Filip/matrix-spec
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-spec synced 2026-01-29 10:33:43 +01:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

switch to symmetric algorithm

Browse source
This commit is contained in:
Hubert Chathi 2020-02-14 16:20:10 -05:00
parent b8b0e0d792
commit eb17e5d826
1 changed files with 25 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
proposals/1946-secure_server-side_storage.md
View file

@ -123,38 +123,33 @@ and the key descriptions for the keys would be:
#### Encryption algorithms
##### `m.secret_storage.v1.curve25519-aes-sha2`
##### `m.secret_storage.v1.aes-hmac-sha2`
The public key is stored in the `pubkey` property of the `m.secret_storage.key.[key
ID]` account_data as a base64-encoded string.
Secrets are encrypted using AES-CTR-256 and MACed using HMAC-SHA-256. The data
is encrypted and MACed as follows:
The data is encrypted and MACed as follows:
1. Given the secret storage key, generate 64 bytes by performing an HKDF with
SHA-256 as the hash, a salt of 32 bytes of 0, and with the secret name as
the info. The first 32 bytes are used as the AES key, and the next 32 bytes
are used as the MAC key
2. Generate 16 random bytes, set bit 63 to 0 (in order to work around
differences in AES-CTR implementations), and use this as the AES
initialization vector. This becomes the `iv` property, encoded using base64.
3. Encrypt the data using AES-CTR-256 using the AES key generated above. This
encrypted data, encoded using base64, becomes the `ciphertext` property.
4. Pass the raw encrypted data (prior to base64 encoding) through HMAC-SHA-256
using the MAC key generated above. The resulting MAC is base64-encoded and
becomes the `mac` property.
1. Generate an ephemeral curve25519 key, and perform an ECDH with the ephemeral
key and the public key to generate a shared secret. The public half of the
ephemeral key, encoded using base64, becomes the `ephemeral` property.
2. Using the shared secret, generate 80 bytes by performing an HKDF using
SHA-256 as the hash, with a salt of 32 bytes of 0, and with the empty string
as the info. The first 32 bytes are used as the AES key, the next 32 bytes
are used as the MAC key, and the last 16 bytes are used as the AES
initialization vector.
4. Encrypt the data using AES-CBC-256 with PKCS#7 padding. This encrypted
data, encoded using base64, becomes the `ciphertext` property.
5. Pass the raw encrypted data (prior to base64 encoding) through HMAC-SHA-256
using the MAC key generated above. The first 8 bytes of the resulting MAC
are base64-encoded, and become the `mac` property.
(We use AES-CTR to match file encryption and key exports.)
(The key HKDF, AES, and HMAC steps are the same as what are used for encryption
in olm and megolm.)
For example, the `m.secret_storage.key.[key ID]` for a key using this algorithm
For example, the `m.secret_storage.key.key_id` for a key using this algorithm
could look like:
```json
{
"name": "m.default",
"algorithm": "m.secret_storage.v1.curve25519-aes-sha2",
"pubkey": "base64+public+key"
"algorithm": "m.secret_storage.v1.aes-hmac-sha2"
}
```
@ -164,8 +159,8 @@ and data encrypted using this algorithm could look like this:
{
"encrypted": {
"key_id": {
"iv": "16+bytes+base64",
"ciphertext": "base64+encoded+encrypted+data",
"ephemeral": "base64+ephemeral+key",
"mac": "base64+encoded+mac"
}
}
@ -174,7 +169,7 @@ and data encrypted using this algorithm could look like this:
###### Keys
When a user is given a raw key for `m.secret_storage.v1.curve25519-aes-sha2`,
When a user is given a raw key for `m.secret_storage.v1.aes-hmac-sha2`,
it will be encoded as follows (this is the same as what is proposed in MSC1703):
* prepend the two bytes 0x8b and 0x01 to the key
@ -200,7 +195,8 @@ ID]` account-data:
"passphrase": {
"algorithm": "m.pbkdf2",
"salt": "MmMsAlty",
"iterations": 100000
"iterations": 100000,
"bits": 256
},
...
}
@ -209,7 +205,9 @@ ID]` account-data:
**`m.pbkdf2`**
The key is generated using PBKDF2 using the salt given in the `salt` parameter,
and the number of iterations given in the `iterations` parameter.
and the number of iterations given in the `iterations` parameter. The key size
that is generated is given by the `bits` parameter, or 256 bits if no `bits`
parameter is given.
### Sharing