MSC3783: Fixed base64 for SAS verification (#3783)
* proposal for using fixed base64 encoding * use MSC number * add missing word * add links to spec and clarificationstravis/msc/extev/emotes
Hubert Chathi
1 year ago
committed by
GitHub
parent
b5bf09ea1c
commit
9b3f01b019
@ -0,0 +1,64 @@
|
||||
# MSC3783: Fixed base64 for SAS verification
|
||||
|
||||
libolm's original implementation for calculating the
|
||||
[MAC](https://spec.matrix.org/v1.5/client-server-api/#mkeyverificationmac) for
|
||||
SAS-based device verification [encoded the base64 output
|
||||
incorrectly](https://gitlab.matrix.org/matrix-org/olm/-/merge_requests/16).
|
||||
Thus other implementations that use a correct base64 encoding are not
|
||||
compatible, and must instead [re-implement libolm's incorrect
|
||||
encoding](https://matrix-org.github.io/vodozemac/vodozemac/sas/struct.EstablishedSas.html#method.calculate_mac_invalid_base64).
|
||||
libolm now has a function that returns the correct base64 encoding, but it is
|
||||
currently not used to ensure compatibility with older clients.
|
||||
|
||||
This proposal introduces a new message authentication code identifier for use
|
||||
with SAS verification that uses the correct base64 encoding. The current
|
||||
method will be deprecated.
|
||||
|
||||
## Proposal
|
||||
|
||||
A new message authentication code identifier `hkdf-hmac-sha256.v2` is
|
||||
introduced. This identifier is used in the `message_authentication_codes`
|
||||
property of the
|
||||
[`m.key.verification.start`](https://spec.matrix.org/v1.5/client-server-api/#mkeyverificationstartmsasv1)
|
||||
event, and the `message_authentication_code` property of the
|
||||
[`m.key.verification.accept`](https://spec.matrix.org/v1.5/client-server-api/#mkeyverificationaccept)
|
||||
event. Clients that implement SAS verification are required to implement this
|
||||
method. The `message_authentication_codes` parameter for the
|
||||
[`m.key.verification.start`](https://spec.matrix.org/v1.5/client-server-api/#mkeyverificationstartmsasv1)
|
||||
event will require clients to include `hkdf-hmac-sha256.v2`. Clients are no
|
||||
longer required to include `hkdf-hmac-sha256`, but should still do so for
|
||||
compatibility with older clients.
|
||||
|
||||
When the two clients that are verifying each other agree to use
|
||||
this method, the MAC is calculated in the same way as `hkdf-hmac-sha256`, but
|
||||
is encoded to base64 correctly.
|
||||
|
||||
The old `hkdf-hmac-sha256` method is redefined to use the base64 encoding
|
||||
implemented in the original libolm implementation, and is deprecated: if both
|
||||
clients involved in the verification support `hkdf-hmac-sha256.v2` as the
|
||||
message authentication code, then `hkdf-hmac-sha256` must not be used, even if
|
||||
both clients support it.
|
||||
|
||||
`hkdf-hmac-sha256` will be removed by a future MSC.
|
||||
|
||||
## Potential issues
|
||||
|
||||
None
|
||||
|
||||
## Alternatives
|
||||
|
||||
None
|
||||
|
||||
## Security considerations
|
||||
|
||||
This change does not introduce any security issues.
|
||||
|
||||
## Unstable prefix
|
||||
|
||||
Until this MSC is accepted, the key agreement protocol identifier
|
||||
`org.matrix.msc3783.hkdf-hmac-sha256` should be used instead of
|
||||
`hkdf-hmac-sha256.v2`.
|
||||
|
||||
## Dependencies
|
||||
|
||||
None
|
||||
Loading…
Reference in New Issue