Rename "recovery key" to "backup decryption key" (#1819)

Also, some other editorial improvements, including factoring out our two definitions of the same key encoding algorithm.

Co-authored-by: Travis Ralston <travisr@matrix.org>
pull/1827/head
Richard van der Hoff 7 months ago committed by GitHub
parent b0df8e7fb5
commit dac867dd6a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -0,0 +1 @@
Define common cryptographic key representation.

@ -0,0 +1 @@
Rename "recovery key" to "backup decryption key".

@ -940,6 +940,31 @@ The acceptable character set matches the unreserved character set in [RFC
3986](https://datatracker.ietf.org/doc/html/rfc3986#section-2.3). 3986](https://datatracker.ietf.org/doc/html/rfc3986#section-2.3).
{{% /boxes/note %}} {{% /boxes/note %}}
## Cryptographic key representation
Sometimes it is necessary to present a private cryptographic key in the user
interface.
When this happens, the key SHOULD be presented as a string formatted as
follows:
1. A byte array is created, consisting of two bytes `0x8B` and `0x01`,
followed by the raw key.
2. All the bytes in the array above, including the two header bytes,
are XORed together to form a parity byte. This parity byte is
appended to the byte array.
3. The byte array is encoded using base58, using the the alphabet
`123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz`.
4. A space is added after every 4th character.
When reading in a key, clients should disregard whitespace, and
perform the reverse of steps 1 through 4.
{{% boxes/note %}}
The base58 alphabet is the same as that used for [Bitcoin
addresses](https://en.bitcoin.it/wiki/Base58Check_encoding#Base58_symbol_chart).
{{% /boxes/note %}}
## 3PID Types ## 3PID Types
Third-party Identifiers (3PIDs) represent identifiers on other Third-party Identifiers (3PIDs) represent identifiers on other

@ -1271,10 +1271,10 @@ tries to read a message that it does not have keys for, it may request
the key from the server and decrypt it. Backups are per-user, and users the key from the server and decrypt it. Backups are per-user, and users
may replace backups with new backups. may replace backups with new backups.
In contrast with [Key requests](#key-requests), Server-side key backups In contrast with [key requests](#key-requests), server-side key backups do not
do not require another device to be online from which to request keys. require another device to be online from which to request keys. However, as
However, as the session keys are stored on the server encrypted, it the session keys are stored on the server encrypted, the client requires a
requires users to enter a decryption key to decrypt the session keys. [decryption key](#decryption-key) to decrypt the session keys.
To create a backup, a client will call [POST To create a backup, a client will call [POST
/\_matrix/client/v3/room\_keys/version](#post_matrixclientv3room_keysversion) and define how the keys are to /\_matrix/client/v3/room\_keys/version](#post_matrixclientv3room_keysversion) and define how the keys are to
@ -1295,7 +1295,7 @@ Clients must only store keys in backups after they have ensured that the
- checking that it is signed by the user's [master cross-signing - checking that it is signed by the user's [master cross-signing
key](#cross-signing) or by a verified device belonging to the same user, or key](#cross-signing) or by a verified device belonging to the same user, or
- by deriving the public key from a private key that it obtained from a trusted - deriving the public key from a private key that it obtained from a trusted
source. Trusted sources for the private key include the user entering the source. Trusted sources for the private key include the user entering the
key, retrieving the key stored in [secret storage](#secret-storage), or key, retrieving the key stored in [secret storage](#secret-storage), or
obtaining the key via [secret sharing](#sharing) from a verified device obtaining the key via [secret sharing](#sharing) from a verified device
@ -1312,31 +1312,24 @@ replace it with the new key based on the key metadata as follows:
- and finally, if `is_verified` and `first_message_index` are equal, - and finally, if `is_verified` and `first_message_index` are equal,
then it will keep the key with a lower `forwarded_count`. then it will keep the key with a lower `forwarded_count`.
###### Recovery key ###### Decryption key
If the recovery key (the private half of the backup encryption key) is Normally, the decryption key (i.e. the secret part of the encryption key) is
presented to the user to save, it is presented as a string constructed stored on the server or shared with other devices using the [Secrets](#secrets)
as follows: module. When doing so, it is identified using the name `m.megolm_backup.v1`,
and the key is base64-encoded before being encrypted.
1. The 256-bit curve25519 private key is prepended by the bytes `0x8B`
and `0x01` If the backup decryption key is given directly to the user, the key should be
2. All the bytes in the string above, including the two header bytes, presented as a string using the common [cryptographic key
are XORed together to form a parity byte. This parity byte is representation](/appendices/#cryptographic-key-representation).
appended to the byte string.
3. The byte string is encoded using base58, using the same [mapping as {{% boxes/note %}}
is used for Bitcoin The backup decryption key was previously referred to as a "recovery
addresses](https://en.bitcoin.it/wiki/Base58Check_encoding#Base58_symbol_chart), key". However, this conflicted with common practice in client user
that is, using the alphabet interfaces, which often use the term "recovery key" to refer to the [secret
`123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz`. storage](#storage) key. The term "recovery key" is no longer used in this
4. A space should be added after every 4th character. specification.
{{% /boxes/note %}}
When reading in a recovery key, clients must disregard whitespace, and
perform the reverse of steps 1 through 3.
The recovery key can also be stored on the server or shared with other devices
using the [Secrets](#secrets) module. When doing so, it is identified using the
name `m.megolm_backup.v1`, and the key is base64-encoded before being
encrypted.
###### Backup algorithm: `m.megolm_backup.v1.curve25519-aes-sha2` ###### Backup algorithm: `m.megolm_backup.v1.curve25519-aes-sha2`

@ -262,22 +262,8 @@ For example, data encrypted using this algorithm could look like this:
##### Key representation ##### Key representation
When a user is given a raw key for `m.secret_storage.v1.aes-hmac-sha2`, When a user is given a raw key for `m.secret_storage.v1.aes-hmac-sha2`,
it will be presented as a string constructed as follows: the key should be presented as a string using the common [cryptographic key
representation](/appendices/#cryptographic-key-representation).
1. The key is prepended by the two bytes `0x8b` and `0x01`
2. All the bytes in the string above, including the two header bytes,
are XORed together to form a parity byte. This parity byte is
appended to the byte string.
3. The byte string is encoded using base58, using the same [mapping as
is used for Bitcoin
addresses](https://en.bitcoin.it/wiki/Base58Check_encoding#Base58_symbol_chart),
that is, using the alphabet
`123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz`.
4. The string is formatted into groups of four characters separated by
spaces.
When decoding a raw key, the process should be reversed, with the
exception that whitespace is insignificant in the user's input.
##### Deriving keys from passphrases ##### Deriving keys from passphrases

Loading…
Cancel
Save