document new key agreement method and deprecate old method

pull/2687/head
Hubert Chathi 4 years ago
parent e207dfc0ea
commit 0f13ebe3ed

@ -27,7 +27,7 @@ properties:
type: array type: array
description: |- description: |-
The key agreement protocols the sending device understands. Must The key agreement protocols the sending device understands. Must
include at least ``curve25519``. include at least ``curve25519-hkdf-sha256``.
items: items:
type: string type: string
hashes: hashes:
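Review bot: the new description line "include at least ``curve25519-hkdf-sha256``" changes the mandatory value but says nothing about the old ``curve25519`` value. A reader of this schema alone cannot tell that ``curve25519`` is now deprecated or whether a device may still list it alongside the new method. Suggest adding a sentence to the description stating that ``curve25519`` is deprecated and referring to the HKDF calculation section for the difference between the two.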

@ -674,8 +674,27 @@ HKDF calculation
In all of the SAS methods, HKDF is as defined in `RFC 5869 <https://tools.ietf.org/html/rfc5869>`_ In all of the SAS methods, HKDF is as defined in `RFC 5869 <https://tools.ietf.org/html/rfc5869>`_
and uses the previously agreed-upon hash function for the hash function. The shared and uses the previously agreed-upon hash function for the hash function. The shared
secret is supplied as the input keying material. No salt is used, and the info secret is supplied as the input keying material. No salt is used. When the
parameter is the concatenation of: ``key_agreement_protocol`` is ``curve25519-hkdf-sha256``, the info parameter is
the concatenation of:
* The string ``MATRIX_KEY_VERIFICATION_SAS|``.
* The Matrix ID of the user who sent the ``m.key.verification.start`` message,
followed by ``|``.
* The Device ID of the device which sent the ``m.key.verification.start``
message, followed by ``|``.
* The public key from the ``m.key.verification.key`` message sent by the device
which sent the ``m.key.verification.start`` message, followed by ``|``.
* The Matrix ID of the user who sent the ``m.key.verification.accept`` message,
followed by ``|``.
* The Device ID of the device which sent the ``m.key.verification.accept``
message, followed by ``|``.
* The public key from the ``m.key.verification.key`` message sent by the device
which sent the ``m.key.verification.accept`` message, followed by ``|``.
* The ``transaction_id`` being used.
When the ``key_agreement_protocol`` is the deprecated method ``curve25519``,
the info parameter is the concatenation of:
* The string ``MATRIX_KEY_VERIFICATION_SAS``. * The string ``MATRIX_KEY_VERIFICATION_SAS``.
* The Matrix ID of the user who sent the ``m.key.verification.start`` message. * The Matrix ID of the user who sent the ``m.key.verification.start`` message.
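Review bot: the two new "public key from the ``m.key.verification.key`` message" items do not say in what encoding the key enters the info string, and two implementations that choose different encodings will derive different SAS values. Suggest stating it explicitly, for example that the key is used exactly as the string appears in the message. It would also help to say that nothing follows the ``transaction_id``, since every other item in the new list is followed by ``|``, and to add a sentence on why the new method includes the public keys and separators where the deprecated list has neither.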
@ -684,6 +703,8 @@ parameter is the concatenation of:
* The Device ID of the device which sent the ``m.key.verification.accept`` message. * The Device ID of the device which sent the ``m.key.verification.accept`` message.
* The ``transaction_id`` being used. * The ``transaction_id`` being used.
New implementations are discouraged from implementing the ``curve25519`` method.
.. admonition:: Rationale .. admonition:: Rationale
HKDF is used over the plain shared secret as it results in a harder attack HKDF is used over the plain shared secret as it results in a harder attack
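Review bot: the added sentence "New implementations are discouraged from implementing the ``curve25519`` method" leaves the negotiation case open. It does not say which method a device should select when the other side offers both ``curve25519`` and ``curve25519-hkdf-sha256``, and "discouraged" gives existing implementations no guidance. Suggest stating that ``curve25519-hkdf-sha256`` is to be chosen whenever both are offered, and extending the Rationale admonition that follows to explain why the old method is deprecated.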
