-
Notifications
You must be signed in to change notification settings - Fork 375
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC2134: Identity Hash Lookups #2134
Changes from 42 commits
3eff76b
a8c26d2
8b92df7
12431f1
f8dbf2b
d2b47a5
063b9f6
bc9b6c3
5049e55
6bb4a9e
f41ed02
3ee27d3
f28476f
1343e19
1fea604
e3b2ad3
c63edc7
2383a55
53f025e
21e93a1
e3ff802
acdb2b1
02ac0f3
ee10576
36a35a3
0a4c83d
fae6883
f951f31
96e43aa
df88b13
dfb37fc
0fd4fe2
7549c5d
6f81d37
922a20b
53bd384
f4a1e02
3702669
dd8a654
1963a24
ed67e26
3514437
36cb8ed
0444c80
887cd5e
577021f
b26a9ed
9fd6bd3
3031df7
3b8c57e
8f3e588
c6dd595
da876bb
0ac70b2
20c72a3
6119b9a
87a54e8
ffbfde8
5580a2a
a17c74f
027c2d7
6660768
4d1f2ea
c8527b7
57de107
9913f5b
33d22c3
3789d82
acf8d34
c401a4d
3877724
96e06b6
3edf5e3
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,279 @@ | ||
# MSC2134: Identity Hash Lookups | ||
|
||
[Issue #2130](https://github.com/matrix-org/matrix-doc/issues/2130) has been | ||
recently created in response to a security issue brought up by an independent | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
party. To summarise the issue, lookups (of Matrix user IDs) are performed using | ||
plain-text 3PIDs (third-party IDs) which means that the identity server can | ||
identify and record every 3PID that the user has in their contacts, whether | ||
that email address or phone number is already known by the identity server or | ||
not. | ||
|
||
If the 3PID is hashed, the identity server could not determine the address | ||
unless it has already seen that address in plain-text during a previous call | ||
of the [/bind | ||
mechanism](https://matrix.org/docs/spec/identity_service/r0.2.1#post-matrix-identity-api-v1-3pid-bind) | ||
(without significant resources to reverse the hashes). This helps prevent | ||
bulk collection of user's contact lists by the identity server and reduces | ||
its ability to build social graphs. | ||
|
||
This proposal thus calls for the Identity Service API's | ||
[/lookup](https://matrix.org/docs/spec/identity_service/r0.2.1#get-matrix-identity-api-v1-lookup) | ||
endpoint to use hashed 3PIDs instead of their plain-text counterparts (and to | ||
deprecate both it and | ||
[/bulk_lookup](https://matrix.org/docs/spec/identity_service/r0.2.1#post-matrix-identity-api-v1-bulk-lookup)), | ||
which will leak less data to identity servers. | ||
|
||
## Proposal | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
This proposal suggests making changes to the Identity Service API's lookup | ||
endpoints. Instead, this proposal consolidates them into a single `/lookup` | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
endpoint. Additionally, the endpoint is to be on a `v2` path, to avoid | ||
confusion with the original `/lookup`. We also drop the `/api` in order to | ||
preserve consistency across other endpoints: | ||
|
||
- `/_matrix/identity/v2/lookup` | ||
|
||
A second endpoint is added for clients to request information about the form | ||
the server expects hashes in. | ||
|
||
- `/_matrix/identity/v2/hash_details` | ||
|
||
The following back-and-forth occurs between the client and server. | ||
|
||
Let's say the client wants to check the following 3PIDs: | ||
|
||
``` | ||
alice@example.com | ||
bob@example.com | ||
carl@example.com | ||
+1 234 567 8910 | ||
denny@example.com | ||
``` | ||
|
||
The client will hash each 3PID as a concatenation of the medium and address, | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
separated by a space and a pepper appended to the end. Note that phone numbers | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
should be formatted as defined by | ||
https://matrix.org/docs/spec/appendices#pstn-phone-numbers, before being | ||
hashed). First the client must append the medium to the address: | ||
|
||
``` | ||
"alice@example.com" -> "alice@example.com email" | ||
"bob@example.com" -> "bob@example.com email" | ||
"carl@example.com" -> "carl@example.com email" | ||
"+1 234 567 8910" -> "12345678910 msisdn" | ||
"denny@example.com" -> "denny@example.com email" | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
``` | ||
|
||
Hashes must be peppered in order to reduce both the information an identity | ||
server gains during the process, and attacks the client can perform. Clients | ||
will have to generate a full rainbow table specific to the set pepper to | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
obtain all registered MXIDs, while the server has to generate a full rainbow | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
