archive
/
matrix-spec
mirror of https://github.com/matrix-org/matrix-spec
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
release/v1.12
dbkr/msc4178
release/v1.11
tulir/msc4142
release/v1.10
travis/msc2702-msc2701
rav/ref_objects_in_params
dkasak/foldable-sidebar
travis/knock-join
release/v1.9
release/v1.8
anoa/update_docsy
anoa/nix_flake
dbkr/3077-multi-stream-voip
release/v1.7
dbkr/2746-reliable-voip
rav/links_for_object_defs
release/v1.6
release/v1.5
release/v1.4
anoa/invite_knock_room_state
release/v1.3
push_gateway/r0.1.0
r0.0.0
0.2.0
application_service/r0.1.0
application_service/r0.1.1
application_service/r0.1.2
client-server/0.3.0
client-server/r0.1.0
client-server/r0.2.0
client-server/r0.3.0
client_server/r0.4.0
client_server/r0.5.0
client_server/r0.6.0
client_server/r0.6.1
identity_service/r0.1.0
identity_service/r0.2.0
identity_service/r0.2.1
identity_service/r0.3.0
push_gateway/r0.1.1
r0.0.1
server_server/r0.1.0
server_server/r0.1.1
server_server/r0.1.2
server_server/r0.1.3
server_server/r0.1.4
v1.1
v1.10
v1.11
v1.12
v1.2
v1.3
v1.4
v1.5
v1.6
v1.7
v1.8
v1.9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e32d9a9af3'
${ noResults }
matrix-spec/proposals/2630-sas-check-public-keys.md

2.5 KiB
Raw Blame History

MSC2630: Checking public keys in SAS verification

The current SAS protocol does not ensure that the two users correctly received each other's public keys. An attacker could send Alice and Bob public keys that he has created and, if the attacker is lucky, could obtain the same shared secret with both Alice and Bob, so that when they verify the SAS string, will believe that the exchange was secure.

To mitigate against this, Alice and Bob can use the two public keys in the generation of the SAS string by including it in the info parameter of the HKDF. Thus if an attacker sends them different public keys, the info parameters will be different, and so the key generated by the HKDF will be different.

Thanks to David Wong for identifying the issue, disclosing responsibly, and for helping to design the fix.

Proposal

A new key_agreement_protocol, curve25519-hkdf-sha256 is introduced, and will be mandatory for clients to support when performing SAS verification. It is the same as curve25519 except that the info parameter for the HKDF is the concatenation of:

  • The string MATRIX_KEY_VERIFICATION_SAS|.
  • The Matrix ID of the user who sent the m.key.verification.start message, followed by |.
  • The Device ID of the device which sent the m.key.verification.start message, followed by |.
  • The public key from the m.key.verification.key message sent by the device which sent the m.key.verification.start message, followed by |.
  • The Matrix ID of the user who sent the m.key.verification.accept message, followed by |.
  • The Device ID of the device which sent the m.key.verification.accept message, followed by |.
  • The public key from the m.key.verification.key message sent by the device which sent the m.key.verification.accept message, followed by |.
  • The transaction_id being used.

The differences from curve25519 are the addition of the public keys, and the addition of | as delimiter between the fields.

The key_agreement_protocol curve25519 is deprecated and may be removed in the future. It will no longer be mandatory for clients to support, and new implementations are discouraged from implementing it.

Implementation

This has been implemented in:

  • Riot Web 1.6.3 (matrix-js-sdk 6.2.0)
  • Riot Android 0.9.12 (matrix-android-sdk 0.9.35)
  • RiotX 0.21
  • Riot iOS 0.11.5 (matrix-ios-sdk 0.16.5)
  • matrix-weechat and pantalaimon (matrix-nio 0.12.0)
  • famedlysdk