Rename "recovery key" to "backup decryption key" (#1819)
Also, some other editorial improvements, including factoring out our two definitions of the same key encoding algorithm. Co-authored-by: Travis Ralston <travisr@matrix.org>
This commit is contained in:
Richard van der Hoff
GitHub
parent
b0df8e7fb5
commit
dac867dd6a
5 changed files with 50 additions and 44 deletions
1
changelogs/appendices/newsfragments/1819.clarification
Normal file
1
changelogs/appendices/newsfragments/1819.clarification
Normal file
|
|
@ -0,0 +1 @@
|
|||
Define common cryptographic key representation.
|
||||
|
|
@ -0,0 +1 @@
|
|||
Rename "recovery key" to "backup decryption key".
|
||||
|
|
@ -940,6 +940,31 @@ The acceptable character set matches the unreserved character set in [RFC
|
|||
3986](https://datatracker.ietf.org/doc/html/rfc3986#section-2.3).
|
||||
{{% /boxes/note %}}
|
||||
|
||||
## Cryptographic key representation
|
||||
|
||||
Sometimes it is necessary to present a private cryptographic key in the user
|
||||
interface.
|
||||
|
||||
When this happens, the key SHOULD be presented as a string formatted as
|
||||
follows:
|
||||
|
||||
1. A byte array is created, consisting of two bytes `0x8B` and `0x01`,
|
||||
followed by the raw key.
|
||||
2. All the bytes in the array above, including the two header bytes,
|
||||
are XORed together to form a parity byte. This parity byte is
|
||||
appended to the byte array.
|
||||
3. The byte array is encoded using base58, using the the alphabet
|
||||
`123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz`.
|
||||
4. A space is added after every 4th character.
|
||||
|
||||
When reading in a key, clients should disregard whitespace, and
|
||||
perform the reverse of steps 1 through 4.
|
||||
|
||||
{{% boxes/note %}}
|
||||
The base58 alphabet is the same as that used for [Bitcoin
|
||||
addresses](https://en.bitcoin.it/wiki/Base58Check_encoding#Base58_symbol_chart).
|
||||
{{% /boxes/note %}}
|
||||
|
||||
## 3PID Types
|
||||
|
||||
Third-party Identifiers (3PIDs) represent identifiers on other
|
||||
|
|
|
|||
|
|
@ -1271,10 +1271,10 @@ tries to read a message that it does not have keys for, it may request
|
|||
the key from the server and decrypt it. Backups are per-user, and users
|
||||
may replace backups with new backups.
|
||||
|
||||
In contrast with [Key requests](#key-requests), Server-side key backups
|
||||
do not require another device to be online from which to request keys.
|
||||
However, as the session keys are stored on the server encrypted, it
|
||||
requires users to enter a decryption key to decrypt the session keys.
|
||||
In contrast with [key requests](#key-requests), server-side key backups do not
|
||||
require another device to be online from which to request keys. However, as
|
||||
the session keys are stored on the server encrypted, the client requires a
|
||||
[decryption key](#decryption-key) to decrypt the session keys.
|
||||
|
||||
To create a backup, a client will call [POST
|
||||
/\_matrix/client/v3/room\_keys/version](#post_matrixclientv3room_keysversion) and define how the keys are to
|
||||
|
|
@ -1295,7 +1295,7 @@ Clients must only store keys in backups after they have ensured that the
|
|||
|
||||
- checking that it is signed by the user's [master cross-signing
|
||||
key](#cross-signing) or by a verified device belonging to the same user, or
|
||||
- by deriving the public key from a private key that it obtained from a trusted
|
||||
- deriving the public key from a private key that it obtained from a trusted
|
||||
source. Trusted sources for the private key include the user entering the
|
||||
key, retrieving the key stored in [secret storage](#secret-storage), or
|
||||
obtaining the key via [secret sharing](#sharing) from a verified device
|
||||
|
|
@ -1312,31 +1312,24 @@ replace it with the new key based on the key metadata as follows:
|
|||
- and finally, if `is_verified` and `first_message_index` are equal,
|
||||
then it will keep the key with a lower `forwarded_count`.
|
||||
|
||||
###### Recovery key
|
||||
###### Decryption key
|
||||
|
||||
If the recovery key (the private half of the backup encryption key) is
|
||||
presented to the user to save, it is presented as a string constructed
|
||||
as follows:
|
||||
Normally, the decryption key (i.e. the secret part of the encryption key) is
|
||||
stored on the server or shared with other devices using the [Secrets](#secrets)
|
||||
module. When doing so, it is identified using the name `m.megolm_backup.v1`,
|
||||
and the key is base64-encoded before being encrypted.
|
||||
|
||||
1. The 256-bit curve25519 private key is prepended by the bytes `0x8B`
|
||||
and `0x01`
|
||||
2. All the bytes in the string above, including the two header bytes,
|
||||
are XORed together to form a parity byte. This parity byte is
|
||||
appended to the byte string.
|
||||
3. The byte string is encoded using base58, using the same [mapping as
|
||||
is used for Bitcoin
|
||||
addresses](https://en.bitcoin.it/wiki/Base58Check_encoding#Base58_symbol_chart),
|
||||
that is, using the alphabet
|
||||
`123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz`.
|
||||
4. A space should be added after every 4th character.
|
||||
If the backup decryption key is given directly to the user, the key should be
|
||||
presented as a string using the common [cryptographic key
|
||||
representation](/appendices/#cryptographic-key-representation).
|
||||
|
||||
When reading in a recovery key, clients must disregard whitespace, and
|
||||
perform the reverse of steps 1 through 3.
|
||||
|
||||
The recovery key can also be stored on the server or shared with other devices
|
||||
using the [Secrets](#secrets) module. When doing so, it is identified using the
|
||||
name `m.megolm_backup.v1`, and the key is base64-encoded before being
|
||||
encrypted.
|
||||
{{% boxes/note %}}
|
||||
The backup decryption key was previously referred to as a "recovery
|
||||
key". However, this conflicted with common practice in client user
|
||||
interfaces, which often use the term "recovery key" to refer to the [secret
|
||||
storage](#storage) key. The term "recovery key" is no longer used in this
|
||||
specification.
|
||||
{{% /boxes/note %}}
|
||||
|
||||
###### Backup algorithm: `m.megolm_backup.v1.curve25519-aes-sha2`
|
||||
|
||||
|
|
|
|||
|
|
@ -262,22 +262,8 @@ For example, data encrypted using this algorithm could look like this:
|
|||
##### Key representation
|
||||
|
||||
When a user is given a raw key for `m.secret_storage.v1.aes-hmac-sha2`,
|
||||
it will be presented as a string constructed as follows:
|
||||
|
||||
1. The key is prepended by the two bytes `0x8b` and `0x01`
|
||||
2. All the bytes in the string above, including the two header bytes,
|
||||
are XORed together to form a parity byte. This parity byte is
|
||||
appended to the byte string.
|
||||
3. The byte string is encoded using base58, using the same [mapping as
|
||||
is used for Bitcoin
|
||||
addresses](https://en.bitcoin.it/wiki/Base58Check_encoding#Base58_symbol_chart),
|
||||
that is, using the alphabet
|
||||
`123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz`.
|
||||
4. The string is formatted into groups of four characters separated by
|
||||
spaces.
|
||||
|
||||
When decoding a raw key, the process should be reversed, with the
|
||||
exception that whitespace is insignificant in the user's input.
|
||||
the key should be presented as a string using the common [cryptographic key
|
||||
representation](/appendices/#cryptographic-key-representation).
|
||||
|
||||
##### Deriving keys from passphrases
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue