archive
/
matrix-spec
mirror of https://github.com/matrix-org/matrix-spec
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add example for none algo

Browse Source
pull/977/head
Andrew Morgan 5 years ago
parent 9fd6bd3184
commit 3031df79cc
1 changed files with 110 additions and 53 deletions
Show Stats Download Patch File Download Diff File

163
proposals/2134-identity-hash-lookup.md
Unescape Escape View File

@ -2,45 +2,46 @@
[Issue #2130](https://github.com/matrix-org/matrix-doc/issues/2130) has been [Issue #2130](https://github.com/matrix-org/matrix-doc/issues/2130) has been
created in response to a security issue brought up by an independent party. created in response to a security issue brought up by an independent party.
To summarise the issue, lookups (of Matrix user IDs) are performed using To summarise the issue, when a user wants to ask an identity server which of
plain-text 3PIDs (third-party IDs) which means that the identity server can its contacts have registered a Matrix account, it performs a lookup against
identify and record every 3PID that the user has in their contacts, whether an identity server. The client currently sends all of its contact details in
that email address or phone number is already known by the identity server or the form of plain-text addresses, meaning that the identity server can
not. In the latter case, an identity server is able to collect email identify and record every third-party ID (3PID) of the user's contacts. This
addresses and phone numbers that have a high probability of being connected allows the identity server is able to collect email addresses and phone
to a real person. It could then use this data for marketing or other numbers that have a high probability of being connected to a real person.
purposes. This data could then be used for marketing, political campaigns, etc.
However, if the email addresses and phone numbers are hashed before they are However, if these email addresses and phone numbers are hashed before they are
sent to the identity server, the server would have a more difficult time of sent to the identity server, the server would have a more difficult time of
being able to recover the original addresses. This prevents contact being able to recover the original addresses. This prevents contact
information of non-Matrix users being exposed by the lookup service. information of non-Matrix users being exposed to the lookup service.
However, hashing is not perfect. While reversing a hash is not possible, it Yet, hashing is not perfect. While reversing a hash is not possible, it is
is possible to build a [rainbow possible to build a [rainbow
table](https://en.wikipedia.org/wiki/Rainbow_table), which could map many table](https://en.wikipedia.org/wiki/Rainbow_table), which maps known email
known email addresses and phone numbers to their hash equivalents. When the addresses and phone numbers to their hash equivalents. When the identity
identity server receives a hash, it would then be able to look it up in this server receives a hash, it is then be able to look it up in its rainbow table
table, and find the email address or phone number associated with it. In an and find the corresponding 3PID. To prevent this, one would use a hashing
ideal world, one would use a hashing algorithm such as algorithm such as [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) with many
[bcrypt](https://en.wikipedia.org/wiki/Bcrypt), with many rounds, which would rounds, making the construction of a large rainbow table an infeasibly
make building such a rainbow table an extraordinarily expensive process. expensive process. Unfortunately, this is impractical for our use case, as it
Unfortunately, this is impractical for our use case, as it would require would require clients to also perform many, many rounds of hashing, linearly
clients to perform many, many rounds of hashing, linearly dependent on their dependent on the size of their address book, which would likely result in
address book size, which would likely result in lower-end mobile phones lower-end mobile phones becoming overwhelmed. We are then forced to use a
becoming overwhelmed. Thus, we must use a fast hashing algorithm, at the cost fast hashing algorithm, at the cost of making rainbow tables easy to build.
of making rainbow tables easy to build.
The rainbow table attack is not perfect, because one does need to know email
The rainbow table attack is not perfect. While there are only so many addresses and phone numbers to build it. While there are only so many
possible phone numbers, and thus it is simple to generate the hash value for possible phone numbers, and thus it is relatively inexpensive to generate the
each one, the address space of email addresses is much, much wider. Therefore hash value for each one, the address space of email addresses is much, much
if your email address is decently long and is not publicly known to wider. If your email address is decently long and is not publicly
attackers, it is unlikely that it would be included in a rainbow table. known to attackers, it is unlikely that it would be included in a rainbow
table.
