IETF Logo Mail Archive

Re: [Mimi] Metadata Minimal MIMI (MIMIMI)

Konrad Kohbrok <konrad.kohbrok@datashrine.de> Mon, 08 April 2024 15:21 UTC

Return-Path: <konrad.kohbrok@datashrine.de>
X-Original-To: mimi@ietfa.amsl.com
Delivered-To: mimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 744CFC14CEFA for <mimi@ietfa.amsl.com>; Mon, 8 Apr 2024 08:21:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.794
X-Spam-Level:
X-Spam-Status: No, score=-2.794 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=datashrine.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fc2oU1RBNZ01 for <mimi@ietfa.amsl.com>; Mon, 8 Apr 2024 08:21:15 -0700 (PDT)
Received: from mout-p-101.mailbox.org (mout-p-101.mailbox.org [IPv6:2001:67c:2050:0:465::101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59F79C14F74E for <mimi@ietf.org>; Mon, 8 Apr 2024 08:21:12 -0700 (PDT)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [10.196.197.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4VCt8f5Fkzz9sTx; Mon, 8 Apr 2024 17:21:06 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=datashrine.de; s=MBO0001; t=1712589666; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=aaT/PEFh+zTLNpVAoQWj2hp0+MydlnEy0WDKTKwezeI=; b=ASyxA8GCqXrHR0AOENJ8kGPlYJpyku4eWWOtaPC9jKZU6rQAnsi1khiHWlmSrnvpv3DGW5 ch59PhMciSMVptku4bwG3s5f27kPQlpIENrsn29QxuAnizB+iflecwzCuiaPREIxQbmzUs 2qt7gbetqhif9JaFu1lwJQXV+v6prkSSOI4K9ZHIu5Z3DiH8ydhOamG/u3SNrEUtvwHVxJ yeSEGuUr2WKPdmAzCE9/lsMjn7YfFp1720Ybmue3n4KrXaXgRSjW0q/xoxgSMv5jMydYWz e5twb9IKgL/3qA2AbvOY5GLB79Fu6BFEFBmqA96jiuU8vphKGoPBJsm/FhTeUg==
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0
From: Konrad Kohbrok <konrad.kohbrok@datashrine.de>
In-Reply-To: <CAJTd26LY4n2tnOOEhX4hS-fCEwkNwvXvY6YYA_2fyW6DU+4uZw@mail.gmail.com>
Date: Mon, 08 Apr 2024 17:20:55 +0200
Cc: Raphael Robert <ietf@raphaelrobert.com>, mimi@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <2E61A939-6F2B-4D0D-AEF0-3C330052A98D@datashrine.de>
References: <8381F4BA-4E8E-4CE0-9FEF-20CEDD30A2CC@datashrine.de> <CAJTd26KqjV1BKq9Vtar4QQ4KnPhm=dF7WbysuR-MRsM4mNOkVA@mail.gmail.com> <0E12AA02-1656-4C49-8473-3A85DC51E9C3@raphaelrobert.com> <CAJTd26LY4n2tnOOEhX4hS-fCEwkNwvXvY6YYA_2fyW6DU+4uZw@mail.gmail.com>
To: Brendan McMillion <brendanmcmillion@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mimi/Sz9iwdUhqdcy5w_GbLpPfJX-ds8>
Subject: Re: [Mimi] Metadata Minimal MIMI (MIMIMI)
X-BeenThere: mimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: More Instant Messaging Interoperability <mimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mimi>, <mailto:mimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mimi/>
List-Post: <mailto:mimi@ietf.org>
List-Help: <mailto:mimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mimi>, <mailto:mimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2024 15:21:20 -0000

Good point. We’ve been a bit vague on how the key material is transported and what it actually looks like.

Both to avoid the linear upload-overhead for inviters that you describe and to enable an easier way for new members to join externally, we will want the server to assist in a similar way that it does with the group state. At the same time, we want FS and PCS s.t. new members can’t de-pseudonymize members who had left the group previously and members that are no longer in the group can’t de-pseudonymize members that join after they are gone.