table with the specific pepper to get the plaintext 3pids for non-matrix | ||
users. | ||
|
||
In order for clients to know the pepper and hashing algorithm they should use, | ||
Identity servers must make the information available on the `/hash_details` | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
endpoint: | ||
|
||
``` | ||
GET /_matrix/identity/v2/hash_details | ||
|
||
{ | ||
"lookup_pepper": "matrixrocks", | ||
"algorithms": ["sha256"] | ||
} | ||
``` | ||
|
||
The name `lookup_pepper` was chosen in order to account for pepper values | ||
being returned for other endpoints in the future. The contents of | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
`lookup_pepper` MUST match the regular expression `[a-zA-Z0-9]+` (unless no | ||
hashing is being performed, as described below). If `lookup_pepper` is an | ||
empty string, clients MUST cease the lookup operation. | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
``` | ||
The client should append the pepper to the end of the 3PID string before | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
hashing. | ||
|
||
"alice@example.com email" -> "alice@example.com emailmatrixrocks" | ||
"bob@example.com email" -> "bob@example.com emailmatrixrocks" | ||
"carl@example.com email" -> "carl@example.com emailmatrixrocks" | ||
"12345678910 msdisn" -> "12345678910 msisdnmatrixrocks" | ||
"denny@example.com email" -> "denny@example.com emailmatrixrocks" | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
``` | ||
|
||
Clients SHOULD request this endpoint each time before performing a lookup, to | ||
handle identity servers which may rotate their pepper values frequently. | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
Clients MUST choose one of the given hash algorithms to encrypt the 3PID | ||
during lookup. | ||
|
||
At a minimum, clients and identity servers MUST support SHA-256 as defined by | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
[RFC 4634](https://tools.ietf.org/html/rfc4634), identified by the | ||
`algorithm` value `"sha256"`. SHA-256 was chosen as it is currently used | ||
throughout the Matrix spec, as well as its properties of being quick to hash. | ||
While this reduces the resources necessary to generate a rainbow table for | ||
attackers, a fast hash is necessary if particularly slow mobile clients are | ||
going to be hashing thousands of contact details. Other algorithms can be | ||
negotiated by the client and server at their discretion. | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
There are certain situations when an identity server cannot be expected to | ||
compare hashed 3PID values; When a server is connected to a backend provider | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
such as LDAP, there is no way for the identity server to efficiently pull all | ||
of the addresses and hash them. For this case, the `algorithm` field of `GET | ||
/hash_details` may be set to `"none"`, and `lookup_pepper` will be an empty | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
string. No hashing will be performed if the client and server decide on this, | ||
and 3PIDs will be sent in plain-text, similar to the v1 `/lookup` API. | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
When performing a lookup, the pepper and hashing algorithm the client used | ||
must be part of the request body (even when using the `"none"` algorithm | ||
value). If they do not match what the server has on file (which may be the | ||
case if the pepper was changed right after the client's request for it), then | ||
the server must inform the client that they need to query the hash details | ||
again, instead of just returning an empty response, which clients would | ||
assume to mean that no contacts are registered on that identity server. | ||
|
||
If the algorithm does not match the server's, the server should return a `400 | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
M_INVALID_PARAM`. If the pepper does not match the server's, the server should | ||
return a new error code, `400 M_INVALID_PEPPER`. A new error code is not | ||
defined for an invalid algorithm as that is considered a client bug. | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
The `M_INVALID_PEPPER` error response should contain the correct `algorithm` | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
and `lookup_pepper` fields. This is to prevent the client from needing to | ||
