-
Notifications
You must be signed in to change notification settings - Fork 375
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
* proposal for using fixed base64 encoding * use MSC number * add missing word * add links to spec and clarifications
- Loading branch information
Showing
1 changed file
with
64 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| # MSC3783: Fixed base64 for SAS verification | ||
|
|
||
| libolm's original implementation for calculating the | ||
| [MAC](https://spec.matrix.org/v1.5/client-server-api/#mkeyverificationmac) for | ||
| SAS-based device verification [encoded the base64 output | ||
| incorrectly](https://gitlab.matrix.org/matrix-org/olm/-/merge_requests/16). | ||
| Thus other implementations that use a correct base64 encoding are not | ||
| compatible, and must instead [re-implement libolm's incorrect | ||
| encoding](https://matrix-org.github.io/vodozemac/vodozemac/sas/struct.EstablishedSas.html#method.calculate_mac_invalid_base64). | ||
| libolm now has a function that returns the correct base64 encoding, but it is | ||
| currently not used to ensure compatibility with older clients. | ||
|
|
||
| This proposal introduces a new message authentication code identifier for use | ||
| with SAS verification that uses the correct base64 encoding. The current | ||
| method will be deprecated. | ||
|
|
||
| ## Proposal | ||
|
|
||
| A new message authentication code identifier `hkdf-hmac-sha256.v2` is | ||
| introduced. This identifier is used in the `message_authentication_codes` | ||
| property of the | ||
| [`m.key.verification.start`](https://spec.matrix.org/v1.5/client-server-api/#mkeyverificationstartmsasv1) | ||
| event, and the `message_authentication_code` property of the | ||
| [`m.key.verification.accept`](https://spec.matrix.org/v1.5/client-server-api/#mkeyverificationaccept) | ||
| event. Clients that implement SAS verification are required to implement this | ||
| method. The `message_authentication_codes` parameter for the | ||
| [`m.key.verification.start`](https://spec.matrix.org/v1.5/client-server-api/#mkeyverificationstartmsasv1) | ||
| event will require clients to include `hkdf-hmac-sha256.v2`. Clients are no | ||
| longer required to include `hkdf-hmac-sha256`, but should still do so for | ||
| compatibility with older clients. | ||
|
|
||
| When the two clients that are verifying each other agree to use | ||
| this method, the MAC is calculated in the same way as `hkdf-hmac-sha256`, but | ||
| is encoded to base64 correctly. | ||
|
|
||
| The old `hkdf-hmac-sha256` method is redefined to use the base64 encoding | ||
| implemented in the original libolm implementation, and is deprecated: if both | ||
| clients involved in the verification support `hkdf-hmac-sha256.v2` as the | ||
| message authentication code, then `hkdf-hmac-sha256` must not be used, even if | ||
| both clients support it. | ||
|
|
||
| `hkdf-hmac-sha256` will be removed by a future MSC. | ||
|
|
||
| ## Potential issues | ||
|
|
||
| None | ||
|
|
||
| ## Alternatives | ||
|
|
||
| None | ||
|
|
||
| ## Security considerations | ||
|
|
||
| This change does not introduce any security issues. | ||
|
|
||
| ## Unstable prefix | ||
|
|
||
| Until this MSC is accepted, the key agreement protocol identifier | ||
| `org.matrix.msc3783.hkdf-hmac-sha256` should be used instead of | ||
| `hkdf-hmac-sha256.v2`. | ||
|
|
||
| ## Dependencies | ||
|
|
||
| None |