[WIP] QR codes, symmetric encryption, and a new securejoin protocol for broadcast channels#7042
Closed
[WIP] QR codes, symmetric encryption, and a new securejoin protocol for broadcast channels#7042
Conversation
Hocuri
changed the title
This was referenced Jul 28, 2025
Hocuri
force-pushed
the
hoc/channels-encryption-only-qrcodes
branch
from
322bf0c to
abc4e12
Compare
Hocuri
changed the title
Hocuri
force-pushed
the
hoc/channels-encryption-only-qrcodes
branch
2 times, most recently
from
983d050 to
e4e7a36
Compare
Hocuri
changed the title
Hocuri
changed the title
Hocuri
force-pushed
the
hoc/channels-encryption-only-qrcodes
branch
from
e4e7a36 to
0b365d3
Compare
2 tasks
…in a 'member added' message.
…ually add a contact to a broadcast list, don't have unpromoted broadcast lists, make basic multi-device, inviter side, work
…another one where I couldn't find the problem
…oadcast_multidevice
Not possible to use create_multiuser_record(), because it's nicer to do things in a transaction here
Hocuri
commented
Sep 10, 2025
| hash_alg: HashAlgorithm::default(), | ||
| salt, | ||
| }; | ||
| let mut msg = msg.seipd_v2( |
Collaborator
Author
There was a problem hiding this comment.
This uses SEIPD v2, while in other places, we use SEIPD v1. I assume that we used SEIPD v1 because v2 didn't exist yet at the time, and SEIPD v2 is superior, so, we should use it?
Hocuri
commented
Sep 12, 2025
Comment on lines
-4230
to
-4234
| } else if chat.typ == Chattype::InBroadcast && contact_id == ContactId::SELF { | ||
| // For incoming broadcast channels, it's not possible to remove members, | ||
| // but it's possible to leave: | ||
| let self_addr = context.get_primary_self_addr().await?; | ||
| send_member_removal_msg(context, chat_id, contact_id, &self_addr).await?; |
Collaborator
Author
There was a problem hiding this comment.
Leaving a broadcast channel now uses the same code as leaving a group, so, we don't need this block anymore.
See this code a few lines above:
if matches!(
chat.typ,
Chattype::Group | Chattype::OutBroadcast | Chattype::InBroadcast
) {
Hocuri
commented
Sep 15, 2025
Comment on lines
-4011
to
-4013
| if is_contact_in_chat(context, chat_id, contact_id).await? { | ||
| return Ok(false); | ||
| } |
Collaborator
Author
There was a problem hiding this comment.
I removed this block because we're in the else clause of if is_contact_in_chat(context, chat_id, contact_id).await?, so, this was dead code
Hocuri
commented
Sep 15, 2025
| "invalid contact_id {} for adding to group", | ||
| contact_id | ||
| ); | ||
| ensure!(!chat.is_mailing_list(), "Mailing lists can't be changed"); |
Collaborator
Author
There was a problem hiding this comment.
I removed this line because above we're ckecking ensure!(chat.typ == Chattype::Group || chat.typ == Chattype::OutBroadcast [...]), so, this was dead code
Hocuri
force-pushed
the
hoc/channels-encryption-only-qrcodes
branch
from
d5ce883 to
43d65cb
Compare
Collaborator
Author
|
Bad news: The 2-step protocol designed here would reveal Bob's display name and avatar to the server operator, if the server operator can also see the QR code. While this a rare occasion, it's bad that it's possible - a server operator could scrape the interned for QR codes, and then see if it's possible to use it to get the display name and avatar. After some discussions with @hpk42 and @link2xt, there are 2 alternatives: a 3-step protocol and a 4-step protocol that solve this problem, at the expense of taking longer. This is fine, though, because the current securejoin protocol also requires 4 steps. After some more discussions, we settled on the 4-step protocol for now, because it is a lot less complex than the 3-step protocol: 
Rationale:
About the complexity "Alice needs to create a Bob-contact without knowing his fingerprint": It should be possible for Alice to receive and answer the first message without any database changes. This will probably mean that The 4-step protocol in text form
Required security propertiesSecurity properties we want:
Security properties we probably want:
Other possibly-interesting security properties:
Security properties we don't need to talk about right now:
|
Hocuri
changed the title
Collaborator
Author
|
I decided for the following next steps:
|
12 tasks
Collaborator
FTR: The display name and avatar aren't the main problem, but Bob's cryptographic identity. The display name and avatar could be sent in the 3rd, confirmation message.
