Skip to content

MSC4153: Exclude non-cross-signed devices #4153

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 17 commits into from
Oct 13, 2025
Merged

MSC4153: Exclude non-cross-signed devices #4153

Changes from 3 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
a9071b1
initial draft of invisible crypto
uhoreg Jun 10, 2024
33cb6a5
use MSC number
uhoreg Jun 10, 2024
f02666f
clarifications and respond to PR review comments
uhoreg Jun 25, 2024
b2c9541
respond to review comments and add some more clarifications
uhoreg Jan 31, 2025
5e01739
fix typo
uhoreg Jan 31, 2025
010b294
additional clarification
uhoreg Jan 31, 2025
ea450d2
another typo
uhoreg Jan 31, 2025
31748ab
add cross-signing status for clients
uhoreg Feb 19, 2025
6084c6e
add cross-signing status for bots, and fix note about authenticated b…
uhoreg Mar 11, 2025
aeceee3
add information on handling encrypted bridges
uhoreg Sep 11, 2025
1ef347d
clarify some wording
uhoreg Sep 15, 2025
5d4bd81
Update bot support
uhoreg Sep 15, 2025
99d440a
Apply suggestions from code review
uhoreg Sep 24, 2025
2019c4c
Apply changes from code review
uhoreg Sep 25, 2025
48cb558
add note about conflicting when creating cross-signing keys
uhoreg Sep 25, 2025
6dadee8
fix reference to two sections that are no longer "the last two"
uhoreg Oct 1, 2025
772f556
change MUST to SHOULD
uhoreg Oct 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
143 changes: 143 additions & 0 deletions proposals/4153-invisible-crypto.md
View file
Open in desktop
Copy link
Member

@turt2live turt2live Jun 10, 2024
edited by uhoreg
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implementation requirements:

  • Client embodying these values (preferably cross platform).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe that EW and EX both implement this, via their respective labs flags.

EW's setting looks like this:

image

Original file line number Diff line number Diff line change
@@ -0,0 +1,143 @@
# MSC4153: Exclude non-cross-signed devices

End-to-end encryption was first introduced to Matrix in 2016. Over the years,
more encryption-related features have been added, such as key verification,
cross-signing, key backup, and secure storage/sharing.

The current spec allows clients freedom to choose what features to implement.
And while clients should be able to make decisions based on their threat model,
there are behaviours that the spec can recommend that will improve the user
experience and security of encrypted conversations.

In general, this MSC proposes to standardize on using cross-signing as a basis
for trusting devices. While a user may be unable to verify every other user
that they communicate with, or may be unaware of the need to verify other
users, cross-signing gives some measure of protection and so should be used
where possible. One of the goals of this MSC is to reduce the number of
warnings that users will encounter by taking advantage of cross-signing.

## Proposal

The changes below only apply to clients that support encryption.

### Users should have cross-signing keys

Clients should create new cross-signing keys for users who do not yet have
cross-signing keys.

### Users should have Secret Storage

Secret Storage allows users to keep secrets on the server so that they are
accessible when the user logs in to a new device.

The spec currently does not give recommendations for what information is stored
in Secret Storage, or even whether Secret Storage is available to users. A
user’s Secret Storage should contain the user’s cross-signing secret keys and
the key backup decryption key (if the user is using key backup). This ensures
that users use cross-signing and key backup on new devices.

Users should have Secret Storage with a default key (a key referred to by
`m.secret_storage.default_key`) that encrypts the private cross-signing keys
and key backup key (if available).

### Verifying individual devices of other users is deprecated

When one user verifies a different user, the verification should verify the
users’ cross-signing keys. Any flow that verifies only the device keys of
different users is deprecated. Verifying a user’s own device keys is still
supported.

### Devices should be cross-signed

Clients should encourage users to cross-sign their devices. This includes both
when logging in a new device, and for existing devices. Clients may even go so
far as to require cross-signing of devices by preventing the user from using
the client until the device is cross-signed. If the user cannot cross-sign
their device (for example, if they have forgotten their Secret Storage key),
the client can allow users to reset their Secret Storage, cross-signing, and
key backup.

### Clients should flag when cross-signing keys change

If Alice’s cross-signing keys change, Alice’s own devices must alert her to
this fact, and prompt her to re-cross-sign those devices. If Bob is in an
encrypted room with Alice, Bob’s devices should inform him of Alice’s key
change and should prevent him from sending an encrypted message to Alice
without acknowledging the change.

Bob’s clients may behave differently depending on whether Bob had previously
verified Alice or not. For example, if Bob had previously verified Alice, and
Alice’s keys change, Bob’s client may require Bob to re-verify, or may display
a more aggressive warning.

Note that this MSC does not propose a mechanism for remembering previous
cross-signing keys between devices. In other words if Alice changes her
cross-signing keys and then Bob logs in a new device, Bob’s new device will not
know that Alice’s cross-signing keys had changed, even if Bob has other devices
that were previously logged in. Such a mechanism could be proposed by another
MSC.

### Room keys and secrets should by default not be sent to non-cross-signed devices

Since non-cross-signed devices don’t provide any assurance that the device
belongs to the user, and server admins can trivially create new devices for
users, clients should not send room keys to non-cross-signed devices by
default. Clients may provide users the ability to encrypt to specific
non-cross-signed devices, for example, for development or testing purposes.

In addition, users should not send secrets (via Secret Sharing) to their own
devices that are not cross-signed.

### Messages from non-cross-signed devices should be ignored by default

Similarly, clients have no assurance that encrypted messages sent from
non-cross-signed devices were sent by the user, rather than an
impersonator. Therefore messages sent from non-cross-signed devices cannot be
trusted and should not be displayed differently to the user. Again, clients
may be allow the user to override this behaviour for specific devices for
development or testing purposes.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Proposed addition:

Updates to documentation

If MSC4161 is merged before
this MSC, the section "Devices (Sessions)" should be replaced with:

### Devices (Sessions)

Instances of a client are called 'devices' or alternatively 'sessions'. All devices taking
part in encryption should have been cross-signed by the user who owns them, and
we call these simply **devices** or **sessions**.

Devices which have published cryptographic keys (thus being visible as "cryptographic devices"
to other users) but which have not been cross-signed are considered an error state. These
devices are referred to as **not secure** or **insecure** and they are ignored for the purposes
of sending or receiving encrypted messages.

> "This device is not secure. Please verify it to continue."

> "Ignoring 5 messages that were sent from a device that is not secure."

> "Confirm it's you" (when asking to verify a device during login)

⚠️ Avoid saying "secure device". All devices are considered secure by default;
the user doesn't typically need to worry about the fact that insecure devices
are a thing, given they should only ever occur in error (or transitional)
scenarios.

⚠️ Avoid saying "trusted device" or "verified device". Devices are not users,
and it is helpful to use different language for users vs. devices. (However, we
do use the verb "verify" to describe how to make a device secure. By using the
same verb, we help users understand the confusing fact that verifying devices
and verifying users are similar processes, but with different outcomes.)

⚠️ Avoid using "cross-signing", which requires a deeper knowledge of
cryptography to understand.

⚠️ Avoid mentioning "device keys". While a device may have keys, the user
is only concerned about whether it is secure or not.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(As per #4161 (comment) I think it makes sense to leave this material out of MSC4161 and add it when this MSC is merged.)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think anything needs to be done here, since it looks like this MSC will be accepted before 4161, but leaving this open for documentation purposes.

## Potential Issues

### Client support

If a user has devices that are not cross-signed, they will not be able to
communicate with other users whose clients implement this proposal completely,
due to the last two points. Thus we encourage clients to implement
cross-signing as soon as possible, and to encourage users to cross-sign their
devices, and clients should delay the implementation of the last two points (or
make it optional) until most clients have implemented cross-signing.

TODO: status of cross-signing in clients

### Bots and application services

This is a special case to the issue above, but seems to be a large enough class
that it deserves its own mention: support for cross-signing in bots and
application services may be less common than in interactive clients. When a
client fully implements this proposal, users will be unable to interact with
bots and application services in encrypted rooms if they do not support
cross-signing.
Comment on lines +213 to +218
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there some timeline specifying some duration for application services/bot authors to implement support for this? It seems that, if this is implemented and enabled by default too soon, this would prevent use of popular e2be bridges like mautrix-signal, etc.

I see the note that support is planned for application services in mautrix-go which I think is the basis of mautrix-signal, but this would be a big disruption if this MSC were enabled before the application services had an opportunity to update.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to worry about mautrix-go, but it is a valid concern for less actively developed libraries. It'd probably be appropriate to define a recommended minimum time before this MSC is enabled by default, with the expectation that at least Element would follow that timeline, then be noisy about it in TWIM and other channels to make bot/library developers aware.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Element is planning on making an announcement soon about enabling this MSC, but it will probably be a bit before it's enabled by default. The timing for enabling it by default will depend on somewhat on how well it's supported by other clients, bots, and bridges, and I'd expect that there will be noise made about it before it's enabled by default. I don't want to specify a timeline, as various factors will affect it, but I would guess that it would be on the order of months.


TODO: status of cross-signing in bots/application services

## Alternatives

## Security considerations

## Unstable prefix

No new names are introduced, so no unstable prefix is needed.

## Dependencies

Though not strictly dependencies, other MSCs improve the behaviour of this MSC:
- [Authenticated backups
(MSC4048)](https://github.com/matrix-org/matrix-spec-proposals/pull/4048)
will improve the user experience by ensuring that trust information is
preserved when loading room keys from backup. TODO: I think we also need to
add information to the backup about the cross-signing status of the device
- [Including device keys with Olm-encrypted events
(MSC4147)](https://github.com/matrix-org/matrix-spec-proposals/pull/4147)
allows recipients to check the cross-signing status of devices that have been
deleted