MSC4153: Exclude non-cross-signed devices #4153
Conversation
uhoreg
changed the title
uhoreg
added
e2e
proposal
There was a problem hiding this comment.
Implementation requirements:
- Client embodying these values (preferably cross platform).
proposals/4153-invisible-crypto.md
Outdated
| @@ -0,0 +1,122 @@ | |||
| # MSC4153: Invisible Cryptography | |||
There was a problem hiding this comment.
I don't see how that name has anything to do with the proposal? Maybe the MSC could explain, where that name comes from?
There was a problem hiding this comment.
The name comes from the fact that crypto should "just work", rather than continually bothering users with popups or warnings or multi-coloured shields which they need to understand. In other words, it should be "invisible" to the casual user.
But yes, that could do with writing in the MSC.
There was a problem hiding this comment.
It might be better to rename this MSC to more closely represent the changes ("isolation of unsigned devices" or something); this MSC is really just a small part of "invisible crypto"
There was a problem hiding this comment.
After discussion with the rest of the Element crypto team, we came to the consensus that "Invisible crypto" referred more to specific UI changes that this MSC would enable (such as getting rid of some shields), rather than the recommendations in this MSC. So I've given this MSC a more boring name. The filename will remain the same, so that we don't lose comments.
proposals/4153-invisible-crypto.md
Outdated
| Users should have Secret Storage with a default key that encrypts the private | ||
| cross-signing keys and key backup key (if available) | ||
|
|
||
| The spec currently does not give recommendations for what information is stored | ||
| in Secret Storage, or even whether Secret Storage is available to users. A | ||
| user’s Secret Storage should contain the user’s cross-signing secret keys and | ||
| the key backup decryption key (if the user is using key backup). This ensures | ||
| that users have a more consistent experience. |
There was a problem hiding this comment.
don't these two paragraphs say the same thing? Or am I missing a subtlety?
There was a problem hiding this comment.
The first is referring to this paragraph in https://spec.matrix.org/unstable/client-server-api/#key-storage:
A key can be marked as the “default” key by setting the user’s account data with event type
m.secret_storage.default_keyto an object that has the ID of the key as its key property. The default key will be used to encrypt all secrets that the user would expect to be available on all their clients. Unless the user specifies otherwise, clients will try to use the default key to decrypt secrets.
and is saying that the user's Secret Storage should have such a key.
Whereas the second paragraph is describing what secrets should be stored.
Perhaps it would make more sense if I switched the order of the paragraphs, since the first paragraph also touches on what's stored.
uhoreg
changed the title
This sharing strategy is defined as part of MSC4153[1]. [1]: matrix-org/matrix-spec-proposals#4153
| ### Bots and application services | ||
|
|
||
| This is a special case to the issue above, but seems to be a large enough class | ||
| that it deserves its own mention: support for cross-signing in bots and | ||
| application services may be less common than in interactive clients. When a | ||
| client fully implements this proposal, users will be unable to interact with | ||
| bots and application services in encrypted rooms if they do not support | ||
| cross-signing. | ||
|
|
||
| TODO: status of cross-signing in bots/application services |
There was a problem hiding this comment.
Cross-signing in general is relatively easy to implement, but receiving messages from bridges may be a more complicated issue: most encryption-capable bridges (i.e. mautrix-*) only generate keys for the bridge bot, not every ghost, which means messages are sent with a different user than the user who created the megolm session.
We likely have to invent some new mechanism to "delegate" crypto to another user so that clients wouldn't get scared when ghosts send messages encrypted by the bridge bot. Generating keys for every ghost would be ridiculously wasteful, the bridge is a single entity so there's no reason for it to have more than one encryption device.
There was a problem hiding this comment.
When you say "most encryption-capable bridges (i.e. mautrix-*) only generate keys ...", are you talking about device keys? Can you explain how megolm session distribution works with mautrix bridges? Is it something like: bridge generates megolm session, bridge bot sends megolm session to recipient, ghost sends encrypted message to room?
There was a problem hiding this comment.
There was some discussion about this in #element-x-ios:matrix.org
For clarity: the wasteful part is not the device key generation itself, but rather the resulting large number of olm sessions when clients have to encrypt megolm sessions for each ghost individually.
Matthew suggested that the ghost could create a device with no identity key (to prevent olm sessions being created) and use it to sign the bot's device.
I'm thinking ghosts will probably need a cross-signing key (because that's the real root of trust). Maybe ghosts could just upload the bot's cross-signing key? They'd have the wrong user_id, which clients could detect to realize it's a ghost user. The key could also have a special usage field or something else as an extra ghost identification. Or maybe the user_id field should be the ghost, but there could be a new bridge_bot_id field which points at the bridge bot.
There was a problem hiding this comment.
Oh, there's also another related annoying part: double puppeting, where bridge logs in with your account to bridge messages you send from the remote network using your real account instead of a ghost. Currently it works the same way as ghosts in terms of encryption: create megolm keys with bridge bot, send with double puppet.
The number of double puppets is generally much lower than the number of ghosts, so technically it would be fine to create a full e2ee session (which the user can then cross-sign normally). However, that would mean the bridge receives decryption keys for messages in all your rooms instead of only its own rooms, which is not great.
I don't think it's worth creating a separate mechanism for trusting double puppets, but at least the "upload bot's cross-signing keys to ghost" mechanism wouldn't work for double puppets. Creating a device without identity keys could work for both though
| Clients should encourage users to cross-sign their devices. This includes both | ||
| when logging in a new device, and for existing devices. Clients may even go so | ||
| far as to require cross-signing of devices by preventing the user from using | ||
| the client until the device is cross-signed. If the user cannot cross-sign | ||
| their device (for example, if they have forgotten their Secret Storage key), | ||
| the client can allow users to reset their Secret Storage, cross-signing, and | ||
| key backup. |
There was a problem hiding this comment.
If a client enforces cross signing, how would cross signing work without access to other devices or recovery key?
Real scenario that happens to me from time to time:
Not all my accounts have the same powerlevel in rooms, sometimes I need to switch accounts on the go to carry out a moderation action. Worse, most of the moderation bot rooms I interact with on the regular use End-to-End Encryption (usually via Pantalaimon). Additionally, I do not feel comfortable keeping a copy of my Recovery Keys on my phone, or accessible to my phone, nor want to rely on physical devices (eg. security keys) when eg. going to a party, hanging out with friends at an entertainment park, etc.
Element X Android provides a good example here: while I enjoy using sliding sync, using Element X left me unable to carry out moderation actions due to being unable to switch accounts without cross-signing.
I'm currently using Schildichat Next to bypass cross signing requirements, but having multiple copies installed would exacerbate my out-of-memory issues on my phone, which are already preventing me from using it effectively at all.
| non-cross-signed devices were sent by the user, rather than an | ||
| impersonator. Therefore messages sent from non-cross-signed devices cannot be | ||
| trusted and should not be displayed differently to the user. Again, clients | ||
| may be allow the user to override this behaviour for specific devices for |
There was a problem hiding this comment.
typo:
| may be allow the user to override this behaviour for specific devices for | |
| may allow the user to override this behaviour for specific devices for |
|
|
||
| ## Alternatives | ||
|
|
||
| ## Security considerations |
There was a problem hiding this comment.
This MSC has some severe T&S related security problems by effectively acting as a availability break. Now once the bot ecosystem has advanced sufficiently in its E2EE implementations this problem can be resolved. Recovery Keys will allow easy self restoration of cross signed status just like we have access to today in normal clients like Element Web.
Thanks to Tulir in the Spec room for mentioning Recovery Key based workflows as a realistic way to help resolve this conflict.
There was a problem hiding this comment.
It also would be nice to point the potential tripwires for headless clients in the spec text later on as an info box. Since this is a thing easily overlooked imho if you aren't proficient in e2ee.
Rendered
Conflict of Interest declaration: I am a member of the Spec Core Team, and am employed by Element. This MSC was written as part of my work on the Element Cryptography team.