[matrix] encryption
Hej ! Jeg er The one with the [braid]
Flutter developer from France
Working on [matrix] in healthcare
Contributor to various [matrix] projects
I like trains
🦆2🦆 [🔐]
[matrix]
per device keys
one time
fallback
each device has different keys
verification via SAS
SSSS backup for key access
PGP
key pair per person
subitentities
verification via keyservers
private can decrypt everything
[matrix]
is
complex
Olm
Key "session"
Used to manage your keys
Holds peer's device list
Manages key sharing
Megolm
Each key Olm encrypted
Algorithm for event encryption
Each message is individually encrypted
Cryptographic device onboarding
Each device has its own public-private key pair
This key pair is called signing key
Canonical JSON content is signed using these keys to ensure integrity
Each account has a
ma
ster
in
key
Each device signing key must be signed using the main key to ensure authenticity
Once the device is trusted it can upload megolm session keys generate fallback keys and receive encrypted content
Device signing bootstrap
Device generates key pair and uploads to HS
Cross-signing device keys using the main key
Either the device can open the main key and sign itself (in case we are the first device or verify via SSSS recovery)
Otherwise another device must sign the newly added key after verification (e.g. SAS verification)
megolm session keys
Each key used to encrypt one event
Only encrypt to verified sessions
Fallback onto persistent, rotating fallback keys per megolm session
SSSS
Secure Secret Storage and Sharing
[ssss]
Encrypted storage for megolm sessions
Used for online key backup
Contains cross-signing keys
root of [trust]
SAS
short authentication [strings]
SAS verification [methods]
String comparison
Emoji comparison
QR code
[your unknown fourth option]
cross [signing]
If you receive your own master key, you sign it with your own device key
If you receive a device key of your own account, you sign it with your own self-signing key
If you receive another persons master key, you sign it with your own user-signing key
further [reading]
https://spec.matrix.org/latest/client-server-api/#end-to-end-encryption
https://matrix.org/docs/older/e2ee-cross-signing/
https://blog.neko.dev/posts/unable-to-decrypt-matrix.html
Made with Slides.com