Thus the approach of hashing, while adding complexity to implementation and Thus the approach of hashing, while adding complexity to implementation and
minor resource consumption of the client and identity server, does provide resource consumption of the client and identity server, does provide added
added difficultly for the identity server to carry out contact detail difficulty for the identity server to carry out contact detail harvesting,
harvesting, which should be considered worthwhile. which should be considered worthwhile.
## Proposal ## Proposal
@ -106,8 +107,7 @@ hashing is being performed, as described below). If hashing is being
performed, and `lookup_pepper` is an empty string, clients MUST cease the performed, and `lookup_pepper` is an empty string, clients MUST cease the
lookup operation. lookup operation.
The client should append the pepper to the end of the 3PID string before If hashing, the client should append the pepper to the end of the 3PID string.
hashing.
``` ```
"alice@example.com email" -> "alice@example.com emailmatrixrocks" "alice@example.com email" -> "alice@example.com emailmatrixrocks"
@ -119,8 +119,8 @@ hashing.
Clients SHOULD request this endpoint each time before performing a lookup, to Clients SHOULD request this endpoint each time before performing a lookup, to
handle identity servers which may rotate their pepper values frequently. handle identity servers which may rotate their pepper values frequently.
Clients MUST choose one of the given hash algorithms to encrypt the 3PID Clients MUST choose one of the given `algorithms` values to encrypt the
during lookup. 3PID during lookup.
Clients and identity servers MUST support SHA-256 as defined by [RFC Clients and identity servers MUST support SHA-256 as defined by [RFC
4634](https://tools.ietf.org/html/rfc4634), identified by the value 4634](https://tools.ietf.org/html/rfc4634), identified by the value
@ -133,15 +133,11 @@ negotiated by the client and server at their discretion.
There are certain situations when an identity server cannot be expected to There are certain situations when an identity server cannot be expected to
compare hashed 3PID values; for example, when a server is connected to a compare hashed 3PID values; for example, when a server is connected to a
backend provider such as LDAP, there is no way for the identity server to backend provider such as LDAP, it is not efficient for the identity server to
efficiently pull all of the addresses and hash them. For this case, clients pull all of the addresses and hash them on lookup. For this case, clients
and server MUST also support sending plain-text 3PID values. To agree upon and server MUST also support sending plain-text 3PID values. To agree upon
this, the `"algorithms"` field of `GET /hash_details` MUST contain the value this, the `"algorithms"` field of `GET /hash_details` MUST contain the value
`"none"`, and `lookup_pepper` will be an empty string. For this case, the `"none"`.
identity server could only send `"none"` as part of the `"algorithms"` array.
The client can then decide whether it wants to accept this. The identity
server could also send `["none", "sha256"]` and cease from looking up
contacts in LDAP unless `"none"` is decided upon.
No hashing will be performed if the client and server decide on `"none"`, and No hashing will be performed if the client and server decide on `"none"`, and
3PIDs will be sent in plain-text, similar to the v1 `/lookup` API. When this 3PIDs will be sent in plain-text, similar to the v1 `/lookup` API. When this
@ -153,7 +149,7 @@ must be part of the request body (even when using the `"none"` algorithm
value). If they do not match what the server has on file (which may be the value). If they do not match what the server has on file (which may be the
case if the pepper was changed right after the client's request for it), then case if the pepper was changed right after the client's request for it), then
the server must inform the client that they need to query the hash details the server must inform the client that they need to query the hash details
again, instead of just returning an empty response, which clients would again, as opposed to just returning an empty response, which clients would
assume to mean that no contacts are registered on that identity server. assume to mean that no contacts are registered on that identity server.
