
MSC3013: Encrypted Push

Open Sorunome opened this issue 3 years ago • 12 comments

Rendered

Signed-off-by: Sorunome [email protected]

Synapse PR: https://github.com/matrix-org/synapse/pull/11512

FamedlySDK PR: https://gitlab.com/famedly/company/frontend/famedlysdk/-/merge_requests/868

Hedwig PR: https://gitlab.com/famedly/company/backend/services/hedwig/-/merge_requests/41

FCP call

Sorunome avatar Feb 17 '21 12:02 Sorunome

Hi

1. Generate an ephemeral curve25519 key, and perform an ECDH with the ephemeral key and the backup's
   public key to generate a shared secret. The public half of the ephemeral key, encoded using unpadded
   base64, becomes the `ephemeral` property of the new payload.

Should backup's public key be pusher's public key?

Thanks

flumeware avatar Feb 19 '21 23:02 flumeware

MSC 3079: Low Bandwidth CS API may be an alternative to this as it makes it viable to rely on /sync for push notifications directly as it is made bandwidth efficient.

kegsay avatar Apr 03 '21 20:04 kegsay

I think this and #3079 are likely to be complementary. If you are already using your platform's push provider, running a permanent background process is still going to be more expensive than using the push provider, no matter how well optimised it is. #3979 with the extra work to add sync filters just for events which trigger push is a good solution if you don't have (or don't want) an untrusted push provider.

Cadair avatar Apr 06 '21 08:04 Cadair

Indeed, they can be complementary but at the cost of an increased API surface. If you don't trust your push provider, that has knock-on concerns though. Malicious push providers can do more subtle attacks than just sniff the message (e.g. delay the delivery), so at the point the provider is untrusted then really you shouldn't be using it at all.

kegsay avatar Apr 07 '21 11:04 kegsay

Removing the needs-implementation label given the linked PRs.

anoadragon453 avatar Dec 07 '21 10:12 anoadragon453

Have put this in the "initial review" column on the SCT Backlog board to get eyes on it, though it may already be under the watchful purview of @dbkr. Feel free to take it off the board if you want to re-claim it Dave.

anoadragon453 avatar Dec 07 '21 10:12 anoadragon453

Let's get it on the agenda for consideration:

@mscbot fcp merge

turt2live avatar Dec 28 '21 20:12 turt2live

This FCP proposal has been cancelled by https://github.com/matrix-org/matrix-spec-proposals/pull/3013#issuecomment-1577585995.

Team member @mscbot has proposed to merge this. The next step is review by the rest of the tagged people:

  • [ ] @dbkr
  • [x] @uhoreg
  • [x] @turt2live
  • [x] @ara4n
  • [ ] @anoadragon453
  • [ ] @richvdh
  • [x] @erikjohnston
  • [ ] @KitsuneRal

Concerns:

  • Enums vs namespaces
  • Algorithm might need further review
  • Push data is overloaded currently and should be avoided (use top level keys instead)

Once at least 75% of reviewers approve (and there are no outstanding concerns), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for information about what commands tagged team members can give me.

mscbot avatar Dec 28 '21 20:12 mscbot

Just to pick up on an earlier comment by @dbkr

> This does add significant complexity (especially because it means Homeservers now have to do elliptic curve crypto too)

note that homeservers always had to do EC crypto, for signing events/requests. Admittedly that was all ed25519 signing rather than x25519 DH, but the point remains that any HS implementation is already going to be linked against a curve25519 library.

richvdh avatar Feb 16 '22 10:02 richvdh

@mscbot concern Enums vs namespaces

@mscbot concern Algorithm might need further review

@mscbot concern Push data is overloaded currently and should be avoided (use top level keys instead)

turt2live avatar Feb 17 '22 18:02 turt2live

@Sorunome are you able to take a look at updating this to unblock FCP?

turt2live avatar Apr 08 '22 21:04 turt2live

@turt2live I am planning to implement the changes proposed in ~1.5 weeks and try them out, then update the MSC. But I am still a bit busy next week (and was for the last 8).

deepbluev7 avatar Apr 09 '22 23:04 deepbluev7

@deepbluev7 From the chat in the SCT office room last week it sounds like you're aiming to take this on? It looks like it's stuck in needing an implementation and a text update.

Given it's been over a year since the FCP call was stalled due to concerns, I'm cancelling FCP for now and we can re-start it with modern process/considerations. It sounds like it'll be relatively easy to get back into shape?

@mscbot fcp cancel

Once this is ready for re-review, let us know in the SCT Office please.

turt2live avatar Jun 05 '23 22:06 turt2live