Merge pull request #2687 from uhoreg/sas2_spec

document new key agreement method for SAS verification and deprecate old method
4 years ago · 53e2b999b9
parent 5a699f2650 33ed9fc2dd
commit 53e2b999b9
3 changed files with 26 additions and 4 deletions
--- a/changelogs/client_server/newsfragments/2687.breaking
+++ b/changelogs/client_server/newsfragments/2687.breaking
@ -0,0 +1 @@
+Document `curve25519-hkdf-sha256` key agreement method for SAS verification, and deprecate old method (MSC2630).
--- a/event-schemas/schema/m.key.verification.start$m.sas.v1
+++ b/event-schemas/schema/m.key.verification.start$m.sas.v1
@ -26,8 +26,8 @@ properties:
      key_agreement_protocols:
        type: array
        description: |-
-          The key agreement protocols the sending device understands. Must
-          include at least ``curve25519``.
+          The key agreement protocols the sending device understands. Should
+          include at least ``curve25519-hkdf-sha256``.
        items:
          type: string
      hashes:
--- a/specification/modules/end_to_end_encryption.rst
+++ b/specification/modules/end_to_end_encryption.rst
@ -674,8 +674,27 @@ HKDF calculation

 In all of the SAS methods, HKDF is as defined in `RFC 5869 <https://tools.ietf.org/html/rfc5869>`_
 and uses the previously agreed-upon hash function for the hash function. The shared
-secret is supplied as the input keying material. No salt is used, and the info
-parameter is the concatenation of:
+secret is supplied as the input keying material. No salt is used. When the
+``key_agreement_protocol`` is ``curve25519-hkdf-sha256``, the info parameter is
+the concatenation of:
+
+  * The string ``MATRIX_KEY_VERIFICATION_SAS|``.
+  * The Matrix ID of the user who sent the ``m.key.verification.start`` message,
+    followed by ``|``.
+  * The Device ID of the device which sent the ``m.key.verification.start``
+    message, followed by ``|``.
+  * The public key from the ``m.key.verification.key`` message sent by the device
+    which sent the ``m.key.verification.start`` message, followed by ``|``.
+  * The Matrix ID of the user who sent the ``m.key.verification.accept`` message,
+    followed by ``|``.
+  * The Device ID of the device which sent the ``m.key.verification.accept``
+    message, followed by ``|``.
+  * The public key from the ``m.key.verification.key`` message sent by the device
+    which sent the ``m.key.verification.accept`` message, followed by ``|``.
+  * The ``transaction_id`` being used.
+
+When the ``key_agreement_protocol`` is the deprecated method ``curve25519``,
+the info parameter is the concatenation of:

  * The string ``MATRIX_KEY_VERIFICATION_SAS``.
  * The Matrix ID of the user who sent the ``m.key.verification.start`` message.
@ -684,6 +703,8 @@ parameter is the concatenation of:
  * The Device ID of the device which sent the ``m.key.verification.accept`` message.
  * The ``transaction_id`` being used.

+New implementations are discouraged from implementing the ``curve25519`` method.
+
 .. admonition:: Rationale

  HKDF is used over the plain shared secret as it results in a harder attack
				`@ -0,0 +1 @@`
				Document `curve25519-hkdf-sha256` key agreement method for SAS verification, and deprecate old method (MSC2630).