IETF Logo Mail Archive

Re: [MLS] Deniability -> "recording"?

Dave Cridland <dave@cridland.net> Thu, 23 January 2020 15:36 UTC

Return-Path: <dave@cridland.net>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84CB212083E for <mls@ietfa.amsl.com>; Thu, 23 Jan 2020 07:36:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cridland.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 38UHt1fEb3a0 for <mls@ietfa.amsl.com>; Thu, 23 Jan 2020 07:36:01 -0800 (PST)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D13512083D for <mls@ietf.org>; Thu, 23 Jan 2020 07:36:01 -0800 (PST)
Received: by mail-lf1-x12e.google.com with SMTP id l18so2642699lfc.1 for <mls@ietf.org>; Thu, 23 Jan 2020 07:36:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/57Yi9akjFf+EQYQ1nSASh9G+DmfbjUabxMvbb7Bdk4=; b=NGFvizWRu1S/jQwOo6VMKpI4fBxjASaw1rPEITpymrbdDwujp5nTztqW2bAyql77PL eEAdorHWfIlR7dRD49Az7ZS9O4VfFDYnI30FuOXovskDFUhk8vcwfvwSXKWZZNBZODF+ ZRt0mPM/lvHZhLgmqOlKl5LseEeGZolT444a0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/57Yi9akjFf+EQYQ1nSASh9G+DmfbjUabxMvbb7Bdk4=; b=ffa0rM6B5NKjwlx9Osbvi0em5XB+5uJRRGs44JK/wGsvMN8WYU1pKIsyBJBgCGxL7/ BCy2QUXQhFWcOhjJi6kSRQYgvCOe+2g7oMNhkPy8mCAL3EMu8C6O7P06bVSE9knoBSFf k36/lRtWnWu2/4CYbRtwghd8Ko5zd7tzLnDRnHGfbUxjVhIGpo8jR03hyBnSXVmycDKF 2equ2KXgDlOYPcSLCIbg/eHwO56cQg59RE9vEI7pbTVQ1e5AS32KS/L4IV7JIy/h/Unc +doPq4ASOaxUwDdJTZAtQRH5t64SzM8hl0fWrwMsGGoDk0wSHEhIwaeB4CIHir9VrewR +Urw==
X-Gm-Message-State: APjAAAVnmAKLPeP8WeK/PEOMvVWz+f7BatqSDsPBsJ/KxrtNypGk7etD Ksef5EaH/Fa5uyzRXT1LmEE8+T2+yLu9GFgPXHHAKf9Q+JU=
X-Google-Smtp-Source: APXvYqzVAeU9CSiwuHP385duVvbfiRPVNGbvxoE7/JyL/OQitPJjG0xQKwzCMfPoNh1O5JSPqX5L7rMghL9VruHyTfQ=
X-Received: by 2002:ac2:5549:: with SMTP id l9mr5006349lfk.53.1579793759278; Thu, 23 Jan 2020 07:35:59 -0800 (PST)
MIME-Version: 1.0
References: <2060195243.218290.1579787145340.ref@mail.yahoo.com> <2060195243.218290.1579787145340@mail.yahoo.com> <eefe9673-37e0-d244-14c5-dd34e4256cf7@gmail.com> <CAKHUCzzV1Rs+iVUYpXt7kjn+ockynCpw72Erwp3FE391Rt6VMQ@mail.gmail.com> <be7679c1-ec38-f878-98ab-b8ba4eb8f198@datashrine.de>
In-Reply-To: <be7679c1-ec38-f878-98ab-b8ba4eb8f198@datashrine.de>
From: Dave Cridland <dave@cridland.net>
Date: Thu, 23 Jan 2020 15:35:48 +0000
Message-ID: <CAKHUCzyQ9N1179j0OZX9HQiYwqKwt2TJoZBpo0YfO-WDB8OdPA@mail.gmail.com>
To: Konrad Kohbrok <konrad.kohbrok@datashrine.de>
Cc: mls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d738e3059cd06523"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/-nS11tCmIiPxiDRPJILdgZ7aQYo>
Subject: Re: [MLS] Deniability -> "recording"?
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2020 15:36:03 -0000

On Thu, 23 Jan 2020 at 14:55, Konrad Kohbrok <konrad.kohbrok@datashrine.de>
wrote:

> Hi Dave,
>
> I'm not sure, I understand your use-case here.
>
>
I work for Pando, doing clinical messaging within the NHS in the UK, and
elsewhere. Quite happy for the NHS to read doctors' and nurses' messages
about patients, less happy for us to be exposed or for anyone who picks up
a nurse's phone.


> Regarding FS: Any participant is free to just keep a log of the
> plaintexts, thus
> circumventing any FS guarantee. If you want to log the keys, any party can
> do
> that as well. If I'm not mistaken could also simply opt not to use an
> RTreeKEM
> ciphersuite and never update the recording party's leaf key.
>
>
We can't, actually, but as I say we can export a stable key for message
encryption at each epoch so we're covered.

(We cannot keep a log of the plaintexts since that would place persistent
plaintext data on the user devices which would be problematic for us, since
it's patient data).


> Regarding deniability: Similarly, any member of a group can simply sign
> their
> messages using their static identity key at the application layer. This
> would
> effectively destroy deniability, but it is up to the application to make
> that
> decision.
>

Yes, that would probably work.

I guess my point is that destroying deniability (and FS) at the application
> layer is easier then getting it if it is not built into the protocol in the
> first place.
>

Almost certainly; though this is an ever-increasing number of hoops to jump
through. My concern is that baking in a very particular definition of
"security" runs the risk that it either outright prevents the use in some
cases, or simply prices people out of the market in technical knowledge
terms.

I am already going to end up writing much more cryptographic code than I'd
like to use MLS. Writing more doesn't fill me with confidence.


>
> Cheers,
> Konrad
>
> On 23.01.20 15:30, Dave Cridland wrote:
> >
> >
> > On Thu, 23 Jan 2020 at 13:59, Cas Cremers <cas.cremers@gmail.com
> > <mailto:cas.cremers@gmail.com>> wrote:
> >
> >     We're aiming for security first, I think.
> >
> >
> > If we mandate deniability and mandate PFS, then the risk is that the
> threat
> > model ends up less applicable.
> >
> > We can work around the PFS by (in effect) using MLS as a groupwise key
> exchange
> > protocol and exporting a longer term key for message encryption, but if
> we
> > destroy cryptographic integrity post-facto, as I assume we mean by
> deniability,
> > then that makes life increasingly unpleasant for the cases where people
> actually
> > want different properties.
> >
> > In short, preventing various groups making use of MLS is not security
> first.
> >
> > Dave.
> >
> > _______________________________________________
> > MLS mailing list
> > MLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/mls
> >
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>

v2.23.0 | Report a Bug | By Email