
Commit 1590ae2

make hash commitment always include the m.relates_to
1 parent a514485 commit 1590ae2

1 file changed

+79
-0
lines changed

proposals/2241-e2e-verification-in-dms.md

Lines changed: 79 additions & 0 deletions
@@ -159,6 +159,85 @@ The messages used in SAS verification are the same as those currently defined,
159159
except that instead of the `transaction_id` property, an `m.relates_to`
160160
property, as defined above, is used instead.
161161

162+
If the key verification messages are encrypted, the hash commitment sent in the
163+
`m.key.verification.accept` message MUST be based on the decrypted
164+
`m.key.verification.start` message contents, and include the `m.relates_to`
165+
field, even if the decrypted message contents do not include that field. For
166+
example, if Alice sends a message to start the SAS verification:
167+
168+
```json
169+
{
170+
"content": {
171+
"algorithm": "m.megolm.v1.aes-sha2",
172+
"ciphertext": "ABCDEFG...",
173+
"device_id": "Dynabook",
174+
"sender_key": "alice+sender+key",
175+
"session_id": "session+id",
176+
"m.relates_to": {
177+
"rel_type": "m.reference",
178+
"event_id": "$verification_request_event"
179+
}
180+
},
181+
"event_id": "$event_id",
182+
"origin_server_ts": 1234567890,
183+
"sender": "@alice:example.org",
184+
"type": "m.room.encrypted",
185+
"room_id": "!room_id:example.org"
186+
}
187+
```
188+
189+
which, when decrypted, yields:
190+
191+
```json
192+
{
193+
"room_id": "!room_id:example.org",
194+
"type": "m.key.verification.start",
195+
"content": {
196+
"from_device": "Dynabook",
197+
"hashes": [
198+
"sha256"
199+
],
200+
"key_agreement_protocols": [
201+
"curve25519"
202+
],
203+
"message_authentication_codes": [
204+
"hkdf-hmac-sha256"
205+
],
206+
"method": "m.sas.v1",
207+
"short_authentication_string": [
208+
"decimal",
209+
"emoji"
210+
]
211+
}
212+
}
213+
```
214+
215+
then the hash commitment will be based on the message contents:
216+
217+
```json
218+
{
219+
"from_device": "Dynabook",
220+
"hashes": [
221+
"sha256"
222+
],
223+
"key_agreement_protocols": [
224+
"curve25519"
225+
],
226+
"message_authentication_codes": [
227+
"hkdf-hmac-sha256"
228+
],
229+
"method": "m.sas.v1",
230+
"short_authentication_string": [
231+
"decimal",
232+
"emoji"
233+
],
234+
"m.relates_to": {
235+
"rel_type": "m.reference",
236+
"event_id": "$verification_request_event"
237+
}
238+
}
239+
```
240+
162241
## Alternatives
163242

164243
Messages sent by the verification methods, after the initial key verification
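
Review bot: The normative sentence at new lines 162-166 requires the commitment to include `m.relates_to` "even if the decrypted message contents do not include that field", but it never says where the value is taken from. The example implies it is copied from the cleartext `content` of the `m.room.encrypted` event (the field next to `ciphertext`); state that explicitly, and say what an implementation should do when the decrypted contents also carry an `m.relates_to` that differs from the cleartext one, otherwise two implementations could pick different values and the commitment check would fail. The third JSON block also shows `m.relates_to` appended after `short_authentication_string`; a sentence saying that the key order shown is not significant for the serialisation that gets hashed would stop readers from hashing the object as printed.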