If the algorithm is not supported by the server, the server should return a `400 If the algorithm is not supported by the server, the server should return a `400
@ -175,11 +171,11 @@ include these fields. An example response to an incorrect pepper would be:
} }
``` ```
Now comes time for the lookup. Note that the resulting hash digest MUST be Now comes time for the lookup. We'll first cover an example of the client
encoded in URL-safe unpadded base64 (similar to [room version 4's event choosing the `"sha256"` algorithm. Note that the resulting hash digest MUST
be encoded in URL-safe unpadded base64 (similar to [room version 4's event
IDs](https://matrix.org/docs/spec/rooms/v4#event-ids)). Once hashing has been IDs](https://matrix.org/docs/spec/rooms/v4#event-ids)). Once hashing has been
performed using the defined hashing algorithm, the client sends each hash in an performed, the client sends each hash in an array.
array.
``` ```
NOTE: Hashes are not real values NOTE: Hashes are not real values
@ -193,7 +189,7 @@ NOTE: Hashes are not real values
POST /_matrix/identity/v2/lookup POST /_matrix/identity/v2/lookup
{ {
"hashes": [ "addresses": [
"y_TvXLKxFT9CURPXI1wvfjvfvsXe8FPgYj-mkQrnszs", "y_TvXLKxFT9CURPXI1wvfjvfvsXe8FPgYj-mkQrnszs",
"r0-6x3rp9zIWS2suIque-wXTnlv9sc41fatbRMEOwQE", "r0-6x3rp9zIWS2suIque-wXTnlv9sc41fatbRMEOwQE",
"ryr10d1K8fcFVxALb3egiSquqvFAxQEwegXtlHoQFBw", "ryr10d1K8fcFVxALb3egiSquqvFAxQEwegXtlHoQFBw",
@ -206,7 +202,7 @@ POST /_matrix/identity/v2/lookup
``` ```
The identity server, upon receiving these hashes, can simply compare against The identity server, upon receiving these hashes, can simply compare against
the hashes of the 3PIDs it stores. The server then responds with the Matrix the hashes of the 3PIDs it stores. The server then responds with the Matrix
IDs of those that match: IDs of those that match:
``` ```
@ -220,6 +216,67 @@ IDs of those that match:
The client can now display which 3PIDs link to which Matrix IDs. The client can now display which 3PIDs link to which Matrix IDs.
For the case of the identity server sending, and the client choosing,
`"none"` as the algorithm, we would do the following.
The client would first make `GET` a request to `/hash_details`, perhaps
receiving the response:
```
{
"lookup_pepper": "matrixrocks",
"algorithms": ["none", "sha256"]
}
```
The client decides that it would like to use `"none"`, and thus ignores the
lookup pepper, as no hashing will occur. Appending a space and the 3PID
medium to each address is still necessary:
```
"alice@example.com" -> "alice@example.com email"
"bob@example.com" -> "bob@example.com email"
"carl@example.com" -> "carl@example.com email"
"12345678910" -> "12345678910 msisdn"
"denny@example.com" -> "denny@example.com email"
```
The client then sends these off to the identity server in a `POST` request to
`/lookup`:
```
POST /_matrix/identity/v2/lookup
{
"addresses": [
"alice@example.com email",
"bob@example.com email",
"carl@example.com email",
"12345678910 msisdn",
"denny@example.com email"
],
"algorithm": "none",
"pepper": "matrixrocks"
}
```
Note that even though we haven't used the `lookup_pepper` value, we still
include the same one sent to us by the identity server in `/hash_details`.
The identity server should still return `400 M_INVALID_PEPPER` if the pepper
is incorrect. This is intended to make implementation simpler.
Finally, the identity server will check its database for the Matrix user IDs
it has that correspond to these 3PID addresses, and returns them:
```
{
"mappings": {
"alice@example.com email": "@alice:example.com",
"12345678910 msisdn": "@fred:example.com"
}
}
```
No parameter changes will be made to No parameter changes will be made to
[/bind](https://matrix.org/docs/spec/identity_service/r0.2.1#post-matrix-identity-api-v1-3pid-bind) [/bind](https://matrix.org/docs/spec/identity_service/r0.2.1#post-matrix-identity-api-v1-3pid-bind)
as part of this proposal. as part of this proposal.

Write Preview
Loading…
Cancel
Save