-
-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Encryption for message relationships #660
Comments
There was yesterday? two days ago? recently! a lengthy discussion about this in the spec room with multiple people. While multiple ideas were pitched, the things everyone seemed to agree on were:
|
Idea developed together with nico on how to maybe do encryption of event_id (and maybe rel_type, soru might prefer it to not be aggregatable at all): Have the attribute in plaintext be So then the cyphertext of a reaction would read {
"type": "m.reaction",
"content": {
"m.relates_to": {
"event_id": "$orig_event",
"rel_type": "m.annotation",
"key": "🦊",
}
}
} And the event would then read
That way the server can still aggregate random strings, clients can calculate the random strings as they can decrypt messages, and clients have the proper / real relation in the megolm cyphertext. hereby it is crucial to only include event_id (and rel_type), and NOT key, or anything else, as the server can otherwise know which relation type it is, ruining the whole hashing. This might also be important for MSCs like matrix-org/matrix-spec-proposals#2730 |
Could we perhaps consider using a HMAC construction for enhanced security? |
This comment has been minimized.
This comment has been minimized.
@Mikaela no, that problem is covered in #368, and also in the MSC matrix-org/matrix-spec-proposals#2781. |
@Sorunome I think the approach you outlined breaks event aggregations, does it not? Since the server no longer knows which event an event with a relationship refers to, only that it contains a relationship. |
that is incorrect; the server can still aggregate relations, however by a (for the server) random opaque string, rather than the event id. The client can calculate said opaque string from the event to be able to query the server then. If that is unwanted it'd ofc be trivial to not encrypt the event id and just stick to the rel_type and key and whatever else may come in the future |
I'm talking about bundled relations specifically. These should be returned along with messages from a bunch of APIs, specifically: the initial sync, gappy incremental sync, Since the server no longer knows which relations pertain to which event IDs, I don't see how these could be returned from e.g. So I'm not sure hiding event IDs will be feasible.
Yes, the general idea of hiding stuff like |
Why does the server need to aggregate the messages at all? Isn't it enough that the client does it for encrypted rooms? That would encrypt a lot more metadata and would be desirable from my point of view. |
There is a trade off for requiring clients to download full history and compute an index vs storing an encrypted index that gets updated by anything appending state to the room and letting other clients only download the slices of the index it queries, both provide better privacy than a server readable index. (However for its full effect that requires something like Sealed Sender and Anonymous Credentials, see #549 .) |
Just wanted to leave a comment documenting that Encryption for Reactions specifically is no longer blocked on aggregation grounds as they are no longer being aggregated as of matrix-org/matrix-spec-proposals@749198f Synapse implements this change to the MSC in 1.79.0rc1 and later as of writing. |
I'm afraid I'm struggling to parse this sentence. Please can you rephrase. |
Event relationships are currently sent unencrypted so that they may be aggregated server-side. However, they may contain information that we do not want to be plain-text (e.g. we don't want the server to know if a user reacted with a 👍 or 👎 ). We should figure out a way to encrypt them. matrix-org/matrix-spec-proposals#1849 includes some thoughts on how to do encryption, and sorunome and deepbluev7 have also given some thoughts at matrix-org/matrix-spec-proposals#1849 (comment)
The text was updated successfully, but these errors were encountered: