e2ee: derive per-participant keys

derived from the participant id in addition to the salt, separated by a null
byte to avoid ambiguity attacks along the lines of
  (someRoom, someParticipant)
  (someRoo, mSomeParticipant)

doc/e2ee.md

@@ -14,8 +14,7 @@ It is important to note that this key should not get exchanged via the server.
 There needs to be some other means of exchanging it.
 
 From this key we derive a 128bit key using PBKDF2. We use the room name as a salt in this key generation. This is a bit weak but we need to start with information that is the same for all participants so we can not yet use a proper random salt.
-
-We derive the same key and use it for encrypting and decrypting from all participants. We are working on including the MUC resource of the sender in this in order to switch to per-participant keys which is the model want to migrate to in the end.
+We add the participant id to the salt when deriving the key which allows us to use per-sender keys. This is done to prepare the ground for the actual architecture and does not change the cryptographic properties.
 
 We plan to rotate the key whenever a participant joins or leaves. However, we need end-to-end encrypted signaling to exchange those keys so we are not doing this yet.
 

modules/e2ee/Worker.js

@@ -86,6 +86,21 @@ const code = `
             this._id = id;
         }
 
+        /**
+         * Derives a per-participant key.
+         * @param {Uint8Array} keyBytes - Value to derive key from
+         * @param {Uint8Array} salt - Salt used in key derivation
+         */
+        async deriveKey(keyBytes, salt) {
+            const encoder = new TextEncoder();
+            const idBytes = encoder.encode(this._id);
+            // Separate both parts by a null byte to avoid ambiguity attacks.
+            const participantSalt = new Uint8Array(salt.byteLength + idBytes.byteLength + 1);
+            participantSalt.set(salt);
+            participantSalt.set(idBytes, salt.byteLength + 1);
+
+            return deriveKey(keyBytes, participantSalt);
+        }
         /**
          * Sets a key and starts using it for encrypting.
          * @param {CryptoKey} key
@@ -304,7 +319,7 @@ const code = `
                 .pipeThrough(transformStream)
                 .pipeTo(writableStream);
             if (keyBytes) {
-                context.setKey(await deriveKey(keyBytes, keySalt));
+                context.setKey(await context.deriveKey(keyBytes, keySalt));
             }
         } else if (operation === 'decode') {
             const { readableStream, writableStream, participantId } = event.data;
@@ -321,13 +336,13 @@ const code = `
                 .pipeThrough(transformStream)
                 .pipeTo(writableStream);
             if (keyBytes) {
-                context.setKey(await deriveKey(keyBytes, keySalt));
+                context.setKey(await context.deriveKey(keyBytes, keySalt));
             }
         } else if (operation === 'setKey') {
             keyBytes = event.data.key;
             contexts.forEach(async context => {
                 if (keyBytes) {
-                    context.setKey(await deriveKey(keyBytes, keySalt));
+                    context.setKey(await context.deriveKey(keyBytes, keySalt));
                 } else {
                     context.setKey(false);
                 }