sas: clarify ECDH process in step 12

As written, the spec is not clear what Bob's device is supposed to do as that device does not have Alice's device's private key. Signed-off-by: Sumner Evans <sumner@beeper.com>
4 months ago · a6b643bbc5
parent 9a5cacda90
commit a6b643bbc5
2 changed files with 7 additions and 4 deletions
--- a/changelogs/client_server/newsfragments/1720.clarification
+++ b/changelogs/client_server/newsfragments/1720.clarification
@ -0,0 +1 @@
+Clarify how to perform the ECDH exchange in step 12 of the SAS process.
--- a/content/client-server-api/modules/end_to_end_encryption.md
+++ b/content/client-server-api/modules/end_to_end_encryption.md
@ -660,10 +660,12 @@ The process between Alice and Bob verifying each other would be:
 11. Alice's device receives Bob's message and verifies the commitment
    hash from earlier matches the hash of the key Bob's device just sent
    and the content of Alice's `m.key.verification.start` message.
-12. Both Alice and Bob's devices perform an Elliptic-curve
-    Diffie-Hellman
-    (*ECDH(K<sub>A</sub><sup>private</sup>*, *K<sub>B</sub><sup>public</sup>*)),
-    using the result as the shared secret.
+12. Both Alice and Bob's devices perform an Elliptic-curve Diffie-Hellman using
+    their private ephemeral key, and the other device's ephemeral public key
+    (*ECDH(K<sub>A</sub><sup>private</sup>*, *K<sub>B</sub><sup>public</sup>*)
+    for Alice's device and
+    *ECDH(K<sub>B</sub><sup>private</sup>*, *K<sub>A</sub><sup>public</sup>*)
+    for Bob's device), using the result as the shared secret.
 13. Both Alice and Bob's devices display a SAS to their users, which is
    derived from the shared key using one of the methods in this
    section. If multiple SAS methods are available, clients should allow
				`@ -0,0 +1 @@`
				`Clarify how to perform the ECDH exchange in step 12 of the SAS process.`