mirror of
https://github.com/matrix-org/matrix-spec
synced 2026-02-20 04:53:42 +01:00
Expand description of validation and verification
This commit is contained in:
Johannes Marbach
parent
c1894e09f0
commit
3f3c0ca0ba
|
|
@ -1517,25 +1517,63 @@ The plaintext payload is of the form:
|
||||||
The type and content of the plaintext message event are given in the
|
The type and content of the plaintext message event are given in the
|
||||||
payload.
|
payload.
|
||||||
|
|
||||||
Other properties are included in order to prevent an attacker from
|
###### Validation of incoming decrypted events
|
||||||
publishing someone else's curve25519 keys as their own and subsequently
|
|
||||||
claiming to have sent messages which they didn't. `sender` must
|
|
||||||
correspond to the user who sent the event, `recipient` to the local
|
|
||||||
user, and `recipient_keys` to the local ed25519 key.
|
|
||||||
|
|
||||||
Clients must ensure that the sending device owns the private part of
|
After decrypting an incoming encrypted event, clients MUST apply the
|
||||||
the ed25519 key it claims to have in the Olm payload. This is crucial
|
following checks:
|
||||||
when the ed25519 key corresponds to a verified device. To perform
|
|
||||||
this check, clients MUST confirm that the `sender_key` property in the
|
1. The `sender` property in the decrypted content must match the
|
||||||
cleartext `m.room.encrypted` event body, and the `keys.ed25519` property
|
`sender` of the event.
|
||||||
in the decrypted plaintext, match the keys under the `sender_device_keys`
|
2. The `keys.ed25519` property in the decrypted content must match
|
||||||
property. Additionally, clients MUST also verify the signature of the keys.
|
the `sender_key` property in the cleartext `m.room.encrypted`
|
||||||
If `sender_device_keys` is absent, clients MUST retrieve the sender's
|
event body.
|
||||||
keys from [`/keys/query`](#post_matrixclientv3keysquery) instead. This
|
3. The `recipient` property in the decrypted content must match
|
||||||
will not allow them to verify key ownership if the sending device was
|
the user ID of the local user.
|
||||||
logged out or had its keys reset since sending the event. Therefore,
|
4. The `recipient_keys.ed25519` property in the decrypted content
|
||||||
clients MUST populate the `sender_device_keys` property when sending
|
must match the client device's [Ed25519 signing key](#device-keys).
|
||||||
events themselves.
|
5. Where `sender_device_keys` is present in the decrypted content:
|
||||||
|
1. `sender_device_keys.user_id` must also match the `sender`
|
||||||
|
of the event.
|
||||||
|
2. `sender_device_keys.keys.ed25519:<device_id>` must also match
|
||||||
|
the `sender_key` property in the cleartext `m.room.encrypted`
|
||||||
|
event body.
|
||||||
|
3. `sender_device_keys.keys.curve25519:<device_id>` must match
|
||||||
|
the Curve25519 key used to establish the Olm session.
|
||||||
|
4. The `sender_device_keys` structure must have a valid signature
|
||||||
|
from the key with ID `ed25519:<device_id>` (i.e., the sending
|
||||||
|
device's Ed25519 key).
|
||||||
|
|
||||||
|
Any event that does not comply with these checks MUST be discarded.
|
||||||
|
|
||||||
|
###### Verification of the sending user for incoming events
|
||||||
|
|
||||||
|
In addition, for each Olm session, clients MUST verify that the
|
||||||
|
Curve25519 key used to establish the Olm session does indeed belong
|
||||||
|
to the claimed `sender`. This requires a signed "device keys" structure
|
||||||
|
for that Curve25519 key, which can be obtained in one of two ways:
|
||||||
|
|
||||||
|
1. An Olm message may be received with a `sender_device_keys` property
|
||||||
|
in the decrypted content.
|
||||||
|
2. The keys are returned via a [`/keys/query`](#post_matrixclientv3keysquery)
|
||||||
|
request. Note that both the Curve25519 key **and** the Ed25519 key in
|
||||||
|
the returned device keys structure must match those used in an
|
||||||
|
Olm-encrypted event as above. (In particular, the Ed25519 key must
|
||||||
|
be present in the **encrypted** content of an Olm-encrypted event
|
||||||
|
to prevent an attacker from claiming another user's Curve25519 key
|
||||||
|
as their own.)
|
||||||
|
|
||||||
|
Ownership of the Curve25519 key is then established in one of two ways:
|
||||||
|
|
||||||
|
1. Via [cross-signing](#cross-signing). For this to be sufficient, the
|
||||||
|
device keys structure must be signed by the sender's self-signing key,
|
||||||
|
and that self-signing key must itself have been validated (either via
|
||||||
|
[explicit verification](#device-verification) or a TOFU mechanism).
|
||||||
|
2. Via explicit verification of the device's Ed25519 signing key, as
|
||||||
|
contained in the device keys structure. This is no longer recommended.
|
||||||
|
|
||||||
|
A failure to complete these verifications does not necessarily mean that
|
||||||
|
the session is bogus; however it is the case that there is no proof that
|
||||||
|
the claimed sender is accurate, and the user should be warned accordingly.
|
||||||
|
|
||||||
If a client has multiple sessions established with another device, it
|
If a client has multiple sessions established with another device, it
|
||||||
should use the session from which it last received and successfully
|
should use the session from which it last received and successfully
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue