Let devices request keys to decrypt past history for a room. #647
Comments
|
Could a possible solution to this be:
|
|
@apexo this is sort of the plan, except we now have a dedicated "to device" store-and-forward API for sharing data like this, which is encrypted in turn by olm. Also, we'd probably request the historical ratchet state from a specific device rather than all of them, and require the target user to approve/deny the request. e.g. "Matthew has added a new device 'iPad' and is requesting room history since Sept 18th. Do you want to share history?" or something. |
|
@ara4n So I am currently in a room listed with seven devices from three machines and as many browsers. well, I guess vector --> riot transition helped to increase the number. But with only one other person in the room, this is cumbersome. PS: I haven't seen another issue / discussion on this matter, so I hope this is the right place to put this :) |
|
Maybe look at Bitcoin wallets, e.g. http://wallet.counterwallet.io, which ask a 12 dictionary word passphrase from the user. That passphrase is the private key. Now when I log in to a device, I could be asked if I wanted to create a device-specific key, or if I wanted to instate the user's key from such a passphrase. |
|
Can I check my understanding please, does the following represents current expected behaviour? Say I'm in a room which has encryption turned on and we're all happily chatting away and everyone has verified keys. Then I sign out of riot and back in to see that all previous conversations are encrypted again and that there's no way to get the original key to you, so history remains unavailable? Thanks! |
|
It doesn't matter whether keys are verified. The point is that the encryption algorithm (megolm/ld double ratchet) encrypts to the current keys of all the people present. Now if you log out of Riot, your key is discarded from local storage, and upon rejoining, a new key is made. Future messages will now be encrypted (also) to that key, but since you no longer have access to the previous key, the old messages aren't accessible any longer. The solution is IMHO to allow one to export/safe/backup one's key and restore it upon rejoin. |
|
Right, thanks @madduck |
|
I've been having major usability problems with end to end encryption in riot, and I didn't realize that it was because logging out deletes your session key! riot-android/#869 would be nice, because I had no idea! Now that I understand why I've been losing my keys -- and being locked out of my chat history -- I have to say I'm really annoyed. I'm sure everyone agrees you shouldn't have to stay logged in to your chat program continuously in order to be able to use it reliably. It's one thing to hide past messages from newcomers to a channel, but this same issue means that I can't share decryption keys with myself! In my opinion, E2E should not have been rolled out as a feature before this problem was solved. It's been a trainwreck for everyone I know who's tried turning it on. |
|
@kebertx Aside from this issue (which I now understand) e2e has been awesome for me and those I've been chatting with. IIRC, it was advertised as beta and at least in the Android app it says it's that e2e is an "experimental labs feature which may break in unexpected ways." So I think the warning has been fair enough. Having said that, I do think things can be improved (a simple warning about losing keys when signing out, for example would be handy for new users). IMO, it's been great to have the feature early and be able to test it. |
|
Hey @kebertx, sorry you've had a bad experience. It is true that e2e at the moment is highly beta, and things certainly need to be improved, which is, in part, why this issue exists. FWIW, I see no need to ever log out. I do have riot.im exempted from my cookie munger, and so I don't have this issue. Similarly, I don't log out the Android app, but the problem will come when I need to switch to a new phone, and by then I hope they've got a fix. |
|
(fwiw the warning was added) |
|
I don't see a need to log out either, if the app supports multiple identities, which riot seems to not do, so logging in and out would be a workaround for me. Alternatively I could use a second android user, but that drains my battery more. |
|
@madduck You could also go the other-way an export an existing private key as a mnemonic - e.g. BIP39 uses a 2048 word list (https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt) which is sufficient to store 128-bit keys (2048^12). Although one issue is that ed25519 and curve25519 keys are I believe independently derived in Olm? So you would need mnemonics for both, or support deriving one from the other.
I'm not sure I understand the original issue very well, can't an existing member just key-share all of the session_keys they have received from other members in that room via. the same |
|
having read through prior comments - most of them don't relate to this bug, but are general UISI concerns (#2996) or key management concerns (#3611); please upvote and/or comment on the right bugs rather than using this one as a dumping ground O:-) As per element-hq/element-web#2996 (comment) we're moving on and implementing this asap, both to provide an escape hatch for cleaning up remaining UISIs as well as to provide the feature of syncing history to new devices without having to manually export/re-import megolm session keys. @richvdh, @NegativeMjark and I just went through the discussion of how this should work, resulting in the plan:
Separately, we will obviously need to improve the verification UX, e.g. by cross-signing devices to automatically trust them, QR codes or mnemonics for verifying fingerprints, etc. This is all element-hq/element-web#2142 however and orthogonal to the problem of actually sharing keys. We also discussed whether we should store megolm keys on the server, to try to both improve clientside key storage capacity problems (#3660) or to provide an easier way of backing up keys and/or sharing them - this is element-hq/element-web#3661. We concluded that this is basically an optimisation for key storage and wouldn't change the semantics of the crypto at all (i.e. if you're running out of clientside storage, you're welcome to use an encrypted cloud storage service to store data, but that's not going to change our E2E behaviour). Finally, we considered the edge case that Alice and Bob are both pretty paranoid, and only ever use Matrix by firing up an incognito window, logging in, sending a message, and closing the tab (not implausible). As a result, at any given point they probably wouldn't have any devices live. Therefore when Alice sends a message to Bob, she won't know how to encrypt for him, and when Bob gets a UISI, there won't be any devices of Alice he can query for the megolm keys (unless Alice happens to be logged in and having re-imported her megolm keys at the moment that Bob requests history, or perhaps later). We concluded that there were two possible solutions to this:
In the end, both of these are tantamount to the same idea, whether the device is stored encrypted on the server or on a USB stick. Both suffer from element-hq/element-web#3822 - that if two identical devices ever exist concurrently Olm will completely wedge and E2E will break. So the conclusion there was to educate users that they need to keep at least one device active if they expect E2E to work, unless we ever get as far as dehydrating/rehydrating devices. @pik: hopefully this resolves your confusion a bit :) |
|
Will there also be a button somewhere to request all the keys from one of your own devices, in order to aid migration from one device to another? Without this, it sounds like when people want to replace one device with another, people would either need to manually export/import the keys (a bit less convenient than just clicking a button to request keys), or else go to each encrypted room and backfill to the beginning so that the device automatically requests keys (a lot less convenient). |
|
@uhoreg possibly. i'm a bit scared at how powerful such a button would be; at least an attacker needs to know the IDs of the megolm sessions they're trying to get keys for in the "send_missing_keys" to_device event outlined above. Whereas an "send_all_keys_ever" feels like a terrible thing to fall into the wrong hands... |
|
Didn't this get fixed? |
|
Can we close this in favor of #749? To my knowledge element-hq/element-web#749 will be the way to go here and we want to schedule it soon(tm). |
|
element-hq/element-web#749 is an epic describing a desired end goal rather than a particular solution, whereas this was more an idea for a particular implementation. Nevertheless I still think this has been done and should be closed; if anyone disagrees, we can reopen with more context. |
|
Pardon my intrusion but in which version did this get solved? I'm using 1.71 and it still doesn't work there. |
Version 1.71 of what? Note that this is the element bug tracker. The fix landed in Element Web in matrix-org/matrix-js-sdk#454. You're likely seeing a different problem; feel free to open a new issue and send bug reports from both the sender and recipient applications (see also #245) |
|
Oh sorry, the ecosystem around matrix is a bit convoluted. I'm using synapse 1.71 and element-web 1.1.17 and we're still seeing this problem. |
|
Based on the problem statement in OP (without reading the whole thread) and the explanation in #647 (comment), I don't think this is "solved", merely worked around in one specific setting. To me the wording of both implies that element-hq/element-web#749 duplicates this issue (but is phrased more clearly). |
|
No, this issue is for getting keys for messages sent while you were not in the room. For messages sent while you were in the room, and that other devices of yours can decrypt, it should be handled by key backup. |
|
This issue started in 2016, any update? Is this possible now? I just had another friend want to QUIT using element chat! I was basically in the chats with him, and my user/device should be able to send him keys to decrypt past messages. |
|
jittygitty, I'm really sorry it got to be this long.
As I know it was done in Element web (maybe desktop and android too), in a special way. When you, from an Element client, invited a user, your client has sent all the keys for past messages (of course only those that it has known) to the invited user. Maybe they also needed to be using a device with an element client, possibly with a version that has implemented support for it. I think this was the MSC proposal for it. However, the clients since then have switched to the more efficient Rust-based cryptographic library, and this feature was not (yet?) reimplemented there. See the "Sharing room history" heading under "Notes" here. I would appreciate if an Element employee could tell if this is accurate.
I totally agree that it is very uncomfortable. This is one of the strongest reasons why I don't yet bring people onto this platform, because I know this will bother them, and as it stands now, virtually everyone will experience it at least once. What is Matrix, when looking at its end to end encrypted rooms? So basically, I think Matrix is just more, because it allows more flexibility than Signal. Why is Matrix miserable at implementing this reliably? I think it may be related to the reason why is it that they are the only one doing E2EE with multiple simultaneous logins at all: handling keys in this manner is very hard.
Often this will fix itself because one of your devices has the key, but it is not online to respond to key transfer requests of your other device. At least they dont need to be online at the same time. But this case is probably not even about a key handling bug that is that much complicated. You know, when the same thing happened to me and got to learn the lesson, my account was fairly new and I didnt lose much. Often this is the reason software orgs are afraid from implementing complicated features. This got to be very much too long, but it is not a scolding or anything like that, I was just hoping I could give my perspective, in case it helps. For the long term, I very much hope that we will get the possibility to send the keys for former messages to the other members. |
|
mpeter50 thanks for the very detailed write-up. I decided that until the complex crypto is stabilized that I will "only" be using encryption on rooms/chats with users on home servers I do not control. When I use on my own server, I think it makes more sense to simply encrypt the underlying storage via dm-crypt/Luks or other, and as long as everyone in chat is on the same home server, it doesn't seem much benefit to enable encryption at all in such cases, so I won't enable it. Of course, for federation uses and connecting to home-servers you don't 'fully trust', encryption is "indispensable". Also, t3chguy replied to me at #245 |
You may be able to transfer the keys to your friend in a file:
Instructions for exporting and importing room keys in various versions of Element: https://ems-docs.element.io/books/element-cloud-documentation/page/export-and-import-e2e-room-keys |
|
@mcg-matrix Awesome! Thanks for taking the time to share that! I'll try convincing my friend to give it another shot and reinstall element chat, and then will try that! |
|
I really don't understand. If you are able to export the keys and manually give them to the other user, why can't you just make a simple button? |
I think that would introduce a security vulnerability, backed by social engineering. You suggest this to be done manually, but that has similar issues. If I can recall correctly, the rationale behind the past workaround (sending the keys to the user being invited by you) was generally that the inviting user (who still has the keys) can verify that he account he is inviting is actually the account of his friend, but I dont remember the specifics. So to answer your question, this is actually safer because the homeserver operator cant fool you to spill your keys to him. This way you can transfer the keys to your friend "out of band", in a channel of your choosing that is not affected by the adversary, lets say on a pendrive handed over in person, or a shared encrypted cloud storage folder (but still making sure in person that its really them who requested your keys). Additionally, even if you believe that you have choosen a homeserver in which you trust, it could get compromised, or even confiscated by adversaries. Probably this does not affect most people, but its always good to be aware of the risks. On the other hand, sharing your keys this way is risky because if you did not filter the backup correctly, your friend will also receive keys for other messages of yours.
I think that button just instructs your client to ask all your other logged in devices if they have the keys for that message. |
|
@mrlogick Actually I was thinking the same. If this works just fine, then I don't see why users can't be given the option. I think the "user is too stupid" mantra is usually taken too far and ends up with oh let's lock out users out of their own $1500 device/phone that they bought, no Admin/root access to users, or they'll uninstall factory spyware? Encryption on phones with modems and baseband/master processors without true isolation, gives a "false" sense of security, agreed? And so, while I sympathize with the points mpeter50 made in his reply to you, and I'd agree such measures shouldn't be done "automatically or even too easily" such that it could be accidental, a good trade-off 'balance' should be attainable. I really wanted to try out Kopia soon, and now I want to try bupstash.io also! But tell me, why force encryption like Kopia also? Why not let us skip it? Sometimes I just don't want encryption and I don't like being 'forced' to use it. It adds more complexity and harder recovery. And isn't it easier to do deduplication, or do it better even (not really sure how dedupe works with encryption), if there's no encryption enabled? Sorry I digressed. |
|
The recent migration of element-web to the new rust crypto system without supporting MSC3061 has broken some of systems that relied on this feature. Specifically, the functionality where a bot would invite whitelisted users to a room and share room keys with them so they could see historic messages. What is the current solution for an automated system that invites users to a room with existing messages and enables them to see historic messages now? |
Because its not necessarily a stupid user. Maybe one with a very short attention span or one who really is in hurry, and does not read the option but just proceed out of habit. The former is not a rarity, to say the least. I have had a hard time believing this until I have seen this happen regularly with my eyes. Not in the context of Matrix, but with tech, the simpler kind. A lot of people also just dont read, but rather agonize, literally. And in either case I'm not speaking about the elderly. Having it behind 4 button presses, plus a 10 second "thinking timer" like some android phones do with security settings would probably work fine, though.
You can skip it at room creation.
If your primary DM chat room's encryption breaks, you can create a new unencrypted one until you sort that out.
This is nothing official and it would be much better if Element employees could give advice. I once again want to highlight that I am not an Element employee, I just wanted to give my 2 cents because for some issues I have already found a solution. |
|
@mpeter50 Sorry for the confusion, you misunderstood my reply to @mrlogick because the entire section starting with "I really wanted to try out Kopia soon, and now I want to try bupstash.io also!" and ending with "Sorry I digressed" had nothing to do with Element chat at all, it was only about his "bupstash.io" project ( see https://github.com/andrewchambers/bupstash ) I knew that encryption in rooms is optional, I now no longer use it in some rooms which are hosted on my server (with encrypted drives) only and for which there's no federation and if only users on my server are allowed to join that room. Anyway, I had already said that: "I'd agree such measures shouldn't be done "automatically or even too easily" such that it could be accidental, a good trade-off 'balance' should be attainable." So, of course I am perfectly fine to require a user to "TYPE" a long and exact phrase saying: "I Agree this is Dangerous and I insist on etc etc and know what I'm doing.." Point was there's definitely ways like making people type something out which informs them that this is for advanced users and can be security risks involved etc, and such that nobody would be able to say they enabled it by "accident". I'm just against policies that say, nope we're just not gonna give anyone such options, they'll have to go fork da code. Anyway, I haven't had a chance yet to try this: #647 (comment) |
and others
If I'm in a room as device A, and join it later as device B, i need a way to request the old room key data from device A.
Similarly if I'm invited into a room by someone and they want to share past history with me, they need a way of transferring key data.
The text was updated successfully, but these errors were encountered: