IETF Logo Mail Archive

[MLS] Key confirmation - Extra MAC needed?

Richard Barnes <rlb@ipv.sx> Mon, 22 October 2018 14:33 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6361B128A5C for <mls@ietfa.amsl.com>; Mon, 22 Oct 2018 07:33:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rnu6kthk5MJ9 for <mls@ietfa.amsl.com>; Mon, 22 Oct 2018 07:33:37 -0700 (PDT)
Received: from mail-ot1-x32a.google.com (mail-ot1-x32a.google.com [IPv6:2607:f8b0:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CBAD12870E for <mls@ietf.org>; Mon, 22 Oct 2018 07:33:36 -0700 (PDT)
Received: by mail-ot1-x32a.google.com with SMTP id z15so614143otm.12 for <mls@ietf.org>; Mon, 22 Oct 2018 07:33:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=vvmmZZEcwYgLOPZjCgEj7/3IGQrufkUPZ5rDGxnXXH0=; b=tqa7fM5JxmouBBpoqHtwolR9QQnnOwn5UkAq7XYcJw7QU76MQH145cttmkyLvwEFOu 1i9ueNPScaoca8OI1nNAS6MwCid9GjUnD0EWjlfS37Xr3qNJtNT2qhDJ+UjDxiILbZC2 XT6rFYUUOCRibfa021k4uEiaZAR1f3F4uRpUDOnkT+kz23lt+PrSCFV2yJ27oYcSXDuD L4WsPDZEGJwssPPbDLzE7DFNADJEzacvWwgxr9HijiKb4i8EkLKULYm242jfSAWRprb5 Wa+azCt/rWv3vdMXMs3JdZEZY+VLBvm2W7OqxG5x4o9fxJ1sAgN9raEl2H4clTXyOTSM 3Gvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=vvmmZZEcwYgLOPZjCgEj7/3IGQrufkUPZ5rDGxnXXH0=; b=Is4ctqKztSqU6qB30Lgor6C5AK2v9wFbHOpvvQa/FLcs4Zf/rGkwrruoMk3voLMAuF aKz2p79htfruT/P5VykG7AyZ1IH/WMPJnxQdzzn6oXD5oXuZrJ8X6j/YH02wdDof0wgd 9o+TCTIazP6MRnwGpCaXJlZA91HOl73klE4Nas9MKWE5nQxabFWqKQEH0ttqFmItthwP Hdm+AEmSntFhWIzswWkN3p7XVjT3NUc8xqzv+vhqj8SgrAuZ45TYhFtcWI0alO2oHkKp BMviAJJIvyva+0mKy7CfI4K5sp8yr9uDG6EiP/zNplApdalUvjPZLotn6y5ymjXj8Xdg uVEQ==
X-Gm-Message-State: ABuFfoimK6+sNJgodgdkesfwyzRwHak5UmyhaDk8FLppD+1oM71WdklH SKfLWgIqO+dH7Wo1WEBOtTjybXQPrZFgKtYplBLRroWm/5g=
X-Google-Smtp-Source: ACcGV61b91E0nkaM0ZaWMa8hGojq9POOCDYMqHFA5t1LWv4gAKFVVCyw6Y/5r9l9wxuanh+ej5AyfnU3rsjaICqEQ8E=
X-Received: by 2002:a9d:2377:: with SMTP id k52mr29944054otd.238.1540218815460; Mon, 22 Oct 2018 07:33:35 -0700 (PDT)
MIME-Version: 1.0
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 22 Oct 2018 10:33:22 -0400
Message-ID: <CAL02cgTk+mBNi8jDicN8jmpGZkixTOu541MVEFj7SSgroL8DHg@mail.gmail.com>
To: mls@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005f4f270578d2232b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/-KxyDqVb9NVMkKNIWyAjzcGFoWU>
Subject: [MLS] Key confirmation - Extra MAC needed?
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Oct 2018 14:33:39 -0000

Hey all,

In the just-released -02 draft of MLS, I've added a key confirmation step
to the handshake authentication process.  Important question after "====="
below...

In the previous draft, there was an authentication mechanism that ensured
that if two group members ended up with different GroupState objects, then
they would have different keys.  However, it did not provide any way for
group members to recognize that this was the case, except for AEAD checks
on encrypted messages failing.  With explicit key confirmation, the
recipient of a Handshake message knows that if processing of the handshake
message succeeds, then the recipient has the same GroupState as the sender.

This provides a degree of protection against malicious insiders that send
different TreeKEM values to different parts of the tree.  Namely, only the
subset of the tree that got the key matching the key confirmation will
accept the Handshake message; the others will be locked out. (Assuming a
broadcast channel; if the sender can send different key confirmations to
different recipients, then this is no help.). This isn't complete
protection, but at least the locked-out members know they've been locked
out, and can complain about it.

=====

The major question here is whether it's sufficient to derive a key
confirmation value from the key schedule and publish it, or whether the
value derived in the key schedule should be used as a MAC key to generate a
MAC over the message transcript.   I've posted PRs for both; the latter is
what I merged in -02

Derive: https://github.com/mlswg/mls-protocol/pull/72
MAC: https://github.com/mlswg/mls-protocol/pull/71

On the one hand, the MAC-based approach is what is done in TLS.  It feels
safer, because we never publish anything that's in the key schedule diagram.

On the other hand, the Derive-Secret operation used to create the key
confirmation value in the key schedule is **already** based on HMAC.  So it
doesn't seem like the extra MAC step is adding that much value.

If we can convince ourselves that the Derive approach (without the extra
MAC) is sufficient, I would prefer to do that, since it's simpler.  But
feedback on this point would be very much appreciated.

--Richard

v2.23.0 | Report a Bug | By Email