Olm sessions can get out of sync #2330
Comments
|
We probably want a way to expire old sessions anyway, so will need to consider these together. |
|
I'm also seeing established Olm sessions being out of sync (the symptoms being that both ends can send a message using the session, but neither can decrypt). The Olm protocol/algorithm doesn't make it easy to figure out why that is happening, but obviously it can't be just due to expired one-time keys. Possibly #2325 could be a factor. Either way, we're probably going to need to figure out a way to expire old olm sessions. |
richvdh
added
the
S-Major
|
I'm coming to the conclusion that the most effective way to do this will be for senders just to use the Olm session that they most recently received a message on. (This is also the approach used by Signal's Sesame algorithm: https://whispersystems.org/docs/specifications/sesame/#receiving-messages.) The concern with this approach is that it could weaken security by allowing an attacker to initiate a new Olm session which he controls. For instance, if Eve compromises Bob's device keys, she can send a new message to Alice which will appear to come from Bob; and Alice will then use that session to send new messages, thinking she is sending them to Bob. On the other hand, Eve can do that now - she just might have to try a couple of times to get a session with a lower ID than the existing one. (The current algorithm is for Alice to use the session with the lowest ID, where the ID is defined as a SHA-256 of the three public keys |
|
(doing the above would also fix #2783) |
|
This should be addressed by matrix-org/matrix-js-sdk#780, though it won't fully be fixed until the Android and iOS SDKs get the same fix. |
|
The Element Android and matrix-ios-sdk contain references to the keyword "unwedging", so I would assume that they now do this. |
Under certain circumstances (in particular, when Alice uses one of Bob's one-time keys which has since expired), it's possible for Olm session setup to fail. Worse, there is then no backchannel, so Alice may go on sending pre-key messages over the broken session forever.
The text was updated successfully, but these errors were encountered: