[MLS] AD review draft-ietd-mls-protocol-16
Paul Wouters <paul.wouters@aiven.io> Mon, 05 December 2022 16:45 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13D63C1524D6 for <mls@ietfa.amsl.com>; Mon, 5 Dec 2022 08:45:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OqUSSyTjcYly for <mls@ietfa.amsl.com>; Mon, 5 Dec 2022 08:45:07 -0800 (PST)
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49165C1524D1 for <mls@ietf.org>; Mon, 5 Dec 2022 08:45:07 -0800 (PST)
Received: by mail-wr1-x42e.google.com with SMTP id m14so19496577wrh.7 for <mls@ietf.org>; Mon, 05 Dec 2022 08:45:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=udai2bL5sIWV2IZVxYAF0R6PTkUtkgbnLPL8dK7QUbE=; b=LI5UnnX1InhnLTVrEIJNFKJQQenz9VIq1bw8s8s+uSzfhsPNQbKhXn+q/Lp/doWNj/ 47oetPGNzt+vAbbDXbifL+PyT18ua43fIxFrx2BXvfieQBEK/CnlUh+d8KLCbWBmGJJC VL81Eu7hrIaq7tcsof1U+X3moamVmS1NS6AOY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=udai2bL5sIWV2IZVxYAF0R6PTkUtkgbnLPL8dK7QUbE=; b=gBao39ts0KYwJygdWHwJazmnbpNrGZKJBi6BdmCZShWnbXWn9f1iau0ntw/sLSquTd dDLnWuiiLg7OoiO3YcVp2PofNeglOjuTEAc627BoSFVCwsLb9UfRKCtmg+QPkK5duCI4 C0u6c/b1Gn+bKzB0bydmdO0Zk2prhO8Jj8ST1xESdSrlOLSqWdA60kSQyiewyhKjUpO0 FQUS/cklUbfcDYz2DHFg8YIguUkrh4//Zv8xUuOgcjVAGKM26UUYLqJrZK/NjS4o3YW4 P/lmitc77PAPBhk6cFUCYkISOZeOG6HeYCd9ewIz1vsHCzJ4Y4LHSf8ZiSY5X0rhQf9F Zu/w==
X-Gm-Message-State: ANoB5pnyrAuoZVGwNSMJ5PHr05Gv27US7pWchrFYgIUcXIXNWruWwdFL aSA64CowsDXCAs2WMnzfBIEDQ2vH5rTsDFTKlZ9teqg7NCUQW7CL
X-Google-Smtp-Source: AA0mqf6ZE34fESYu9/WcC71tNn+FmEJDyjpq94CsUxmDbkzdDzJPtnX8ov635qcMhCxlLTfIL5yphFo4yJvQHFaTPzg=
X-Received: by 2002:a5d:4a85:0:b0:242:2d83:3333 with SMTP id o5-20020a5d4a85000000b002422d833333mr14615529wrq.584.1670258704785; Mon, 05 Dec 2022 08:45:04 -0800 (PST)
MIME-Version: 1.0
From: Paul Wouters <paul.wouters@aiven.io>
Date: Mon, 05 Dec 2022 11:44:54 -0500
Message-ID: <CAGL5yWYmMpZVEBz6hWF8gq=rEHByXbTSt8Ju+jTR05QjZuC_hg@mail.gmail.com>
To: mls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c8924b05ef1768ac"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/0GWCcM5nZVwEgaaBwODIXqI3Nvg>
Subject: [MLS] AD review draft-ietd-mls-protocol-16
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Dec 2022 16:45:11 -0000
# Sec AD review of draft-ietf-mls-protocol-15 CC @paulwouters Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. This review uses the format specified in https://github.com/mnot/ietf-comments/ which allows automated tools to process items (eg to produce github issers) ## DISCUSS ### Interaction of MLS and application I find the interaction with the application layer not clear. Not much is mentioned in this document. How can a group have an administrator? How is that enforced at the MLS layer? How do ACLs interact with MLS? (How are DoS attacks mitigated (eg spam attempts to join any group). What hooks would be in the authentication service and/or delivery server? How would clients know the properties of these two services? This includes how it is not clear to me how race conditions are handled. What if two members try to expel each other at the same time? What if the group is so large, members always get their epoch wrong for things like Commit messages? ### Security against malicious members? There seems to be no group "owner", so inviting one member X, could that member than delete members from the group until the group is empty? Apparently, there is ACLs for this, but the document doesn't describe how ACLS would work or how these would be implemented. ### Should B receive its own Commit back? Figure 4 shows: ``` Group A B ... Z Directory Channel | | | | | | | Update(B) | | | | +------------------------------------------->| | | | | Update(B) | |<----------------------------------------------------------+ | |<-------------------------------------------+ | | |<----------------------------+ ``` Does the Group channel really send Update(B) back to B ? Same for the following "Commit(Upd)" from A that is sent back to A? ### Section 6.3 use of "member" ``` Each member of a group presents a credential that provides one or more identities for the member, ``` I am unsure if "one or more identities for the member" refers to identies for a single client or was meant as "a user can have multiple clients". The way it reads now is that it would be a single client that can have multiple identities. But then could a user have multiple identities on one client that do not match multiple identities on other clients. ### ENUMs limited to 1 octet? ``` enum { reserved(0), mls10(1), (255) } ProtocolVersion; ``` Would it really do harm to turn this into two octets? I don't think message size is a real concern here. Same for ContentType and SenderType. Note: thank you for skipping 0 as a valid entry!! Implementers applaud you :) ### Epoch rollover? What happens if members maliciously create huge amounts of epochs and it hits 2^64 ? ### Padding with zeros While I appreciate the zeros only for padding to avoid side channel communications, wouldn't it be too late if the if there were non-zeros in the padding? Since this message could be encrypted to multiple parties in the part of the tree, wouldn't it make sense to send a kind of alert message to everyone? That way, at least two people in the tree couldn't work together ? So instead of "MUST be rejected as malformed" do something that MUST send a message to everyone with "some content warning" ? ### XOR guard Should there be text saying that if the "reuse guard" random returns four zero bytes, it should be run again? Maybe add this to 7.3.2 where MLSSenderData has additional constrains. ### KDF.Nh ``` The key and nonce provided to the AEAD are computed as the KDF of the first KDF.Nh bytes of the ciphertext generated in the previous section. ``` I don't think I understand the security model here? What happens if the previous ciphertext has 00's for the first KDF.Nh bytes? ### Time is not on our side? ``` measured in seconds since the Unix epoch (1970-01-01T00:00:00Z) ``` Why use a time format that dies in 2038 already? IRC is older than the time given to MLS to survive :P ### lifetime field ``` it is RECOMMENDED that the client verifies that the current time is within the range of the lifetime field. ``` Why RECOMMENDED and not MUST ? ### Section 8.4 ``` path_secret[0] is sampled at random ``` What does this mean? What is sampling? What is the sample used for ? Similar in Section 8.5: ``` Set the encryption_key to the public key of a freshly sampled key pair ``` ### Section 13/14 Race conditions ? In Section 13.4.3.2, but also elsewhere, I am confused how race conditions are handled. In this section, if two clients try to each add a a new member for an External Commit join, one of them will fail on the epoch being wrong. Isn't there a similar race with removing? And any other operation that changes the epoch? How are all these race conditions handled? Section 14 does not really clarify this to me. ### Section 15.1 Why not at least always pad to a length of like 1000 bytes to avoid some of the very obvious information leaks by length? It would cover most "single line" conversation sentences. Maybe a SHOULD pad to a minimum of X ? ### NOOPs ? As stated before, I miss a defined NOOP command that allows for a continuous IPTFS like constant stream of data that would hide better when a member is conversing at all or not. ### Section 17 Algorithm entries use two octets (65535) but only allow 255 Private Use entries. I think that might be a little low. Maybe allow 0xf000 - 0xffff or something ? ### Section 17.6 ``` This document registers the "message/mls" ``` Why not use "mls/message" and keep everything within one namespace? ## COMMENTS ### memberlist unavailble before joining ``` When a client A wants to establish a group with B and C, it first initializes a group state containing only itself and downloads KeyPackages for B and C. For each member, A generates an Add and Commit message adding that member, and broadcasts them to the group. ``` So if A joins before B, A cannot tell B will become a group member ? eg the fact that A invited B and C is not visible to C or B and might come as a surprise. ### Prospective member or member ? ``` It also generates a Welcome message and sends this directly to the new member ``` Should this be "prospective member" or "invitee" ? They haven't joined yet, have they? ### "server" is ambiguous here ``` Only after A has received its Commit message back from the server ``` What server? The Delivery Service ? ### Can? ``` The set of members involved in the group can change from one epoch to the next ``` Isn't it the definition of epoch that there is a change in members? Paul: i think members refreshing their keys also means a new epoch? ### May implement correctly :-) ``` An implementation MAY use any tree representation and associated algorithms, as long as they produce correct protocol messages. ``` This MAY is super weird. Is it allowed to implement in such a way that they to NOT produce correct protocol messages? :-) Remove the entire sentence or lowercase the MAY? ### 7 or 8 members Figure 10 claims to have seven members, but I count 8, namely Y,T,X,A,B,E,F and G (not counting W, the root) ### Setion 8.7 MAY ``` An implementation MAY use any algorithm that produces the correct tree in its internal representation. ``` Another weird MAY here. Again, I would just lowercase it as this is just a pointer to a human decision, not a 2119 based protocol enforcement. ### Section 9.5 MLS Exporter I assume the export is always available to ALL members of the group ? For example for use as PSK to authenticated a TLS video stream? ### Section 10.1 encryption size ``` Each key/nonce pair MUST NOT be used to encrypt more than one message. ``` Isn't there technically also limits to how much one AEAD key and one nonce can be used to encrypt a (very very) large message? I guess this could not happen, but is there some formal message size limit in MLS ? (looking at the vectors at the start, limits could be higher than 2^64 ?) ### Section 10.2 ``` Members MAY keep unconsumed values around for some reasonable amount of time to handle out-of-order message delivery. ``` Why is this MAY and not SHOULD? ### Section 12 What happens if on the same Delivery Service, two groups with the same group id are created? Why doesn't the protocol split the group id, so one part (prefix) is always created by the DS ? ### Section 13.2 ``` For a regular, i.e. not external, commit the list is invalid if any of the following occurs: [...] ``` Why not list the requirements instead of what makes it invalid ? ### Section 13.4.3.2 That is quite some information that must be publicly available to allow external Add requests. This leaks information, eg same epoch means the group membership did not change, etc etc. I hope this will appear in the Security Considerations later :) ### Section 15.3 ``` This is in addition to ensuring that these nonce and key pairs are promptly deleted when the epoch ends. ``` This sentence with a hidden MUST is stuck between a sentence with MAY and a sentence with SHOULD. Perhaps make the MUST explicit ? ### Section 16 ``` though a complete security analysis is outside of the scope of this document. ``` Hmmm :P ### Section 16.2 ``` The second form of authentication is that group members can verify a message originated from a particular member of the group. This is guaranteed by a digital signature on each message from the sender's signature key. ``` Maybe add a sentence saying this means there is no repudiation of messages? ### Section 17.1 ``` Additionally clients that run predominantly on mobile processors can choose ChaCha20Poly1305 over AES-GCM for performance reasons. ``` Citation needed? I think most phones have AES(_GCM) in hardware too ? Also compared to HPKE operations and the times for epoch/group reinit, does this performance really matter? (eg waking up from sleep to increment the epoch would make the symmetric encryption cost pretty irrelevant. I would remove this sentence. ### Section 17.2 What is the logic to make MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519 the only MTI? It contains both FIPS and not FIPS items, pleasing no one. ### NITS I personally don't like the _underscored_ words in the html rendering of the document It "blank" the new American spelling of "blanc" ? ``` has a corresponding _hash_ that summarizes the contents ``` I find "summarizes" a strange word here. It is not the hash contains a summary one can read. [SECG] has no IETF equivalent? Should it? proposaland -> proposal and ``` Figure 13: Cleaning up after removing the third member ``` I would say "after removing member C" (avoid ambiguity about "every third") ``` This section defines _tree hashes_, and _parent hashes_ are defined in Section 8.9. ``` I read this wrong the first way, the "," vanishes due to the _unscores_. Maybe: This section defines _tree hashes_, the next section defines _parent hashes_. Or alternatively, leave onlthe the first sentence in 8.8, then put the remainder and next section in two subsections (so 8.8.1 and 8.8.2) ``` For example, a malicious group member could send ``` Maybe: For example, a malicious group member could otherwise send ``` to previously compromised public keys. ``` Maybe: to public keys whose private key was previously compromised. ``` Post-compromise security is also provided for new groups ``` This reads a little odd as "new groups" would have no history and thus no previous compromise.
- Re: [MLS] AD review draft-ietd-mls-protocol-16 Rohan Mahy
- [MLS] AD review draft-ietd-mls-protocol-16 Paul Wouters
- Re: [MLS] AD review draft-ietd-mls-protocol-16 Richard Barnes
- Re: [MLS] AD review draft-ietd-mls-protocol-16 Paul Wouters
- Re: [MLS] AD review draft-ietd-mls-protocol-16 Richard Barnes
- Re: [MLS] AD review draft-ietd-mls-protocol-16 Ted Hardie