True identity key rotation seems somewhat important in the long term

True identity key rotation seems somewhat important in the long term, even with custom PGP keys removed. Since I saw some people seem divided on this I thought I’d put my thoughts here in case that is useful:

  1. When your password leaks for an important account, many people won’t immediately burn the account, but change the password. This action should perhaps be available to Delta Chat users after a leak. This could be for example if one of your devices was stolen in a locked state, where data access may be plausible but not imminent.

  2. I don’t think it’s the worst idea in the world to rotate the identity key every year or so if you have legitimate reasons to be paranoid, if you’re willing to accept that will render old backups unusable.

  3. If group moderation ever gets added and has group moderation attached to a fixed account, accounts may not be easy to simply abandon to get a new identity key.

  4. (Minor but still seems relevant) As I saw pointed out on the issue tracker, it might be the goal that all identity keys eventually have a certain algorithm. People who still use custom may therefore need a migration path.

Perhaps I’m missing something, however.

Edit: challenges/pitfalls of key rotation, as collected by users below:

  • QR codes won’t work anymore if they haven’t expired since anyway, same for invitation links.
  • All own devices must get the new key, hence probably all be brought online timely.
  • All contacts’ devices must get the new key, but that process might be more staggered with peer-to-peer propagation.
  • If a non-delta email client is used next to delta, the key needs manually updating.
  • Old device backups will be rendered broken and the user should understand that.

What are the challenges of key rotation in general?

  • if I printed my QR code, I have to reprint it
  • update my invitation link
  • all my devices must get the new key
  • all my contacts’ devices must have the new key (maybe the devices can exchange among each other)
  • if I use an email client, I have to update my key manually

Are there more?


I think another one is that all old device backups will become unusable.

I don’t know of any messenger that does identity key rotation.

Rotating encryption key is more realistic:

For PQC introduction if we try to migrate users to PQC, we will likely keep EdDSALegacy identity key and only update the encryption subkey, because there is no reason to invalidate identity until quantum computers exist.

I’m pretty sure Matrix allows changing the user key which breaks e2ee, but afaik keeps connections, room ownership, permissions, etc. After device theft with possible leak of all keys, you can change password and reset all keys.

If delta chat ties rights to identity key rather than e-mail, but has no such reset or rotation, the user seems to be screwed in this situation.

Or am I missing something?

This only shows that in Matrix group metadata, membership and permissions are not E2E protected. They are instead protected with homeserver keys. IIRC even the group description is not protected for encrypted groups.

In Signal there is something in-between: if you resetup but use Secure Value Recovery (enter a PIN), you get the same account ID (similar to the same email address) and restore your group membership and verifications, but your identity key is changed. Group membership is managed on the server, but in a way that the server cannot see account IDs stored there: Signal >> Blog >> Technology Preview: Signal Private Group System, The Signal Private Group System and Anonymous Credentials Supporting Efficient Verifiable Encryption
What happens if the identity key is actually compromised and available to the attacker is hard to tell, Signal >> Specifications >> The Sesame Algorithm: Session Management for Asynchronous Message Encryption just says “Security is catastrophically compromised if an attacker learns a device’s secret values, such as the identity private key and session state.”

There are Continuous Group Key Agreement protocols in development that can have “post-compromise security” and “clone detection”, but no messenger has deployed them yet AFAIK, and the protocols that are being deployed now are not decentralized:

In Delta Chat group membership is managed entirely on devices without any servers, so there is no place where you can recover your group membership from.

If a user lost the identity key, the only way to recover from this cryptographically is to tell as many peers as possible that the key is revoked, so it is removed from all chats and no messages are sent to encryption keys signed by this identity. Then you need to create a new identity and join the chats with it.

There is a draft for OpenPGP key replacement at draft-ietf-openpgp-replacementkey-03 - OpenPGP Key Replacement but in case of key compromise it cannot work automatically because the key in this case is “hard-revoked”.

For non-cryptographic means see:

I’m pretty sure it would be possible to allow an identity key rotation on a technical level to recover here, edit: for leaks not loss. It could be combined with a revocation that is enforced along/after the change.

As for Matrix, I don’t think it matters why it handles this case better.

I opened Element; in the “Security and Privacy” section of the settings it has this section:

When I click “Reset”, it shows this:

This is probably not related, don’t know what the use case is. Maybe it is the only way if you don’t have any devices anymore and logged in from scratch, but don’t know how the user will discover this option.

In the “Encryption” section I found a “Reset cryptographic identity” button:

When I click “Reset cryptographic identity”, it shows:

I clicked “Cancel” then.

This looks like just creating a new key, not key rotation. This is indistinguishable from an attacker breaking into the server and creating a new identity.


For key replacement with OpenPGP Key Replacement we can probably create a new key, move the old key into Autocrypt-2 and add “Replacement Key” subpacket to it referring to the new Autocrypt header.

See also
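To make the two mechanisms discussed in this thread concrete (the peer-to-peer revocation plus re-join described a few posts up, and the “old key signs a pointer to the new key” replacement idea just above), here is a small model of what one contact’s device would do with such announcements. It is an added example for this discussion, not Delta Chat’s code and not the encoding used by the OpenPGP key-replacement draft; the announcement format, the `Peer` trust state, the raw-hex fingerprint and the names `Announce`, `Process` and `CanEncryptTo` are all constructed for the example. It uses Go’s standard-library Ed25519 in place of OpenPGP keys. The point it demonstrates is the caveat from the draft discussion: a replacement signed by the old key can be accepted automatically only while that key is trusted; once the key is hard-revoked as compromised, a replacement it signs is indistinguishable from an attacker’s, so the device drops the whole replacement chain rooted at that key and falls back to out-of-band verification (a fresh QR scan).

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed wire format for this example; not Delta Chat's code and not the
// OpenPGP replacement-key draft's encoding.
const (
	KindReplace = "replace" // "my identity key is now New", signed by Old
	KindRevoke  = "revoke"  // "Old is compromised" (hard revocation), signed by Old
)

var ErrBadSignature = errors.New("announcement does not verify under the key it names")
var ErrUnknownKey = errors.New("announcement is not from a key trusted for this contact")
var ErrRevoked = errors.New("key is hard-revoked; a new key must be verified out of band")

// Announcement is one message a contact broadcasts to its peers about its identity key.
type Announcement struct {
	Kind string
	Old  ed25519.PublicKey // key being replaced or revoked; also the signer
	New  ed25519.PublicKey // successor key (nil for revocations)
	Sig  []byte            // signature by Old over Kind||Old||New
}

func signedBytes(kind string, old, next ed25519.PublicKey) []byte {
	return append(append([]byte(kind), old...), next...)
}

// Fingerprint names a key in the contact list (constructed: raw hex, not an OpenPGP fingerprint).
func Fingerprint(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

// GenerateIdentity creates a fresh identity key pair (a nil reader selects crypto/rand).
func GenerateIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Announce builds an announcement signed by the key it concerns.
func Announce(kind string, old ed25519.PrivateKey, next ed25519.PublicKey) Announcement {
	oldPub := old.Public().(ed25519.PublicKey)
	return Announcement{Kind: kind, Old: oldPub, New: next, Sig: ed25519.Sign(old, signedBytes(kind, oldPub, next))}
}

// Peer is what one device knows about a single contact's identity key.
type Peer struct {
	Current ed25519.PublicKey // key we encrypt to; nil means the contact must be re-verified (QR scan)
	chain   map[string]bool   // Current plus every key whose accepted replacement led to it
	revoked map[string]bool   // hard-revoked fingerprints, never trusted again
}

// NewPeer records a key learned through out-of-band verification, e.g. a QR scan.
func NewPeer(verified ed25519.PublicKey) *Peer {
	return &Peer{Current: verified, chain: map[string]bool{Fingerprint(verified): true}, revoked: map[string]bool{}}
}

// CanEncryptTo reports whether pub is the key this device would currently encrypt to.
func (p *Peer) CanEncryptTo(pub ed25519.PublicKey) bool {
	return p.Current != nil && p.Current.Equal(pub)
}

// Process applies an announcement received from the network.
func (p *Peer) Process(a Announcement) error {
	// Check lengths first: ed25519.Verify panics on a wrong-sized public key.
	if len(a.Old) != ed25519.PublicKeySize || (a.Kind == KindReplace && len(a.New) != ed25519.PublicKeySize) ||
		!ed25519.Verify(a.Old, signedBytes(a.Kind, a.Old, a.New), a.Sig) {
		return ErrBadSignature
	}
	oldFP := Fingerprint(a.Old)
	switch a.Kind {
	case KindRevoke:
		if !p.chain[oldFP] {
			return ErrUnknownKey
		}
		// The key was compromised, so any replacement it authorised may be the attacker's:
		// drop the whole chain and require re-verification out of band.
		p.revoked[oldFP] = true
		p.Current, p.chain = nil, map[string]bool{}
		return nil
	case KindReplace:
		if p.revoked[oldFP] || p.revoked[Fingerprint(a.New)] {
			return ErrRevoked // automatic replacement cannot be trusted after a hard revocation
		}
		if !p.CanEncryptTo(a.Old) {
			return ErrUnknownKey
		}
		p.Current = a.New
		p.chain[Fingerprint(a.New)] = true
		return nil
	}
	return errors.New("unknown announcement kind")
}

func main() {
	pubA, privA := GenerateIdentity()
	pubB, _ := GenerateIdentity()
	peer := NewPeer(pubA)
	fmt.Println("replace A->B:", peer.Process(Announce(KindReplace, privA, pubB)), "trusts B:", peer.CanEncryptTo(pubB))
	fmt.Println("revoke A:", peer.Process(Announce(KindRevoke, privA, nil)), "trusts B:", peer.CanEncryptTo(pubB))
	fmt.Println("replace signed by revoked A:", peer.Process(Announce(KindReplace, privA, pubB)))
}
```

Two design choices carry the thread’s argument. First, a revocation is honoured for any key in the chain, not only the current one, so if an attacker’s replacement reached a peer before the owner’s revocation did, the revocation still evicts the attacker’s key. Second, after a revocation the device trusts nothing for that contact until a new key is learned the same way the first one was, which is the “create a new identity and join the chats with it” step; nothing signed by the compromised key can shortcut that.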

This looks like just creating a new key, not key rotation. This is indistinguishable from an attacker breaking into the server and creating a new identity.

Correct, but for the leak scenario, the equivalent for a peer-to-peer messenger like Delta would be a key rotation. For loss, there’s likely no fix :dizzy_face: