Key Transparency

[soatok]

Background

In the section on Key Substitution, you wrote:

One mitigation for this attack is key-fingerprint verification, in which participants in a group compare the fingerprints they see for keys for an identity.

Professional cryptographers tell me they have never verified a key fingerprint or safety number in their private chats with their family members. This is a box-checking exercise that only the most pedantic tech nerds will ever bother with. This doesn't provide security for most users.

The cryptography and privacy communities have spent 30 or so years trying to get Johnny to be able to encrypt in paradigms where "manually verify a key fingerprint" is part of the user experience. See also: https://cups.cs.cmu.edu/soups/2006/posters/sheng-poster_abstract.pdf

Separately, I have sketched out a proposed specification for building a special kind of ActivityPub server that can be used to provide a security property known as Key Transparency. You can read the draft specification here.

Proposal

In addition to whatever fingerprint / safety number / etc. mechanism you want to provide, key transparency should be used as an automated, distributed verification for the integrity of the mapping between Actors and their keyPackages.

To this end, W3C SHOULD adopt a specification for Key Transparency, and use it to augment the security of the current MLS-based design. This is the direction that incumbent E2EE systems today are moving towards (WhatsApp, Signal, etc.).

If there is any interest in adopting my designs, I've released my relevant work under public domain (as well as a public domain-equivalent license, CC0, for jurisdictions that do not recognize public domain declarations).

Related Issues

• Verifiably end-to-end encrypted #14 - This provides verification of the end-to-end nature of the keys in question
• No manual key management #32 - This obviates the need for manual key management

[evanp]

This. Is. Awesome.

Thanks so much for pointing it out. I'm going to take a look and incorporate the learnings.

[evanp]

Oh, and in terms of key verification: I have actually done this! It was only because I was trying to understand how it could work. I walked through the process with Facebook Messenger with my partner. It was pretty easy.

I think the process is much more useful when you have different parties responsible for the client software and the server software. Facebook Messenger (for example) could be hiding the substituted keys in their app interface -- I'd have no way to know.

[soatok]

Oh, and in terms of key verification: I have actually done this! It was only because I was trying to understand how it could work. I walked through the process with Facebook Messenger with my partner. It was pretty easy.

Yeah, it's not insurmountable. But I know professional, Ph.D-carrying cryptographers who swear they've never done this in practice.

Anecdotally, most of my Signal contacts also have not attempted to verify my Safety Number out-of-band. (Most also have never met me in person, so there's not a highly trustworthy channel for doing so if you distrust Signal.)

I think it's a serviceable solution for power users, and it SHOULD be an option available if people wish to use it, but Key Transparency provides a robust minimum level of trust without manual user interaction.

[soatok]

Just a small update:

1. The specification is now on version 0.2.0
2. We now have a reference implementation for the server software

If you wanted to explore baking Key Transparency into the proposal for ActivityPub E2EE, even if only as a recommendation, you can now be more specific about what a concrete implementation might look like.

[soatok]

Proposed ActivityPub-E2EE Change

Add two fields alongside each KeyPackage object:

1. A contentSignature field, which MUST be present, which is a base64-encoded signature of the content field.
2. A contentSignatureKeyId field, which also MUST be present, which is a string identifying which of the actor's public keys was used to produce the signature (for when the Actor has more than one).

(You are free to change the names if you prefer a different convention.)

The public key MUST NOT be directly embedded in this object. Clients are encouraged to manage public keys asynchronously from the server's response.

Version and algorithm identifiers are not necessary for the signature field.

For the purposes of crypto agility, the algorithm selection should be determined by the public key, not the message. If a new signature algorithm is desired, adoption of this new algorithm should be solved by key rotation (generate a new keypair for that algorithm then deprecate the old one).

Note

The Public Key Directory currently only supports Ed25519 signatures, but a future revision may introduce ML-DSA or another post-quantum cryptographic signature algorithm.

Validation

a.k.a., How to use the Public Key Directory Specification to use Key Transparency for ActivityPub-E2EE.

If your ActivityPub server supports RFC 9421 (HTTP Message Signatures) and FEP-521a (in order to support Ed25519), you're most of the way there.

The Fediverse server SHOULD advertise a list of Public Key Directory servers that it federates with. Clients MAY prefer their own Public Key Directory servers.

Signing KeyPackage Contents

After enrolling your secret key

1. Calculate the signature of the content field (raw binary, not base64-encoded) using one of your secret keys.
2. Encode the signature (e.g., with base64) as contentSignature.
3. For end user ease, place the "key ID" chosen by the Public Key Directory server in the contentSignatureKeyId field.

Verifying KeyPackage Contents

When querying the server for a KeyPackage, clients SHOULD send an HTTP GET request to the Public Key Directory instances advertised by the server to fetch currently-trusted public keys for the Actor in question.

If a corresponding public key with a matching key ID is not present in the Public Key Directory API response, abort.

If the signature is not valid for content, abort.

If the signature is valid for a public key that is currently trusted for the end user, proceed with the MLS protocol.

Security Considerations

If a signing public key in the Public Key Directory is revoked, any unused KeyPackage signatures are no longer valid, but this doesn't necessarily invalidate the security of any prior conversations signed by that public key. Clients MAY (not MUST) trigger a new epoch to ensure forward secrecy.

Clients MAY verify the Merkle Tree inclusion proofs associated with each public key stored in the Public Key Directory. Clients SHOULD verify the witness co-signatures. End users MUST NOT be required to manually verify public keys or fingerprints, but clients MAY add this as an optional higher-trust mechanism.