|
Hocuri
added a commit
that referenced
this pull request
Nov 3, 2025
Follow-up for #7042, part of #6884. This will make it possible to create invite-QR codes for broadcast channels, and make them symmetrically end-to-end encrypted. - [x] Go through all the changes in #7042, and check which ones I still need, and revert all other changes - [x] Use the classical Securejoin protocol, rather than the new 2-step protocol - [x] Make the Rust tests pass - [x] Make the Python tests pass - [x] Fix TODOs in the code - [x] Test it, and fix any bugs I find - [x] I found a bug when exporting all profiles at once fails sometimes, though this bug is unrelated to channels: #7281 - [x] Do a self-review (i.e. read all changes, and check if I see some things that should be changed) - [x] Have this PR reviewed and merged - [ ] Open an issue for "TODO: There is a known bug in the securejoin protocol" - [ ] Create an issue that outlines how we can improve the Securejoin protocol in the future (I don't have the time to do this right now, but want to do it sometime in winter) - [ ] Write a guide for UIs how to adapt to the changes (see deltachat/deltachat-android#3886) ## Backwards compatibility This is not very backwards compatible: - Trying to join a symmetrically-encrypted broadcast channel with an old device will fail - If you joined a symmetrically-encrypted broadcast channel with one device, and use an old core on the other device, then the other device will show a mostly empty chat (except for two device messages) - If you created a broadcast channel in the past, then you will get an error message when trying to send into the channel: > The up to now "experimental channels feature" is about to become an officially supported one. By that, privacy will be improved, it will become faster, and less traffic will be consumed. > > As we do not guarantee feature-stability for such experiments, this means, that you will need to create the channel again. > > Here is what to do: > • Create a new channel > • Tap on the channel name > • Tap on "QR Invite Code" > • Have all recipients scan the QR code, or send them the link > > If you have any questions, please send an email to delta@merlinux.eu or ask at https://support.delta.chat/. ## The symmetric encryption Symmetric encryption uses a shared secret. Currently, we use AES128 for encryption everywhere in Delta Chat, so, this is what I'm using for broadcast channels (though it wouldn't be hard to switch to AES256). The secret shared between all members of a broadcast channel has 258 bits of entropy (see `fn create_broadcast_shared_secret` in the code). Since the shared secrets have more entropy than the AES session keys, it's not necessary to have a hard-to-compute string2key algorithm, so, I'm using the string2key algorithm `salted`. This is fast enough that Delta Chat can just try out all known shared secrets. [^1] In order to prevent DOS attacks, Delta Chat will not attempt to decrypt with a string2key algorithm other than `salted` [^2]. ## The "Securejoin" protocol that adds members to the channel after they scanned a QR code This PR uses the classical securejoin protocol, the same that is also used for group and 1:1 invitations. The messages sent back and forth are called `vg-request`, `vg-auth-required`, `vg-request-with-auth`, and `vg-member-added`. I considered using the `vc-` prefix, because from a protocol-POV, the distinction between `vc-` and `vg-` isn't important (as @link2xt pointed out in an in-person discussion), but 1. it would be weird if groups used `vg-` while broadcasts and 1:1 chats used `vc-`, 2. we don't have a `vc-member-added` message yet, so, this would mean one more different kind of message 3. we anyways want to switch to a new securejoin protocol soon, which will be a backwards incompatible change with a transition phase. When we do this change, we can make everything `vc-`. [^1]: In a symmetrically encrypted message, it's not visible which secret was used to encrypt without trying out all secrets. If this does turn out to be too slow in the future, then we can remember which secret was used more recently, and and try the most recent secret first. If this is still too slow, then we can assign a short, non-unique (~2 characters) id to every shared secret, and send it in cleartext. The receiving Delta Chat will then only try out shared secrets with this id. Of course, this would leak a little bit of metadata in cleartext, so, I would like to avoid it. [^2]: A DOS attacker could send a message with a lot of encrypted session keys, all of which use a very hard-to-compute string2key algorithm. Delta Chat would then try to decrypt all of the encrypted session keys with all of the known shared secrets. In order to prevent this, as I said, Delta Chat will not attempt to decrypt with a string2key algorithm other than `salted` BREAKING CHANGE: A new QR type AskJoinBroadcast; cloning a broadcast channel is no longer possible; manually adding a member to a broadcast channel is no longer possible (only by having them scan a QR code)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Part of #6884.
