|
| 1 | +# MSCxxxx: Olm fallback keys |
| 2 | + |
| 3 | +Olm uses a set of one-time keys when initializing a session between two |
| 4 | +devices: Alice uploads one-time keys to her homeserver, and Bob claims one of |
| 5 | +them to perform a Diffie-Hellman to generate a shared key. As implied by the |
| 6 | +name, a one-time key is only to be used once. However, if all of Alice's |
| 7 | +one-time keys are claimed, Bob will not be able to create a session with Alice. |
| 8 | + |
| 9 | +This can be addressed by Alice uploading a fallback key that is used in place |
| 10 | +of a one-time key when no one-time keys are available. |
| 11 | + |
| 12 | +## Proposal |
| 13 | + |
| 14 | +A new request parameter, `fallback_keys`, is added to the body of the |
| 15 | +`/keys/upload` client-server API, which is in the same format as the |
| 16 | +`one_time_keys` parameter with the exception that there must be at most one key |
| 17 | +per key algorithm. If the user had previously uploaded a fallback key for a |
| 18 | +given algorithm, it is replaced -- the server will only keep one fallback key |
| 19 | +per algorithm for each user. |
| 20 | + |
| 21 | +When Bob calls `/keys/claim` to claim one of Alice's one-time keys, but Alice |
| 22 | +has no one-time keys left, the homeserver will return the fallback key instead, |
| 23 | +if Alice had previously uploaded one. Unlike with one-time keys, fallback keys |
| 24 | +are not deleted when they are returned by `/keys/claim`. However, the server |
| 25 | +marks that they have been used. |
| 26 | + |
| 27 | +A new response parameter, `device_unused_fallback_keys`, is added to `/sync`. |
| 28 | +This is an array listing the key algorithms for which the server has an unused |
| 29 | +fallback key for the user. If the client wants the server to have a fallback |
| 30 | +key for a given key algorithm, but that algorithm is not listed in |
| 31 | +`device_unused_fallback_keys`, the client will upload a new key as above. |
| 32 | + |
| 33 | +## Security considerations |
| 34 | + |
| 35 | +Using a fallback key rather than a one-time key has security implications. An |
| 36 | +attacker can replay a message that was originally sent with a fallback key, and |
| 37 | +the receiving client will accept it as a new message if the fallback key is |
| 38 | +still active. Also, an attacker that compromises a client may be able to |
| 39 | +retrieve the private part of the fallback key to decrypt past messages if the |
| 40 | +client has still retained the private part of the fallback key. |
| 41 | + |
| 42 | +For this reason, clients should not store the private part of the fallback key |
| 43 | +indefinitely. For example, client should only store at most two fallback keys: |
| 44 | +the current fallback key (that it has not yet received any messages for) and |
| 45 | +the previous fallback key, and should remove the previous fallback key once it |
| 46 | +is reasonably certain that it has received all the messages that use it (for |
| 47 | +example, one hour after receiving the first message that used it). |
| 48 | + |
| 49 | +For addressing replay attacks, clients can also keep track of inbound sessions |
| 50 | +to detect replays. |
| 51 | + |
| 52 | +## Unstable prefix |
| 53 | + |
| 54 | +TODO: ... |
0 commit comments