@ -93,7 +93,7 @@ Example:
```
```
`ed25519` and `curve25519` keys are used for [device keys ](#device-keys ).`ed25519` and `curve25519` keys are used for [device keys ](#device-keys ).
Additionally, `ed25519` keys are used for [cross-signing keys ](#cross-signing ).
Additionally, `ed25519` keys are used for [cross-signing ](#cross-signing ).
`signed_curve25519` keys are used for [one-time and fallback keys ](#one-time-and-fallback-keys ).`signed_curve25519` keys are used for [one-time and fallback keys ](#one-time-and-fallback-keys ).
@ -675,7 +675,7 @@ The process between Alice and Bob verifying each other would be:
15. Assuming they match, Alice and Bob's devices each calculate Message
15. Assuming they match, Alice and Bob's devices each calculate Message
Authentication Codes (MACs) for:
Authentication Codes (MACs) for:
* Each of the keys that they wish the other user to verify (usually their
* Each of the keys that they wish the other user to verify (usually their
device ed25519 key and their master cross- signing key).
device ed25519 key and their master signing key, see below ).
* The complete list of key IDs that they wish the other user to verify.
* The complete list of key IDs that they wish the other user to verify.
The MAC calculation is defined [below ](#mac-calculation ).
The MAC calculation is defined [below ](#mac-calculation ).
@ -931,40 +931,43 @@ and can be translated online:
Rather than requiring Alice to verify each of Bob's devices with each of
Rather than requiring Alice to verify each of Bob's devices with each of
her own devices and vice versa, the cross-signing feature allows users
her own devices and vice versa, the cross-signing feature allows users
to sign their device keys such that Alice and Bob only need to verify
to sign their device keys such that Alice and Bob only need to verify
once. With cross-signing, each user has a set of cross-signing key s that
once. With cross-signing, each user has a set of ed25519 key pair s that
are used to sign their own device keys and other users' keys, and can be
are used to sign their own device keys and other users' keys, and can be
used to trust device keys that were not verified directly.
used to trust device keys that were not verified directly.
Each user has three ed25519 key pairs for cross-signing:
Each user has three ed25519 key pairs used for cross-signing:
- a master key (MSK) that serves as the user's identity in
- a master signing key (MSK, for historical reasons sometimes known as
cross-signing and signs their other cross-signing keys;
`master_key` ) that serves as the user's identity in cross-signing and signs
their user-signing and self-signing keys;
- a user-signing key (USK) -- only visible to the user that it belongs
- a user-signing key (USK) -- only visible to the user that it belongs
to --that signs other users' master keys; and
to -- that signs other users' master signing keys; and
- a self-signing key (SSK) that signs the user's own device keys.
- a self-signing key (SSK) that signs the user's own device keys.
The master key may also be used to sign other items such as the backup
The master signing key may also be used to sign other items such as the backup
key. The master key may also be signed by the user's own device keys to
key. The master signing key may also be signed by the user's own device keys to
aid in migrating from device verifications: if Alice's device had
aid in migrating from device verifications: if Alice's device had
previously verified Bob's device and Bob's device has signed his master
previously verified Bob's device and Bob's device has signed his master
key, then Alice's device can trust Bob's master key, and she can sign it
key, then Alice's device can trust Bob's master signing key, and she can sign it
with her user-signing key.
with her user-signing key.
Users upload their cross-signing keys to the server using [POST
Users upload the public part of their master signing, user-signing and
self-signing key to the server using [POST
/\_matrix/client/v3/keys/device\_signing/upload](/client-server-api/#post_matrixclientv3keysdevice_signingupload). When Alice uploads
/\_matrix/client/v3/keys/device\_signing/upload](/client-server-api/#post_matrixclientv3keysdevice_signingupload). When Alice uploads
new cross-signing keys, her user ID will appear in the `changed`
new keys, her user ID will appear in the `changed`
property of the `device_lists` field of the `/sync` of response of all
property of the `device_lists` field of the `/sync` of response of all
users who share an encrypted room with her. When Bob sees Alice's user
users who share an encrypted room with her. When Bob sees Alice's user
ID in his `/sync` , he will call [POST /\_matrix/client/v3/keys/query ](/client-server-api/#post_matrixclientv3keysquery )
ID in his `/sync` , he will call [POST /\_matrix/client/v3/keys/query ](/client-server-api/#post_matrixclientv3keysquery )
to retrieve Alice's device and cross-signing keys.
to retrieve Alice's device keys, as well as their master signing, user-signing
and self-signing key.
If Alice has a device and wishes to send an encrypted message to Bob,
If Alice has a device and wishes to send an encrypted message to Bob,
she can trust Bob's device if:
she can trust Bob's device if:
- Alice's device is using a master key that has signed her
- Alice's device is using a master signing key that has signed her
user-signing key,
user-signing key,
- Alice's user-signing key has signed Bob's master key,
- Alice's user-signing key has signed Bob's master signing key,
- Bob's master key has signed Bob's self-signing key, and
- Bob's master signing key has signed Bob's self-signing key, and
- Bob's self-signing key has signed Bob's device key.
- Bob's self-signing key has signed Bob's device key.
The following diagram illustrates how keys are signed:
The following diagram illustrates how keys are signed:
@ -1024,27 +1027,28 @@ signatures that she cannot see:
```
```
[Verification methods ](#device-verification ) can be used to verify a
[Verification methods ](#device-verification ) can be used to verify a
user's master key by using the master public key, encoded using unpadded
user's master signing key by treating its public key (master signing public
base64, as the device ID, and treating it as a normal device. For
key), encoded using unpadded base64, as the device ID, and treating it as a
example, if Alice and Bob verify each other using SAS, Alice's
normal device. For example, if Alice and Bob verify each other using SAS,
Alice's
`m.key.verification.mac` message to Bob may include`m.key.verification.mac` message to Bob may include
`"ed25519:alices+master+public+key": "alices+master+public+key"` in the`"ed25519:alices+master+public+key": "alices+master+public+key"` in the
`mac` property. Servers therefore must ensure that device IDs will not`mac` property. Servers therefore must ensure that device IDs will not
collide with cross-signing public keys .
collide with public keys used for cross-signing.
The cross-signing private keys can be stored on the server or shared with other Using the [Secrets ](#secrets ) module the private keys used for cross-signing can
devices using the [Secrets ](#secrets ) module. When doing so, the master, be stored on the server or shared with other devices. When doing so, the
user-signing, and self-signing keys are identified using the names
master signing, user-signing, and self-signing keys are identified using the
`m.cross_signing.master` , `m.cross_signing.user_signing` , andnames `m.cross_signing.master` , `m.cross_signing.user_signing` , and
`m.cross_signing.self_signing` , respectively, and the keys are base64-encoded`m.cross_signing.self_signing` , respectively, and the keys are base64-encoded
before being encrypted.
before being encrypted.
###### Key and signature security
###### Key and signature security
A user's master key could allow an attacker to impersonate that user to
A user's master signing key could allow an attacker to impersonate that user to
other users, or other users to that user. Thus clients must ensure that
other users, or other users to that user. Thus clients must ensure that
the private part of the master key is treated securely. If clients do
the private part of the master signing key is treated securely. If clients do
not have a secure means of storing the master key (such as a secret
not have a secure means of storing the master signing key (such as a secret
storage system provided by the operating system), then clients must not
storage system provided by the operating system), then clients must not
store the private part.
store the private part.
@ -1052,14 +1056,14 @@ If a user's client sees that any other user has changed their master
key, that client must notify the user about the change before allowing
key, that client must notify the user about the change before allowing
communication between the users to continue.
communication between the users to continue.
Since device key IDs (`ed25519:DEVICE_ID`) and cross-signing key IDs
Since device key IDs (`ed25519:DEVICE_ID`) as well as master signing,
(`ed25519:PUBLIC_KEY`) occupy the same namespace, clients must ensure that they
user-signing and self-signing key IDs (`ed25519:PUBLIC_KEY`) occupy the same
use the correct keys when verifying.
namespace, clients must ensure that they use the correct keys when verifying.
While servers MUST not allow devices to have the same IDs as cross-signing
While servers MUST not allow devices to have the same IDs as keys used for
keys , a malicious server could construct such a situation, so clients must not cross-signing , a malicious server could construct such a situation, so clients
rely on the server being well-behaved and should take the following precautions
must not rely on the server being well-behaved and should take the following
against this. precautions against this:
1. Clients MUST refer to keys by their public keys during the verification
1. Clients MUST refer to keys by their public keys during the verification
process, rather than only by the key ID.
process, rather than only by the key ID.
@ -1067,31 +1071,32 @@ against this.
verification process, and ensure that they do not change in the course of
verification process, and ensure that they do not change in the course of
verification.
verification.
3. Clients SHOULD also display a warning and MUST refuse to verify a user when
3. Clients SHOULD also display a warning and MUST refuse to verify a user when
they detect that the user has a device with the same ID as a cross-signing key.
they detect that the user has a device with the same ID as a key used for
cross-signing.
A user's user-signing and self-signing keys are intended to be easily
A user's user-signing and self-signing keys are intended to be easily
replaceable if they are compromised by re-issuing a new key signed by
replaceable if they are compromised by re-issuing a new key signed by
the user's master key and possibly by re-verifying devices or users.
the user's master signing key and possibly by re-verifying devices or users.
However, doing so relies on the user being able to notice when their
However, doing so relies on the user being able to notice when their
keys have been compromised, and it involves extra work for the user, and
keys have been compromised, and it involves extra work for the user, and
so although clients do not have to treat the private parts as
so although clients do not have to treat the private parts as
sensitively as the master key, clients should still make efforts to
sensitively as the master signing key, clients should still make efforts to
store the private part securely, or not store it at all. Clients will
store the private part securely, or not store it at all. Clients will
need to balance the security of the keys with the usability of signing
need to balance the security of the keys with the usability of signing
users and devices when performing key verification.
users and devices when performing key verification.
To avoid leaking of social graphs, servers will only allow users to see:
To avoid leaking of social graphs, servers will only allow users to see:
- signatures made by the user's own master, self-signing or
- signatures made by the user's own master signing , self-signing or
user-signing keys,
user-signing keys,
- signatures made by the user's own devices about their own master
- signatures made by the user's own devices about their own master
key,
key,
- signatures made by other users' self-signing keys about their
- signatures made by other users' self-signing keys about their
respective devices,
respective devices,
- signatures made by other users' master keys about their respective
- signatures made by other users' master signing keys about their respective
self-signing key, or
self-signing key, or
- signatures made by other users' devices about their respective
- signatures made by other users' devices about their respective
master keys.
master signing keys.
Users will not be able to see signatures made by other users'
Users will not be able to see signatures made by other users'
user-signing keys.
user-signing keys.
@ -1193,24 +1198,24 @@ The binary segment MUST be of the following form:
- one byte indicating the QR code verification mode. Should be one of the
- one byte indicating the QR code verification mode. Should be one of the
following values:
following values:
- `0x00` verifying another user with cross-signing
- `0x00` verifying another user with cross-signing
- `0x01` self-verifying in which the current device does trust the master key
- `0x01` self-verifying in which the current device does trust the master signing key
- `0x02` self-verifying in which the current device does not yet trust the
- `0x02` self-verifying in which the current device does not yet trust the
master key
master signing key
- the event ID or `transaction_id` of the associated verification
- the event ID or `transaction_id` of the associated verification
request event, encoded as:
request event, encoded as:
- two bytes in network byte order (big-endian) indicating the length in
- two bytes in network byte order (big-endian) indicating the length in
bytes of the ID as a UTF-8 string
bytes of the ID as a UTF-8 string
- the ID encoded as a UTF-8 string
- the ID encoded as a UTF-8 string
- the first key, as 32 bytes. The key to use depends on the mode field:
- the first key, as 32 bytes. The key to use depends on the mode field:
- if `0x00` or `0x01` , then the current user's own master cross- signing public key
- if `0x00` or `0x01` , then the current user's own master signing public key
- if `0x02` , then the current device's Ed25519 signing key
- if `0x02` , then the current device's Ed25519 signing key
- the second key, as 32 bytes. The key to use depends on the mode field:
- the second key, as 32 bytes. The key to use depends on the mode field:
- if `0x00` , then what the device thinks the other user's master
- if `0x00` , then what the device thinks the other user's master
cross-signing public key is
public key is
- if `0x01` , then what the device thinks the other device's Ed25519 signing
- if `0x01` , then what the device thinks the other device's Ed25519 signing
public key is
public key is
- if `0x02` , then what the device thinks the user's master cross- signing public
- if `0x02` , then what the device thinks the user's master signing public key
key is
is
- a random shared secret, as a sequence of bytes. It is suggested to use a secret
- a random shared secret, as a sequence of bytes. It is suggested to use a secret
that is about 8 bytes long. Note: as we do not share the length of the
that is about 8 bytes long. Note: as we do not share the length of the
secret, and it is not a fixed size, clients will just use the remainder of
secret, and it is not a fixed size, clients will just use the remainder of
@ -1221,14 +1226,14 @@ For example, if Alice displays a QR code encoding the following binary data:
```nohighlight
```nohighlight
"MATRIX" |ver|mode| len | event ID
"MATRIX" |ver|mode| len | event ID
4D 41 54 52 49 58 02 00 00 2D 21 41 42 43 44 ...
