@@ -422,13 +422,19 @@ Device verification may reach one of several conclusions. For example:
422422 decrypted by such a device. For the Olm protocol, this is documented at
423423 https://matrix.org/git/olm/about/docs/signing.rst.
424424
425- Key sharing
426- -----------
425+ .. section name changed, so make sure that old links keep working
426+ key-sharing :
427+
428+ Sharing keys between devices
429+ ----------------------------
427430
428431If Bob has an encrypted conversation with Alice on his computer, and then logs in
429432through his phone for the first time, he may want to have access to the previously
430- exchanged messages. To address this issue, events exist for requesting and sending
431- keys from device to device.
433+ exchanged messages. To address this issue, several methods are provided to
434+ allow users to transfer keys from one device to another.
435+
436+ Key requests
437+ ~~~~~~~~~~~~
432438
433439When a device is missing keys to decrypt messages, it can request the keys by
434440sending `m.room_key_request `_ to-device messages to other devices with
@@ -447,6 +453,111 @@ previously-received ``request`` message with the same ``request_id`` and
447453 A reasonable stategy is for a user's client to only send keys requested by the
448454 verified devices of the same user.
449455
456+ Key exports
457+ ~~~~~~~~~~~
458+
459+ Keys can be manually exported from one device to an encrypted file, copied to
460+ another device, and imported. The file is encrypted using a user-supplied
461+ passphrase, and is created as follows:
462+
463+ 1. Encode the sessions a JSON object, formatted as described in `Key export
464+ format `_.
465+ 2. Generate a 512-bit key from the user-entered passphrase by computing
466+ `PBKDF2 `_\( HMAC-SHA-512, passphrase, S, N, 512), where S is a 128-bit
467+ cryptographically-random salt and N is the number of rounds. N should be at
468+ least 100,000. The keys K and K' are set to the first and last 256 bits of
469+ this generated key, respectively. K is used as an AES-256 key, and K' is
470+ used as an HMAC-SHA-256 key.
471+ 3. Serialize the JSON object as a UTF-8 string, and encrypt it using
472+ AES-CTR-256 with the key K generated above, and with a 128-bit
473+ cryptographically-random initialization vector, IV, that has bit 63 set to
474+ zero. (Setting bit 63 to zero in IV is needed to work around differences in
475+ implementations of AES-CTR.)
476+ 4. Concatenate the following data:
477+
478+ ============ ===============================================================
479+ Size (bytes) Description
480+ ============ ===============================================================
481+ 1 Export format version, which must be ``0x01 ``.
482+ 16 The salt S.
483+ 16 The initialization vector IV.
484+ 4 The number of rounds N, as a big-endian unsigned 32-bit integer.
485+ variable The encrypted JSON object.
486+ 32 The HMAC-SHA-256 of all the above string concatenated together,
487+ using K' as the key.
488+ ============ ===============================================================
489+
490+ 5. Base64-encode the string above. Newlines may be added to avoid overly long
491+ lines.
492+ 6. Prepend the resulting string with ``-----BEGIN MEGOLM SESSION DATA----- ``,
493+ with a trailing newline, and append ``-----END MEGOLM SESSION DATA----- ``,
494+ with a leading and trailing newline.
495+
496+ Key export format
497+ <<<<<<<<<<<<<<<<<
498+
499+ The exported sessions are formatted as a JSON object of type ``ExportData ``
500+ described as follows:
501+
502+ ``ExportData ``
503+
504+ =============== ================= ==============================================
505+ Parameter Type Description
506+ =============== ================= ==============================================
507+ sessions ``[SessionData] `` Required. The sessions that are being
508+ exported.
509+ =============== ================= ==============================================
510+
511+ ``SessionData ``
512+
513+ .. table ::
514+ :widths: auto
515+
516+ =============================== =========== ====================================
517+ Parameter Type Description
518+ =============================== =========== ====================================
519+ algorithm string Required. The encryption algorithm
520+ that the session uses. Must be
521+ ``m.megolm.v1.aes-sha2 ``.
522+ forwarding_curve25519_key_chain [string] Required. Chain of Curve25519 keys
523+ through which this session was
524+ forwarded, via
525+ `m.forwarded_room_key `_ events.
526+ room_id string Required. The room where the
527+ session is used.
528+ sender_key string Required. The Curve25519 key of the
529+ device which initiated the session
530+ originally.
531+ sender_claimed_keys {string: Required. The Ed25519 key of the
532+ integer} device which initiated the session
533+ originally.
534+ session_id string Required. The ID of the session.
535+ session_key string Required. The key for the session.
536+ =============================== =========== ====================================
537+
538+ Example:
539+
540+ .. code :: json
541+
542+ {
543+ "sessions" : [
544+ {
545+ "algorithm" : " m.megolm.v1.aes-sha2"
546+ "forwarding_curve25519_key_chain" : [
547+ " hPQNcabIABgGnx3/ACv/jmMmiQHoeFfuLB17tzWp6Hw"
548+ ],
549+ "room_id" : " !Cuyf34gef24t:localhost"
550+ "sender_key" : " RF3s+E7RkTQTGF2d8Deol0FkQvgII2aJDf3/Jp5mxVU"
551+ "sender_claimed_keys" : {
552+ "ed25519" : " <device ed25519 identity key>"
553+ },
554+ "session_id" : " X3lUlvLELLYxeTx4yOVu6UDpasGEVO0Jbu+QFnm0cKQ"
555+ "session_key" : " AgAAAADxKHa9uFxcXzwYoNueL5Xqi69IkD4sni8Llf..."
556+ },
557+ ...
558+ ]
559+ }
560+
450561
451562--------------------
452563
@@ -724,6 +835,7 @@ Example response:
724835.. _`Megolm specification` : http://matrix.org/docs/spec/megolm.html
725836.. _`JSON Web Key` : https://tools.ietf.org/html/rfc7517#appendix-A.3
726837.. _`W3C extension` : https://w3c.github.io/webcrypto/#iana-section-jwk
838+ .. _`PBKDF2` : https://tools.ietf.org/html/rfc2898#section-5.2
727839
728840.. _`Signing JSON` : ../appendices.html#signing-json
729841
0 commit comments