archive
/
matrix-spec-proposals
mirror of https://github.com/matrix-org/matrix-spec-proposals
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Initial draft of simplified encrypted state events.

Browse Source
kaylendog/msc/simplified-encrypted-state
Skye Elliot 2 months ago
parent 130da801e3
commit 065ee565f2
No known key found for this signature in database
GPG Key ID: 24EE6FEC019F6853
1 changed files with 172 additions and 0 deletions
Show Stats Download Patch File Download Diff File

172
proposals/4362-simplified-encrypted-state.md
Unescape Escape View File

@ -0,0 +1,172 @@
# MSC4362: Simplified Encrypted State Events
<!--_Note: Text written in italics represents notes about the section or proposal process. This document
serves as an example of what a proposal could look like (in this case, a proposal to have a
template) and should be used where possible._
_In this first section, be sure to cover your problem and a broad overview of the solution. Covering
related details, such as the expected impact, can also be a good idea. The example in this document
says that we're missing a template and that things are confusing and goes on to say the solution is
a template. There's no major expected impact in this proposal, so it doesn't list one. If your
proposal was more invasive (such as proposing a change to how servers discover each other) then that
would be a good thing to list here._
_If you're having troubles coming up with a description, a good question to ask is "how does this
proposal improve Matrix?" - the answer could reveal a small impact, and that is okay._-->
This proposal builds upon the earlier MSC3414, aiming to provide a simplified approach to encrypted
state events in Matrix. Currently, all room state is unencrypted and accessible to everyone in the
room, and occasionally people outside the room (such as via the public room directory, invite state,
or peekable rooms). Most events in room state could be encrypted to provide confidentiality, which
is what this MSC seeks to achieve more straightforwardly. Some parts, however, cannot be encrypted
to maintain a functioning protocol.
## Proposal
<!--_Here is where you'll reinforce your position from the introduction in more detail, as well as cover
the technical points of your proposal. Including rationale for your proposed solution and detailing
why parts are important helps reviewers understand the problem at hand. Not including enough detail
can result in people guessing, leading to confusing arguments in the comments section. The example
here covers why templates are important again, giving a stronger argument as to why we should have a
template. Afterwards, it goes on to cover the specifics of what the template could look like._-->
Under this proposal, all room state events can be encrypted, except events critical to maintain the
protocol. Those critical events are:
- `m.room.create`
- `m.room.member`
- `m.room.join_rules`
- `m.room.power_levels`
- `m.room.third_party_invite`
- `m.room.history_visibility`
- `m.room.guest_access`
- `m.room.encryption`
An encrypted state event looks very similar to a regular encrypted room message: the `type` becomes
`m.room.encrypted` and the `content` is the same shape as a regular `m.room.encrypted` event. The
`state_key` for encrypted state events is constructed from the plaintext `type` and `state_key`
fields, formatted as `{type}:{state_key}`, preserving the uniqueness of the `type`-`state_key`
mapping required for the server to perform state resolution.
To track whether a room has state encryption enabled, and to preserve compatibility with older
clients that cannot work with encrypted state events, a new boolean field `encrypt_state_events` is
introduced to the content of `m.room.encryption`, which determines if clients should send state
encrypted events.
Clients are expected to decrypt all room state on reception and validate the packed state key
matches the decrypted type and state key. This ensures malicious clients cannot send state events
that masquerade as message events and vice versa.
This MSC relies on the room key sharing mechanism outlined in
[MSC4268](https://github.com/matrix-org/matrix-spec-proposals/pull/4268), which enables clients to
decrypt historical state events.
## Potential issues
<!--_Not all proposals are perfect. Sometimes there's a known disadvantage to implementing the proposal,
and they should be documented here. There should be some explanation for why the disadvantage is
acceptable, however - just like in this example._-->
At present, MSC4268
[does not require invitees to download the key bundle upon receiving an invite](https://github.com/matrix-org/matrix-spec-proposals/blob/rav/proposal/encrypted_history_sharing/proposals/4268-encrypted-history-sharing.md#actions-as-a-receiving-client);
instead, the key bundle is only fetched when the user joins the room, which could lead to problems
displaying the room name, topic, and avatar to invitees. One way to address this is to always
download the room key bundle on invite, but as MSC4268 notes, this introduces a potential
denial-of-service (DoS) attack vector.
If the client does not receive the keys needed to decrypt state events, the room may become
unusable, as information such as the room's name, topic, avatar, and other metadata will be
inaccessible. Additionally, if there are state events sent both before and after state encryption is
enabled, existing clients might display the unencrypted, outdated state.
Encrypting certain state events would prevent servers from displaying meaningful information about
rooms, as the room directory relies on being able to read these events. Rooms with encrypted
metadata could either appear as blank, generic, or broken entries in the public room list, or could
be omitted entirely, impeding room discovery. A similar issue arises with the space room list: if
room metadata is encrypted, clients and servers will be unable to display meaningful information
about child rooms within a space. It may be necessary to introduce an unencrypted state event,
`m.space.child_info`, that stores plaintext copies of a child room's avatar, name, and topic, which
can then be used over the encrypted metadata.
The `:` delimiter may not be suitable in all cases. Additionally, string packing introduces size
limitations, as the combined length of the packed string cannot exceed the 255-byte maximum for a
state key. This effectively reduces the available space for both event types and state keys.
## Alternatives
<!--
_This is where alternative solutions could be listed. There's almost always another way to do things
and this section gives you the opportunity to highlight why those ways are not as desirable. The
argument made in this example is that all of the text provided by the template could be integrated
into the proposals introduction, although with some risk of losing clarity._-->
A number of alternatives to string-packing the plaintext `type` and `state_key` are possible:
- Preserving the values of `type` and `state_key`;
- Introducing an adjacent `true_type` field;
- Hashing `type` and `state_key` with HMAC.
### Preserved Fields
Rather than string-packing the `type` and `state_key` together, we could preserve these values on
the encrypted event, but still encrypt the event content. This provides the same (lack of)
confidentiality as the approach laid out in this MSC while avoiding string packing. However, this
approach would introduce a difference between the encryption of message events and state events,
which may be undesirable.
### Adjacent Type Field
In a similar manner to preserved fields, we could introduce a new `true_type` field to the events
`content`, which holds the plaintext type of the state event. This would require modifying the
server to utilise this field over the value of the `type` field, which may be undesirable.
### HMAC-hashed `state_key`s
This is the _ideal solution_, as it hides the state key and type from the server entirely; however,
there are some considerable downsides. We have two choices:
- Use a static key generated on room creation to encrypt all state events for the duration of the
room's existence;
- Rotate the key periodically, perhaps deriving it from the current Megolm session key.
The former case lacks post-compromise confidentiality (PCS), which, although quite hard to pull off
as an attacker, makes this approach undesirable. This approach is also vulnerable to frequency
analysis through comparison between the distribution of state key hashes and a known distribution of
public `type`-`state_key` pairs.
The latter option has issues too: rotating the key breaks the server's ability to track room state,
since two events with identical state keys will produce encrypted events with different hashed state
keys when using different (HMAC) keys. The server will treat each as unique and send both to
clients. This would require clients to perform state resolution locally (to decide which of two
clashing events to accept), which in turn would require them to consume and understand the room DAG.
This approach may also be vulnerable to frequency analysis, but, based on some naive calculations,
the probability a malicious server is able to infer the hash to `type`-`state_key` mapping correctly
becomes increasingly unlikely as the number of state events encrypted by any given key decreases.
## Security considerations
This proposal relies on the security of the Olm/Megolm primitives, and an attack against them could
be a viable method to derive partial or complete knowledge of the encrypted content.
Confidential information **should not** be stored in the `type` and `state_key` fields, since both
are present in plaintext.
## Unstable prefix
<!-- _If a proposal is implemented before it is included in the spec, then implementers must ensure that
the implementation is compatible with the final version that lands in the spec. This generally means
that experimental implementations should use `/unstable` endpoints, and use vendor prefixes where
necessary. For more information, see [MSC2324](https://github.com/matrix-org/matrix-doc/pull/2324).
This section should be used to document things such as what endpoints and names are being used while
the feature is in development, the name of the unstable feature flag to use to detect support for
the feature, or what migration steps are needed to switch to newer versions of the proposal._-->
The current implementation uses an `io.element` vendor prefix for the `encrypt_state_events` flag
(i.e. `io.element.msc3414.encrypt_state_events`) for compatibility.
## Dependencies
This MSC builds on
[MSC3414](https://github.com/matrix-org/matrix-spec-propsals/tree/main/proposals/3414-encrypted-state-events.md)
and depends on [MSC4268](https://github.com/matrix-org/matrix-spec-proposals/pull/4268), neither of
which have been accepted into the spec at the time of writing.
Write Preview
Loading…
Cancel
Save