We can do this (in true MLS-fashion) via a tree-shaped key-wrapping scheme (TreeWrap?), where each parent is a symmetric key which is used to encrypt (wrap) its children. In the leaves we have the keys that wrap the keys used to decrypt the leaf credentials. The tree consisting of wrapped keys (but none of the actual keys) is uploaded to the server. Only the key wrapping the root key is required to decrypt the whole tree and thus all leaf credentials. If a member leaves the group, its direct path in the tree is replaced by newly generated and wrapped keys. The wrappers around co-path keys also have to be re-created. If a member joins the group, the tree is expanded (potentially by creating a new root key by wrapping the previous root wrapper key), or they are inserted into a previously blank spot.

To summarize: On membership changes (in particular for removes), log(n) new wrapper ciphertexts have to be uploaded. New members have to download 2n-1 wrapper ciphertexts. Adders have to include the root wrapper key in the GroupInfo. External joiners need the root wrapper key to properly authenticate all group members.

I should note that we have not tested this yet. In our implementation we have some additional key management that is a bit more lax in terms of its FS/PCS guarantees.

Cheers,
Konrad

> Am 07.04.2024 um 21:47 schrieb Brendan McMillion <brendanmcmillion@gmail.com>:
> 
> On the contrary, the proposal is to use public messages so that the DS can do what it would normally do without pseudonyms: Parse the public messages and keep a copy of the GroupInfo/ Public tree on the server to maximise efficiency. In other words, adding a new member to a groups only requires the sender to send a Commit and a Welcome. The invited member can then fetch the ratchet tree from the server. Conversely, when using External Commits, new joiners can fetch the ratchet tree from the server.
> 
>  The document says, "For the new user(s), the key material can be transported along with the Welcome, e.g. via a GroupInfo extension." I understood this to mean that the connection key for each member of the group must be shared with joining users, encrypted in the GroupInfo. There is one connection key per member, so the encrypted portion of the Welcome scales linearly with the number of members. What am I missing here?
> 
> 
> On Sun, Apr 7, 2024 at 10:37 AM Raphael Robert <ietf@raphaelrobert.com> wrote:
> Hi Brendan,
> 
> Thanks for the feedback, I’ll address your points inline:
> 
>> At first glance, it seems this approach has the same efficiency as using encrypted handshake messages. That is, when I add a user to a group, I need to upload an encrypted blob whose size scales linearly with the number of members in the group. Is that right?
> 
> 
> On the contrary, the proposal is to use public messages so that the DS can do what it would normally do without pseudonyms: Parse the public messages and keep a copy of the GroupInfo/ Public tree on the server to maximise efficiency. In other words, adding a new member to a groups only requires the sender to send a Commit and a Welcome. The invited member can then fetch the ratchet tree from the server. Conversely, when using External Commits, new joiners can fetch the ratchet tree from the server.
> 
>> I'm also concerned about the property that, if I'm ever added to even one group with a user, then I learn their connection key. Then I can use their connection key to de-anonymize them in any other group, regardless of whether I've been in that group or not.
> 
> 
> It's a valid concern, just ending up in a group with another member shouldn’t give that member access to you beyond that group. That’s why connection keys must only be shared in 1:1 connections and not in other groups. Obviously the draft is not specific enough in that regard at this point. We need to flesh this out some more.
> 
> Raphael
>  
>> 
>> On Fri, Apr 5, 2024 at 5:34 AM Konrad Kohbrok <konrad.kohbrok@datashrine.de> wrote:
>> Hi folks,
>> 
>> Raphael and I just uploaded an I-D with a proposal that sketches a pseudonym-based MIMI variant that aims to reduce MIMI’s metadata footprint. You can find it here: https://datatracker.ietf.org/doc/draft-kohbrok-mimi-metadata-minimalization/
>> 
>> We have been working on this approach for a while now and have already implemented and run a variant of what’s described in the I-D.
>> 
>> The I-D is quite high-level for now to make the concepts easier to grasp. If people are interested we can fill in gaps and add details in the next iterations.
>> 
>> Looking forward to continuing the discussion around metadata in the context of MIMI and any questions regarding our I-D!
>> 
>> Cheers,
>> Konrad
>> 
>> -- 
>> Mimi mailing list
>> Mimi@ietf.org
>> https://www.ietf.org/mailman/listinfo/mimi
>> -- 
>> Mimi mailing list
>> Mimi@ietf.org
>> https://www.ietf.org/mailman/listinfo/mimi
> 
> -- 
> Mimi mailing list
> Mimi@ietf.org
> https://www.ietf.org/mailman/listinfo/mimi

v2.23.0 | Report a Bug | By Email