MSC4153: Exclude non-cross-signed devices #4153
There are no files selected for viewing
|
There was a problem hiding this comment. Moving @escix 's question to a thread:
There was a problem hiding this comment. Your questions aren't easy to understand, but:
Yes, it is proposed that users will trust other users' identity on first use, but it will still be possible to verify other users' identity explicitly via QR codes or emoji. And some applications may expose a feature where they will only send messages in rooms where all users have been explicitly verified in this way. I don't think there are any plans to support that in EX, but that would be a matter for the Element X issue trackers, not this Matrix spec proposal.
I think that when you say "Backup Security keys", you mean what we now refer to as the Recovery key? (see also element-hq/element-meta#2394 (comment)). I don't think this MSC changes anything in this area. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,4 @@ | ||
| # MSC4153: Exclude non-cross-signed devices | ||
|
|
||
| End-to-end encryption was first introduced to Matrix in 2016. Over the years, | ||
| more encryption-related features have been added, such as key verification, | ||
|
|
@@ -25,14 +25,20 @@ The changes below only apply to clients that support encryption. | |
| Clients should create new cross-signing keys for users who do not yet have | ||
| cross-signing keys. | ||
|
|
||
| ### Users should have Secret Storage | ||
|
|
||
| Secret Storage allows users to keep secrets on the server so that they are | ||
| accessible when the user logs in to a new device. | ||
|
|
||
| The spec currently does not give recommendations for what information is stored | ||
| in Secret Storage, or even whether Secret Storage is available to users. A | ||
| user’s Secret Storage should contain the user’s cross-signing secret keys and | ||
| the key backup decryption key (if the user is using key backup). This ensures | ||
| that users use cross-signing and key backup on new devices. | ||
|
|
||
| Users should have Secret Storage with a default key (a key referred to by | ||
| `m.secret_storage.default_key`) that encrypts the private cross-signing keys | ||
| and key backup key (if available). | ||
|
|
||
| ### Verifying individual devices of other users is deprecated | ||
|
|
||
|
|
@@ -71,26 +77,30 @@ know that Alice’s cross-signing keys had changed, even if Bob has other device | |
| that were previously logged in. Such a mechanism could be proposed by another | ||
| MSC. | ||
|
|
||
| ### Room keys and secrets should by default not be sent to non-cross-signed devices | ||
uhoreg marked this conversation as resolved.
Show resolved
Hide resolved
uhoreg marked this conversation as resolved.
Show resolved
Hide resolved
uhoreg marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| Since non-cross-signed devices don’t provide any assurance that the device | ||
| belongs to the user, and server admins can trivially create new devices for | ||
| users, clients should not send room keys to non-cross-signed devices by | ||
| default. Clients may provide users the ability to encrypt to specific | ||
| non-cross-signed devices, for example, for development or testing purposes. | ||
|
|
||
| In addition, users should not send secrets (via Secret Sharing) to their own | ||
| devices that are not cross-signed. | ||
|
|
||
| ### Messages from non-cross-signed devices should be ignored by default | ||
uhoreg marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| Similarly, clients have no assurance that encrypted messages sent from | ||
| non-cross-signed devices were sent by the user, rather than an | ||
| impersonator. Therefore messages sent from non-cross-signed devices cannot be | ||
| trusted and should not be displayed differently to the user. Again, clients | ||
| may be allow the user to override this behaviour for specific devices for | ||
uhoreg marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| development or testing purposes. | ||
|
|
||
uhoreg marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| ## Potential Issues | ||
|
|
||
| ### Client support | ||
|
|
||
| If a user has devices that are not cross-signed, they will not be able to | ||
| communicate with other users whose clients implement this proposal completely, | ||
| due to the last two points. Thus we encourage clients to implement | ||
|
|
@@ -100,6 +110,17 @@ make it optional) until most clients have implemented cross-signing. | |
|
|
||
| TODO: status of cross-signing in clients | ||
|
|
||
| ### Bots and application services | ||
|
|
||
| This is a special case to the issue above, but seems to be a large enough class | ||
| that it deserves its own mention: support for cross-signing in bots and | ||
| application services may be less common than in interactive clients. When a | ||
| client fully implements this proposal, users will be unable to interact with | ||