query `/hash_details` again, thus saving a round-trip. `M_INVALID_PARAM` does | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
not include these fields. An example response to an incorrect pepper would | ||
be: | ||
|
||
``` | ||
{ | ||
"error": "Incorrect value for lookup_pepper", | ||
"errcode": "M_INVALID_PEPPER", | ||
"algorithm": "sha256", | ||
"lookup_pepper": "matrixrocks" | ||
} | ||
``` | ||
|
||
Now comes time for the lookup. Note that the resulting hash digest MUST be | ||
encoded in URL-safe unpadded base64 (similar to [room version 4's event | ||
IDs](https://matrix.org/docs/spec/rooms/v4#event-ids)). Once hashing has been | ||
performed using the defined hashing algorithm, the client sends each hash in an | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
array. | ||
|
||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
``` | ||
NOTE: Hashes are not real values | ||
|
||
"alice@example.com emailmatrixrocks" -> "y_TvXLKxFT9CURPXI1wvfjvfvsXe8FPgYj-mkQrnszs" | ||
"bob@example.com emailmatrixrocks" -> "r0-6x3rp9zIWS2suIque-wXTnlv9sc41fatbRMEOwQE" | ||
"carl@example.com emailmatrixrocks" -> "ryr10d1K8fcFVxALb3egiSquqvFAxQEwegXtlHoQFBw" | ||
"12345678910 msisdnmatrixrocks" -> "c_30UaSZhl5tyanIjFoE1IXTmuU3vmptEwVOc3P2Ens" | ||
"denny@example.com emailmatrixrocks" -> "bxt8rtRaOzMkSk49zIKE_NfqTndHvGbWHchZskW3xmY" | ||
|
||
POST /_matrix/identity/v2/lookup | ||
|
||
{ | ||
"hashes": [ | ||
"y_TvXLKxFT9CURPXI1wvfjvfvsXe8FPgYj-mkQrnszs", | ||
"r0-6x3rp9zIWS2suIque-wXTnlv9sc41fatbRMEOwQE", | ||
"ryr10d1K8fcFVxALb3egiSquqvFAxQEwegXtlHoQFBw", | ||
"c_30UaSZhl5tyanIjFoE1IXTmuU3vmptEwVOc3P2Ens", | ||
"bxt8rtRaOzMkSk49zIKE_NfqTndHvGbWHchZskW3xmY" | ||
], | ||
"algorithm": "sha256", | ||
"pepper": "matrixrocks" | ||
} | ||
``` | ||
|
||
The identity server, upon receiving these hashes, can simply compare against | ||
the hashes of the 3PIDs it stores. The server then responds with the Matrix | ||
IDs of those that match: | ||
|
||
``` | ||
{ | ||
"mappings": { | ||
"y_TvXLKxFT9CURPXI1wvfjvfvsXe8FPgYj-mkQrnszs": "@alice:example.com", | ||
"c_30UaSZhl5tyanIjFoE1IXTmuU3vmptEwVOc3P2Ens": "@fred:example.com" | ||
} | ||
} | ||
``` | ||
|
||
The client can now display which 3PIDs link to which Matrix IDs. | ||
|
||
No parameter changes will be made to | ||
[/bind](https://matrix.org/docs/spec/identity_service/r0.2.1#post-matrix-identity-api-v1-3pid-bind) | ||
as part of this proposal. | ||
|
||
## Fallback considerations | ||
|
||
`v1` versions of these endpoints may be disabled at the discretion of the | ||
implementation, and should return a `403 M_FORBIDDEN` error if so. | ||
|
||
If an identity server is too old and a HTTP 400 or 404 is received when | ||
accessing the `v2` endpoint, they should fallback to the `v1` endpoint instead. | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
However, clients should be aware that plain-text 3PIDs are required for the | ||
`v1` endpoint, and SHOULD ask for user consent to send 3PIDs in plain-text, and | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
be clear about where they are being sent to. | ||
|
||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
## Tradeoffs | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
* There is a small cost incurred by performing hashes before requests, but this | ||
is outweighed by the privacy implications of sending plain-text addresses. | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
## Security Considerations | ||
|
||
Hashes are still reversible with a rainbow table, but the provided pepper, | ||
which can be rotated by identity servers at will, should help mitigate this. | ||
Phone numbers (with their relatively short possible address space of 12 | ||
numbers), short email addresses, and addresses of both type that have been | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
leaked in database dumps are more susceptible to hash reversal. | ||
|
||
Mediums and peppers are appended to the address as to prevent a common prefix | ||
for each plain-text string, which prevents attackers from pre-computing bits | ||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
of a stream cipher. | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hash functions aren't stream ciphers. I think a more appropriate phrasing would be "pre-computing the internal state of the hash function". I wonder if there is actually any useful benefit here to appending the medium instead of prepending though, given a pepper is also appended. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Sounds good, thanks for the clarification.
It doesn't hurt, right? |
||
|
||
Additionally, this proposal does not stop an identity server from storing | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
plain-text 3PIDs. There is a GDPR argument in keeping email addresses, such | ||
that if a breach happens, users must be notified of such. Ideally this would be | ||
done over Matrix, but people may've stuck their email in an identity server and | ||
then left Matrix forever. Perhaps if only hashes were being stored on the | ||
identity server then that isn't considered personal information? In any case, a | ||
discussion for another MSC. | ||
|
||
## Other considered solutions | ||
|
||
Ideally identity servers would never receive plain-text addresses, however it | ||
is necessary for the identity server to send email/sms messages during a | ||
bind, as it cannot trust a homeserver to do so as the homeserver may be lying. | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
Bloom filters are an alternative method of providing private contact discovery. | ||
However, they do not scale well due to requiring clients to download a large | ||
filter that needs updating every time a new bind is made. Further considered | ||
solutions are explored in https://signal.org/blog/contact-discovery/. Signal's | ||
eventual solution of using Software Guard Extensions (detailed in | ||
https://signal.org/blog/private-contact-discovery/) is considered impractical | ||
for a federated network, as it requires specialized hardware. | ||
|
||
k-anonymity was considered as an alternative, in which the identity server | ||
would never receive a full hash of a 3PID that it did not already know about. | ||
While this has been considered plausible, it comes with heightened resource | ||
requirements (much more hashing by the identity server). The conclusion was | ||
that it may not provide more privacy if an identity server decided to be evil, | ||
however it would significantly raise the resource requirements to run an evil | ||
identity server. | ||
|
||
Discussion and a walk-through of what a client/identity-server interaction would | ||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
look like are documented [in this Github | ||
comment](https://github.com/matrix-org/matrix-doc/pull/2134#discussion_r298691748). | ||
|
||
anoadragon453 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
Additionally, a radical model was also considered where the first portion of | ||
the above scheme was done with an identity server, and the second would be done | ||
with various homeservers who originally reported the 3PID to the identity | ||
server. While interesting and a more decentralised model, some attacks are | ||
still possible if the identity server is running an evil homeserver which it | ||
can direct the client to send its hashes to. Discussion on this matter has | ||
taken place in the MSC-specific room [starting at this | ||
message](https://matrix.to/#/!LlraCeVuFgMaxvRySN:amorgan.xyz/$4wzTSsspbLVa6Lx5cBq6toh6P3TY3YnoxALZuO8n9gk?via=amorgan.xyz&via=matrix.org&via=matrix.vgorcum.com). | ||
|
||
## Conclusion | ||
|
||
This proposal outlines a simple method to stop bulk collection of user's | ||
contact lists and their social graphs without any disastrous side effects. All | ||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
functionality which depends on the lookup service should continue to function | ||
unhindered by the use of hashes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is almost there - thank you for the epic. The current draft reads really well.
My main remaining concerns are that we need to spell out the attacks and tradeoffs and conclusion rationale between the solutions more clearly. I’ve tried to do this in note form at https://gist.github.com/ara4n/8d5fe3030d9fad00111f9ec343e86feb - would it be possible to try to incorporate this?
Meanwhile, I agree that a rotating pepper hash lookups is the best approach here (having reasoned it through).
Otherwise, my only other remaining concern is that we should be protecting the IS db better by storing 3pids in hashed form (and thus also 3pid invites and other bindings). ie wherever we currently pass around 3pids instead we pass around a hash salted with a static salt for that IS. i don’t think we even need the raw 3pid for validation purposes, as we can validate using a nonce instead? I’d much rather we spent the time to figure out protecting the db rather than figuring out k-anon further. This could be a separate MSC though, but it feels like we should have thought it through enough to ensure that this MSC doesn’t design it out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On it, thanks!
This is something we could append on to
/hash_details
,or even use theWe don't want to reuselookup_pepper
from it for this purpose? Perhaps renaming it to something more generic in the process?lookup_pepper
of course. The salt shouldn't rotate, while the pepper should.Looking at the IS API docs, the following would need to be changed to enable storing hashed IDs at rest.
Endpoints that would already work are:
There's still the GDPR concern that if we do get compromised, we're obligated to notify everyone that hashes were taken. Either we use matrix as the communication medium (does the law disallow this?) or we send a message to Homeservers who do have the plaintext 3PIDs that they should send an email (this could be horribly abused by an evil IS though).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
right - thanks for doing the storing hashed ID analysis, this is excellent. i suggest we copy-paste this verbatim as a starting point for a new MSC so as to not block this one further.
I've asked @lampholder whether we can do data breach notifications via Matrix or not.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(i've given this the FCP ✅on the assumption that the spelling-out-the-attack and the more concrete tradeoff comparison makes it into the MSC)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
one other gotcha sprang to mind which we should note: having written out a basic threat model, it becomes clear that a malicious IS could just fail to rotate the pepper (or reuse the same pepper). So the rotating pepper really buys us very little indeed unless clients check for pepper reuse, which seems onerous and also useless given they can’t tell about pepper reuse from before they connected.
So while we might as well keep the ability of the server to specify the pepper it uses for the hashes, in think there is limited use in bothering to rotate it.