This will make it possible to create invite-QR codes for broadcast channels, and make them symmetrically end-to-end encrypted.
I posted the benchmark results at #6884 (comment)
Overview of the protocol when both sides have multi-device
The technical design
The QR codes / invite links and the network protocol build on the securejoin protocol in order to secure broadcast channels against MitM attacks, to securely exchange key material, and to add a member to the broadcast channel.
The mentioned securejoin protocol has 4 steps of exchanging messages. Rather than using the same protocol for broadcast channels, I will implement an improved protocol consisting of only 2 steps, described below. I will call it Securejoin v2.
The securejoin v2 protocol has these advantages over the old protocol:
If Securejoin v2 turns out to work nicely for broadcast channels, we can also use them for group and 1:1 invites, and remove the code for securejoin v1.
The QR code / invite link scheme
I will call the channel owner's device "Alice" and the device of the user who scans / clicks on the invite link "Bob".
Alice creates an invite link like this; QR codes contain the same text.
where:
The network protocol for joining a channel - Securejoin v2
In summary, Bob sends a message that is encrypted symmetrically with the AUTH token. Alice answers by adding Bob to the broadcast channel, and sending the broadcast channel's shared secret to Bob.
This is adapted from https://securejoin.readthedocs.io/en/latest/new.html:
a) Alice generates an invite code for this broadcast channel.
b) The AUTH token is generated specifically for this broadcast channel; Alice remembers in the
tokensSQL table that this AUTH token belongs to this broadcast channel.a) Bob (the user) scans the QR code or clicks on the link. Bob saves Alice's fingerprint into the database and creates the broadcast channel chat; only messages signed with this fingerprint will be allowed in the broadcast channel.
b) Bob sends a message with the header
Secure-Join: vb-request-with-authto Alice. (vb-request-with-authfollows the scheme of the securejoin v1 messages).In the encrypted part, this message contains Bob's own fingerprint
Bob_FPin the headerSecure-Join-Fingerprint.This message additionally contains all the information Delta Chat adds in every message: Bob's public key (so that Alice can send private messages to Bob), as well as Bob's display name and avatar (so that Alice can see who joined her channel; note that Delta Chat makes it easy to create an anonymous profile where the name and avatar are not identifying).
Alice decrypts Bob's
vb-request-with-authmessage using the AUTH token from step 1a) and verifies that Bob’s Autocrypt key matches Bob_FP and that the transferred AUTH matches the one from step 1.
b) If any verification fails, the protocol terminates.
a) Alice adds Bob to the broadcast channel in her database,
b) and sends a message with the header
Secure-Join: vb-member-addedto Bob.This message contains the broadcast channel's shared secret in the header
Chat-Broadcast-Secret.This message is asymmetrically encrypted with Bob's public key; alternatively, it could be encrypted with the AUTH token, or with both the public key and the AUTH token.
Bob saves the shared secret into his database and is now able to decrypt messages that are sent into the channel.
If this network protocol works nicely in practice, we can start using it also for normal contact/group invites.
The symmetric encryption
Symmetric encryption uses a shared secret. Currently, we use AES128 for encryption everywhere in Delta Chat, so, this is what I'm using for broadcast channels (though it wouldn't be hard to switch to AES256).
vb-request-with-authhas 144 bits of entropy (seefn create_idin the code). If and when we switch to AES256, we can just generate larger AUTH tokens.fn create_broadcast_shared_secretin the code).Since the shared secrets have more entropy than the AES session keys, it's not necessary to have a hard-to-compute string2key algorithm, so, I'm using the string2key algorithm
salted. This is fast enough that Delta Chat can just try out all known shared secrets. 1 In order to prevent DOS attacks, Delta Chat will not attempt to decrypt with a string2key algorithm other thansalted2.Footnotes
In a symmetrically encrypted message, it's not visible which secret was used to encrypt without trying out all secrets. If this does turn out to be too slow in the future, then we can assign a short, non-unique (~2 characters) id to every shared secret, and send it in cleartext. The receiving Delta Chat will then only try out shared secrets with this id. Of course, this would leak a little bit of metadata in cleartext, so, I would like to avoid it. ↩
A DOS attacker could send a message with a lot of encrypted session keys, all of which use a very hard-to-compute string2key algorithm. Delta Chat would then try to decrypt all of the encrypted session keys with all of the known shared secrets. In order to prevent this, as I said, Delta Chat will not attempt to decrypt with a string2key algorithm other than
salted↩