| bots and application services in encrypted rooms if they do not support | ||
| cross-signing. | ||
|
|
||
| TODO: status of cross-signing in bots/application services | ||
|
There was a problem hiding this comment. Cross-signing in general is relatively easy to implement, but receiving messages from bridges may be a more complicated issue: most encryption-capable bridges (i.e. mautrix-*) only generate keys for the bridge bot, not every ghost, which means messages are sent with a different user than the user who created the megolm session. We likely have to invent some new mechanism to "delegate" crypto to another user so that clients wouldn't get scared when ghosts send messages encrypted by the bridge bot. Generating keys for every ghost would be ridiculously wasteful, the bridge is a single entity so there's no reason for it to have more than one encryption device. There was a problem hiding this comment. When you say "most encryption-capable bridges (i.e. mautrix-*) only generate keys ...", are you talking about device keys? Can you explain how megolm session distribution works with mautrix bridges? Is it something like: bridge generates megolm session, bridge bot sends megolm session to recipient, ghost sends encrypted message to room? There was a problem hiding this comment. There was some discussion about this in #element-x-ios:matrix.org For clarity: the wasteful part is not the device key generation itself, but rather the resulting large number of olm sessions when clients have to encrypt megolm sessions for each ghost individually. Matthew suggested that the ghost could create a device with no identity key (to prevent olm sessions being created) and use it to sign the bot's device. I'm thinking ghosts will probably need a cross-signing key (because that's the real root of trust). Maybe ghosts could just upload the bot's cross-signing key? They'd have the wrong There was a problem hiding this comment. Oh, there's also another related annoying part: double puppeting, where bridge logs in with your account to bridge messages you send from the remote network using your real account instead of a ghost. Currently it works the same way as ghosts in terms of encryption: create megolm keys with bridge bot, send with double puppet. The number of double puppets is generally much lower than the number of ghosts, so technically it would be fine to create a full e2ee session (which the user can then cross-sign normally). However, that would mean the bridge receives decryption keys for messages in all your rooms instead of only its own rooms, which is not great. I don't think it's worth creating a separate mechanism for trusting double puppets, but at least the "upload bot's cross-signing keys to ghost" mechanism wouldn't work for double puppets. Creating a device without identity keys could work for both though There was a problem hiding this comment. I think that it's a bug that we're accepting messages encrypted using a key that we received from a different user, because that seems bad from a cryptographic point of view. So I'm not too keen to try to work around it. I also don't think that we should have bots upload cross-signing keys of different users. If the big issue is in receiving encrypted messages, maybe the easier solution would be to add a flag in the device keys object to indicate that the device doesn't want to receive any keys? There was a problem hiding this comment. The flag to not receive encrypted messages sounds good, that'd at least solve the double puppeting issue of receiving unwanted keys. Sending messages would still require creating olm sessions from every ghost that sends messages though Technically there's also the option of deciding that appservices were a mistake and switching to MSC4144, but having to build duplicates of a bunch of different mechanisms like member lists and membership actions would be unfortunate There was a problem hiding this comment. I've written MSC4261 to propose adding a flag to mark devices that don't want to receive room keys. |
||
|
|
||
| ## Alternatives | ||
|
|
||
| ## Security considerations | ||
uhoreg marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
@@ -111,7 +132,7 @@ No new names are introduced, so no unstable prefix is needed. | |
| ## Dependencies | ||
|
|
||
| Though not strictly dependencies, other MSCs improve the behaviour of this MSC: | ||
| - [Authenticated backups | ||
| (MSC4048)](https://github.com/matrix-org/matrix-spec-proposals/pull/4048) | ||
| will improve the user experience by ensuring that trust information is | ||
| preserved when loading room keys from backup. TODO: I think we also need to | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Implementation requirements:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe that EW and EX both implement this, via their respective labs flags.
EW's setting looks like this: