDF will be different. ## Proposal -A new `key_agreement_protocol`, `curve25519-hkdf-sha256` is introduced. It is -the same as `curve25519` except that the info parameter for the HKDF is the +A new `key_agreement_protocol`, `curve25519-hkdf-sha256` is introduced, and +will be mandatory for clients to support when performing SAS verification. It +is the same as `curve25519` except that the info parameter for the HKDF is the concatenation of: * The string `MATRIX_KEY_VERIFICATION_SAS|`. 
@@ -25,12 +37,5 @@ The differences from `curve25519` are the addition of the public keys, and the addition of `|` as delimiter between the fields. The `key_agreement_protocol` `curve25519` is deprecated and may be removed in -the future. - -## Potential issues - -## Alternatives - -## Security considerations - -## Unstable prefix +the future. It will no longer be mandatory for clients to support, and new +implementations are discouraged from implementing it.
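Review bot: In the first hunk, the new introduction has two wording defects that obscure the threat model: "so that when they verify the SAS string, will believe that the exchange was secure" is missing its subject ("they will believe"), and "by including it in the info parameter of the HKDF" should read "including them", since both public keys are being bound into the info string. More substantively, "if the attacker is lucky" is vague; the paragraph should say what the attacker's chance depends on (an attacker who substitutes both keys must get the two derived SAS strings to match, so the odds scale with how short the SAS is) and should name the attacker explicitly as a man-in-the-middle who replaces the exchanged keys, so that the later sentence "if an attacker sends them different public keys, the info parameters will be different" reads as the direct fix for that attack.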
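Review bot: The second hunk deletes the empty "Potential issues", "Alternatives", "Security considerations" and "Unstable prefix" sections instead of filling them in, which is the wrong direction for a proposal whose whole purpose is a security fix. "Security considerations" should at minimum restate the key-substitution attack from the introduction and note that binding the keys into the HKDF info only helps when both parties actually use `curve25519-hkdf-sha256`. Likewise, now that the text says the old `curve25519` "will no longer be mandatory for clients to support" while the new method becomes mandatory, the proposal needs a transition note (the natural home is the removed "Unstable prefix" section) saying how a client should behave during rollout when its peer only offers the deprecated protocol, otherwise "may be removed in the future" leaves interoperability undefined.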