4D 41 54 52 49 58 02 00 00 2D 21 41 42 43 44 ...
| user's cross-signing key | other user's cross-signing key | shared secret
| the first key | the second key | shared secret
00 01 02 03 04 05 06 07 ... 10 11 12 13 14 15 16 17 ... 20 21 22 23 24 25 26 27
00 01 02 03 04 05 06 07 ... 10 11 12 13 14 15 16 17 ... 20 21 22 23 24 25 26 27
```
```
this indicates that Alice is verifying another user (say Bob), in response to Mode `0x00` indicates that Alice is verifying another user (say Bob), in
the request from event "$ABCD...", her cross- signing key isresponse to the request from event "$ABCD...", her master signing key is
`0001020304050607...` (which is "AAECAwQFBg..." in base64), she thinks that`0001020304050607...` (which is "AAECAwQFBg..." in base64), she thinks that
Bob's cross- signing key is `1011121314151617...` (which is "EBESExQVFh..." in
Bob's master signing key is `1011121314151617...` (which is "EBESExQVFh..." in
base64), and the shared secret is `2021222324252627` (which is "ICEiIyQlJic" in
base64), and the shared secret is `2021222324252627` (which is "ICEiIyQlJic" in
base64).
base64).
@ -1300,8 +1305,8 @@ one of its variants.
Clients must only store keys in backups after they have ensured that the
Clients must only store keys in backups after they have ensured that the
`auth_data` is trusted. This can be done either by:`auth_data` is trusted. This can be done either by:
- checking that it is signed by the user's [master cross-signing
- checking that it is signed by the user's [signing key](# cross-signing)
key](#cross-signing) or by a verified device belonging to the same user, or
or by a verified device belonging to the same user, or
- deriving the public key from a private key that it obtained from a trusted
- deriving the public key from a private key that it obtained from a trusted
source. Trusted sources for the private key include the user entering the
source. Trusted sources for the private key include the user entering the
key, retrieving the key stored in [secret storage ](#secret-storage ), or
key, retrieving the key stored in [secret storage ](#secret-storage ), or
@ -1786,13 +1791,14 @@ a way to identify the server's support for fallback keys.
| Parameter | Type | Description |
| Parameter | Type | Description |
|------------|-----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|------------|-----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| changed | [string] | List of users who have updated their device identity or cross -signing keys, or who now share an encrypted room with the client since the previous sync response. |
| changed | [string] | List of users who have updated their device identity or their master signing, self-signing or user -signing keys, or who now share an encrypted room with the client since the previous sync response. |
| left | [string] | List of users with whom we do not share any encrypted rooms anymore since the previous sync response. |
| left | [string] | List of users with whom we do not share any encrypted rooms anymore since the previous sync response. |
{{% boxes/note %}}
{{% boxes/note %}}
For optimal performance, Alice should be added to `changed` in Bob's
For optimal performance, Alice should be added to `changed` in Bob's
sync only when she updates her devices or cross-signing keys, or when
sync only when she updates her devices or master signing, self-signing or
Alice and Bob now share a room but didn't share any room previously.
user-signing keys, or when Alice and Bob now share a room but didn't
share any room previously.
However, for the sake of simpler logic, a server may add Alice to
However, for the sake of simpler logic, a server may add Alice to
`changed` when Alice and Bob share a new room, even if they previously`changed` when Alice and Bob share a new room, even if they previously
already shared a room.
already shared a room.
codedust
3 weeks ago
committed by