-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rotating the current device keys will break encryption and cause UTDs #2374
Comments
@BillCarsonFr: where is this quote from, please? |
@BillCarsonFr: should this be "encrypt"? |
https://matrix.org/docs/matrix-concepts/end-to-end-encryption/ |
I'm all for ripping Curve25519 key rotation out of the spec and consider it nonsense. The only reason why we've historically opted for a pair of keys instead of just a single one was that we didn't know about or want to implement XEdDSA or equivalent, to be able to sign things with the Curve25519 key. Having a single key makes everything vastly simpler to reason about and also obviously cannot support key rotation without the device's identity changing. |
When a new session (device) is created, the device keys for that session (device) are uploaded:
These keys are then published to the homeserver, which is done by using the device_keys property of the /keys/upload endpoint.
As per implementation guide:
Currently matrix-sdk-crypto will reject updates of device keys if the signing key (fingerprint key) has changed.
There are some reports of clients re-uploading a new set of Ed25519/Curve25519 keys. This will break encryption for devices that already downloaded the previous set of keys, because the new keys will be ignored, and the old one will still be used as a target for Olm messages.
As a consequence future encrypted to-device messages for that device will encrypt for the old keys and will fail to decrypt with:
Olm event doesn't contain a ciphertext for our key
.Future devices will be able to decrypt because they will only have download the new keys.
The problem is that Synapse lets you update a new set of the device keys without complaining, and we know that it will break encryption.
What we can do
The text was updated successfully, but these errors were encountered: