153 lines
6.7 KiB
Markdown
153 lines
6.7 KiB
Markdown
# MSC3061: Sharing room keys for past messages
|
|
|
|
In Matrix, rooms can be configured via the `m.room.history_visibility` state
|
|
event such that historical messages can be visible to all Matrix users
|
|
(`world_readable`), all room members (`shared`), room members from the time
|
|
that they are invited to a room (`invited`), or room members from the time that
|
|
they join a room (`joined`). However, currently in encrypted rooms, rooms with
|
|
the history visibility set to `world_readable` or `shared` are effectively
|
|
set to `invited` since other members generally do not send new members the keys
|
|
to decrypt messages sent before they were invited or joined a room.
|
|
|
|
We define a "shared-history" flag that identifies keys for messages that were
|
|
sent when the room's visibility setting was set to `world_readable` or
|
|
`shared`. This allows clients to know which keys are "safe" to share with new
|
|
members so that they can decrypt historical messages. We also give examples of
|
|
ways in which this flag can be used.
|
|
|
|
|
|
## Proposal
|
|
|
|
A room key (such as a megolm session) is flagged as having been used for shared
|
|
history when it was used to encrypt a message while the room's history
|
|
visibility setting was set to `world_readable` or `shared`.
|
|
|
|
If the client does not have an `m.room.history_visibility` state event for the
|
|
room, or its value is not understood, the client should treat it as if its
|
|
value is `joined` for the purposes of determining whether the key is used for
|
|
shared history. This is in contrast with the normal processing of
|
|
`m.room.history_visibility` which defaults to `world_readable` when there is no
|
|
`m.room.history_visibility` state event or its value is not understood. This
|
|
is done so that, in the event of a bug that causes the client to fail to obtain
|
|
the state event, the client will fail in a secure manner.
|
|
|
|
Internally, a client may use any mechanism it wants to keep track of this flag.
|
|
When a room key is marked as having been used for shared history:
|
|
|
|
- `m.room_key` and `m.forwarded_room_key` messages used to share this key have
|
|
a `shared_history` property set to `true` e.g.
|
|
|
|
```json
|
|
{
|
|
"type": "m.room_key",
|
|
"content": {
|
|
"algorithm": "m.megolm.v1.aes-sha2",
|
|
"room_id": "!room_id",
|
|
"session_id": "session_id",
|
|
"session_key": "session_key",
|
|
"shared_history": true
|
|
}
|
|
}
|
|
```
|
|
|
|
- the [`SessionData` type](https://spec.matrix.org/unstable/client-server-api/#definition-sessiondata)
|
|
in key backups (that is, the plaintext object that gets encrypted into the
|
|
`session_data` field) of this key has a `shared_history` property set to
|
|
`true` in the decrypted JSON structure e.g.
|
|
|
|
```json
|
|
{
|
|
"algorithm": "m.megolm.v1.aes-sha2",
|
|
"forwarding_curve25519_key_chain": [
|
|
"hPQNcabIABgGnx3/ACv/jmMmiQHoeFfuLB17tzWp6Hw"
|
|
],
|
|
"sender_claimed_keys": {
|
|
"ed25519": "aj40p+aw64yPIdsxoog8jhPu9i7l7NcFRecuOQblE3Y"
|
|
},
|
|
"sender_key": "RF3s+E7RkTQTGF2d8Deol0FkQvgII2aJDf3/Jp5mxVU",
|
|
"session_key": "AgAAAADxKHa9uFxcXzwYoNueL5Xqi69IkD4sni8Llf...",
|
|
"shared_history": true
|
|
}
|
|
```
|
|
|
|
and,
|
|
- the [`SessionData` type](https://spec.matrix.org/unstable/client-server-api/#key-export-format)
|
|
used in key exports has a `shared_history` property that is set to `true` for
|
|
this key e.g.
|
|
|
|
```json
|
|
{
|
|
"algorithm": "m.megolm.v1.aes-sha2",
|
|
"forwarding_curve25519_key_chain": [
|
|
"hPQNcabIABgGnx3/ACv/jmMmiQHoeFfuLB17tzWp6Hw"
|
|
],
|
|
"sender_claimed_keys": {
|
|
"ed25519": "aj40p+aw64yPIdsxoog8jhPu9i7l7NcFRecuOQblE3Y"
|
|
},
|
|
"sender_key": "RF3s+E7RkTQTGF2d8Deol0FkQvgII2aJDf3/Jp5mxVU",
|
|
"session_key": "AgAAAADxKHa9uFxcXzwYoNueL5Xqi69IkD4sni8Llf...",
|
|
"shared_history": true
|
|
}
|
|
```
|
|
|
|
When a client obtains a key that has the `shared_history` property set to
|
|
`true`, then it flags the key internally as having been used for shared
|
|
history. Otherwise, the key should not be flagged as such.
|
|
|
|
When the room's history visibility setting changes to `world_readable` or
|
|
`shared` from `invited` or `joined`, or changes to `invited` or `joined` from
|
|
`world_readable` or `shared`, senders that support this flag must rotate their
|
|
megolm sessions.
|
|
|
|
Clients may use this flag to modify their behaviour with respect to sharing
|
|
keys. For example, when the user invites someone to the room, they may
|
|
preemptively share keys that have this flag with the invited user. Other
|
|
behaviours may be possible, but must be careful not to guard against malicious
|
|
homeservers. See the "Security Considerations" section.
|
|
|
|
## Potential issues
|
|
|
|
Room keys from clients that do not support this proposal will not be eligible
|
|
for the modified client behaviour.
|
|
|
|
The suggested behaviour in this MSC is to only share additional keys when
|
|
inviting another user. This does not allow users who join the room but were
|
|
not invited (for example, if membership is restricted to another space, or if
|
|
the room is publicly joinable) to receive the keys. Also, if the inviter does
|
|
not have all the keys available for whatever reason, the invitee has no way of
|
|
receiving the keys. This may be solved in the future when we have a mechanism
|
|
for verifying room membership.
|
|
|
|
## Alternatives
|
|
|
|
Rather than having the sender flagging keys, a client can paginate through the
|
|
room's history to determine the room's history visibility settings when the
|
|
room key was used. This would not require any changes, but has performance
|
|
problems. In addition, the server could lie about the room history while the
|
|
user is paginating through the history. By having the sender flag keys, this
|
|
ensures that the key is treated in a manner consistent with the sender's view
|
|
of the room.
|
|
|
|
Rather than using a boolean flag, we could include the history visibility
|
|
setting as-is. For example, a `history_visibility` field could be added, which
|
|
is set to the history visibility setting (e.g. `world_readable`). This
|
|
produces an equivalent effect, but it pushes the processing of the history
|
|
visibility setting to the receiver rather than the sender. For consistency, it
|
|
is better for as much of the decision-making done by the sender, rather than
|
|
the receiver.
|
|
|
|
## Security considerations
|
|
|
|
Clients should still ensure that keys are only shared with authorized users and
|
|
devices, as a malicious homeserver could inject fake room membership events.
|
|
One way to ensure that keys are only shared with authorized users is to only
|
|
share keys with users when the client invites them, as the client is then
|
|
certain that the user is allowed to be in the room. Another way is to have a
|
|
mechanism of verifying membership, such as the method proposed in
|
|
[MSC3917](https://github.com/matrix-org/matrix-spec-proposals/pull/3917).
|
|
|
|
## Unstable prefix
|
|
|
|
Until this feature lands in the spec, the property name to be used is
|
|
`org.matrix.msc3061.shared_history` rather than `shared_history`.
|