Matrix X-Signing

3 minute read Published: 2020-05-25

Matrix X-Signing Keys

With the recent release of riot-web 1.6.0, matrix's new cross signing was released to the public. While it makes usage a lot easier, those users who want to understand what's happening underneath will likely feel overwhelmed by all the new keys that this introduces.

Scope

This blog post will skip over how olm and megolm work, this is meant as just a quick explainer of why devices can trust other devices through the usage of cross signing keys.

Previous situation

So far, every user had a key pair per device. Trusting the other devices in a room meant having to verify each of these device key pairs from each of your own devices. Not really feasible, since the amount of verifications there grows very quickly, when chats get bigger. Additionally, each time someone signs in on a new device, everyone who had previously verified them needs to verify that new device.

New situation with cross signing

Now, each user get's three additional key pairs:

MSK: The master signing key. This key is used as the root of trust for the given user and signs the other two keys.
SSK: The self signing key. This key is used by a user to sign their own devices, usually after logging in on a new device.
USK: The user signing key. This key is used to sign the master key of other users.

I've built a little diagram below to show which keys are signed by which keys, hoping that will make stuff a bit clearer.

Now, this diagram is about the situation when cross signing is already enabled, and Alice and Bob have already verified all their devices and each other. When Alice now wants to send a message from her computer in the (E2EE) DM with Bob, her computer will check what devices are in the room. It'll see itself and three other devices. Alice's "Phone", and Bob's "Phone" and "Computer". It can trust the phone, because the computer trusts the MSK, which trusts the SSK, which trusts the phone. For Bob's devices, she has a similar trust chain, from her computer, to her MSK, to her USK, to Bob's MSK, to Bob's SSK, and finally, to Bob's devices. Therefore, she can trust the devices in the channel, and will send the encryption key of those messages to those devices. Encrypting the message is done using megolm, and olm is then used to share the encryption keys for that message with the other devices in the room, but the details of that are too much for this post.