Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC1544: Key verification using QR codes #1544
MSC1544: Key verification using QR codes #1544
Changes from 13 commits
3aba9b1
3734471
acd9a5d
95280d8
517754b
ba39779
3b0073a
38689a8
10b6fd6
332b560
4f83bd3
379bb79
a8c7fda
be9c37e
0b4411e
fcfd5d9
21ddf85
7f93084
78b8133
405ac1e
c77d04c
ea0abe9
a7279d9
7b3c98c
0b97ac5
9db8cc9
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the m.key.verification.start isn't encrypted/signed, isn't there an attack where an evil HS admin called Eve shouldersurfs Bob's QR code and then MITMs Alice's reciprocate msg?
I think there's also a variation of this where Eve doesn't MITM the reciprocate but just sends her own - but times it right so that Bob gets confused and thinks Alice did scan him when it was actually Eve, and hits the "confirm" button (to Eve's horror) and gets pwned.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The reciprocate message doesn't affect what key that Bob trusts. The only way that Bob would trust Eve is if Bob's server sent Eve's key to Bob when he asks for Alice's key. In this case, the QR code that Bob shows to Alice will contain Eve's key rather than Alice's key. But then, when Alice scans the QR code, she will notice that the QR code has the wrong key, and her device will display an error message. Unless Alice manages to move her device away from in front of Bob's device faster than her device can compare a few strings (i.e. within a couple milliseconds), her device will display an error before Bob can react to his devices prompting him to verify.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh right - the penny finally dropped; for my notes (and anyone else ever reading this): we're just confirming that Bob's copy of the keys matches Alice's copy of the keys, by sending them out-of-band via QR from Bob to Alice, having Alice compare them, and then if Alice says she's happy, Bob infers he must be happy too. The
secret
is just there to make it harder for Eve to spoof a reciprocate message to try to cause confusion (although if she colludes with the HS admin, she can MITM the secret anyway). (@uhoreg, is this right?)So the actual worst-case scenario attack here is:
The fact they can know they've been pwned and revoke Eve is not much use if she's already stolen history or SSSS keys etc.
It feels like there's a concrete risk of this attack being viable.
Assuming i've got it right, this time, is there an equivalent attack for SAS verif? If not, this feels like another slight advantage in favour of showing SAS codes in QR rather than the blunt keys.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SAS-over-QR would have a similar issue. With SAS, Alice and Bob both need to check that the emoji match, and they need to hit the confirm button. With SAS-over-QR, Alice would be in charge of making sure that the QR code matches what's expected, and then telling Bob whether to hit the OK or the Panic button, so if we're worried about Bob hitting the OK button before Alice says whether it's OK or not, then we get the same thing.
Perhaps instead of presenting it as a "Confirm" or "Panic", we can have Bob's device, when it receives the "reciprocate" message, say "Did Alice successfully scan the code? Yes/No", which at least will indicate that Bob should ask Alice for the verdict rather than just blindly hitting "OK".