Re: [MLS] Blocking Update messages for breaking post-compromise security
Alexander Sherkin <Alexander.Sherkin@darkmatter.ae> Thu, 18 April 2019 18:55 UTC
Return-Path: <prvs=004460946=Alexander.Sherkin@darkmatter.ae>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D829B120187 for <mls@ietfa.amsl.com>; Thu, 18 Apr 2019 11:55:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2MZdDaKg-Se9 for <mls@ietfa.amsl.com>; Thu, 18 Apr 2019 11:55:03 -0700 (PDT)
Received: from smtpext3.darkmatter.ae (smtpext3.darkmatter.ae [185.180.84.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE7C11203F1 for <mls@ietf.org>; Thu, 18 Apr 2019 11:55:01 -0700 (PDT)
IronPort-SDR: eA/Iytu4H/K0qf71GbPODU59fSC7Q4eH8WYMiI8N11di8NFeQLEMoaBkic6VZoaLY5ZrvSNnNR Wmb5cG/0PFZXrPwaaINtHUGPgON+TJI6uXGFJADiPUspvFvQZwxuxXOnVo6siSX+ZMU0qibWND HCqIKJIi5hfBUYSBe48QUOXqb7uOeYK0rYPAN4+QbPL9jR1P0xoecfj93/PC8VFpHW2YvV3+z1 II7tY6l9/aC0wtEh1pXkceWak00uKJECGSObVRd+uPSQkjnTxCA6lObYIb8ZV1ui8SGt2gsFOk 3bA=
IronPort-PHdr: 9a23:CgJk+RHqQQwIZvwT+w5Xbp1GYnF86YWxBRYc798ds5kLTJ76p8m/bnLW6fgltlLVR4KTs6sC17OP9fu9EjJfqdbZ6TZeKcQKD0dEwewt3CUYSPafDkP6KPO4JwcbJ+9lEGFfwnegLEJOE9z/bVCB6le77DoVBwmtfVEtfre9FYHdldm42P6v8JPPfQpImCC9YbRvJxmqsAndrMYbjZZ/JqorxBbEonREduVUyGh1IV6fgwvw6t2/8ZJ+7yhcoe4t+9JFXa7nY6k2ULtUASg8PWso/sPrrx7DTQWO5nsYTGoblwdDDhbG4h/nQJr/qzP2ueVh1iaUO832Vq00Vi+576h3Uh/oiTwIOCA//WrKl8F/lqNboBampxxi347ZZZyeOfRicq/Be94RWHFMVdhNWSNfHoy8bpMPD+sfMuZes4n9vEYFoR+nCQWxGO/j1jpEi3nr1qM4zushCxnL0gw+EdwTrHTaotb7NKYdXu+p16TI1ynPb/FM1Dvh9ITFcBYsquyMU7JqdsrRzFEiGh/BjlqOpo3qJTWV2fkTvGiB8uFuSOKvhHA9qwFyozivwNonh47Vi4IR1F/F+j92wIAoKtKmUk53e8OqEJtOuCGANIt2Q8UiTnp1tykg0L0Gupu7czIWyJQ72RHfceaLfJKW7R/6UuuaPDl2hHVgeL2lhhay91Ctyun9Vsmy01ZFsDdKktjKtnwXyxPT7c2HRuNh/kav2DaPyxzT5f9eIUwuiaXbLJshzqYxlpUNrUTDEDX6mELsjK+Zbkkr5/Kn6/7kYrXjvJCcK5N0hR/kMqg0gMOwH+I1ORUNUWiD4emwyaHv8VfnTLlUgfA6iLTVvIreKMgHvqK1HhNZ3pw95xqhADqqytYVkHYdIF9BZB6KiZXiNUvUL/DiF/i/hkyhkDJsx//bILLsGo7NLn3fkLf5erZ99lJcxBIzzd9B45JUDakMIPHtVU7xr9zUFwE2MgOow+r5Etlyy5kRWXiMAq+cKqzSrUOI6fw1I+WWfoAapi7xK/kj5/HwkX80gUIRcbWz0ZcJdny1Ee5qL1iDbXfontsNCWIKsRA/TOzuhl2CSzlTZ3OqUq8g4jE0Fo2nAp3FRo+wnrOBxj23EIBWZm9YEFCMEnbod4OfVvgRci2SOMxhkjkeWri9V48uywuuuBXgxLV5NubU4DEXtYr/1Nhp4O3ejQ899TluAMuA1GGNSnt7nnkSSDIt06B/pkt9yliH0admmfBXCdtT5/ZRWAcgKZHc1/B6C8z1Wg/Ze9eJTE2mT86nAT4vUtIxzcUCY0FnG9Wt3Vj/2H+HBrYZ35uODYY9uvbR2nH9IMN00X/u264mgF0rBMBIMDv1qLR48l36A4PZmkOVmrziTqQRxi3M8i/X5G6DrEheXANqF57FUGocZ03+od3j5UbLU6OjE/IuP10Smoa5NqJWZ4ix3h19T/D5NYGbOjrplg==
X-IPAS-Result: A2nPAABcx7hc/1oB4ApiAxoBAQEBAQIBAQEBBwIBAQEBgWWBDwFXgRKBLAqEBJU1ghlxSoddjS2BKxcdAwULARwBCgyBSYJ1AheGJjgTAQMBAQEEAQEBAQIBAQEBgQUMgjopARAEMRwvCwQBAQEBAQEBAQEkAQEBAQEBAQEBAQEBAQEBAQEBAQEBFAIzCAkDKQEBAQEDAQEDAR0CCAElEwgCCRIBCA0EBAEBBgEBARgHAwIEBRAPAR8JCQEEDgQBCAaDFYIXqQSBL4VHhFcQgTKEYV2DQnYQgxs/hCM+gmEBAQKBLAESAQ0ZBwkKFQIGCYJDglcEilAHASUkggmEPYdqhE+CMoV2BwKCCFSEPAEqUYQnhUWCJCOCC16FQ4xbimaCMIRLSpAHVzBaDwgzGnOCbAmBDYEEF4EBAQJFggOFFIU/co4vgSKBIQEB
X-IronPort-AV: E=Sophos;i="5.60,367,1549915200"; d="png'150?scan'150,208,217,150";a="3118136"
Received: from ForcepointDLP ([10.224.1.90]) by keys-ext2.darkmatter.ae (PGP Universal service); Thu, 18 Apr 2019 22:54:54 +0400
X-PGP-Universal: processed; by keys-ext2.darkmatter.ae on Thu, 18 Apr 2019 22:54:54 +0400
Received: from PassiveEmail (PassiveEmail [127.0.0.1]) by PassiveEmail.localdomain (Service) with ESMTP id 248E61800099; Thu, 18 Apr 2019 22:54:15 +0400 (+04)
Received: from email.darkmatter.ae (unknown [10.224.74.12]) by PassiveEmail.localdomain (Service) with ESMTPS id ED59C1800098; Thu, 18 Apr 2019 22:54:14 +0400 (+04)
From: Alexander Sherkin <Alexander.Sherkin@darkmatter.ae>
To: Emad Omara <emadomara@google.com>
CC: "mls@ietf.org" <mls@ietf.org>
Thread-Topic: [MLS] Blocking Update messages for breaking post-compromise security
Thread-Index: AdT2Fq8EwGQ6z+aDQLeq2OeQXxI1ZA==
Date: Thu, 18 Apr 2019 18:54:53 +0000
Message-ID: <f57fdfc23287463cb3ad3713faaf25b4@darkmatter.ae>
Accept-Language: en-CA, en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.224.74.90]
x-exclaimer-md-config: 77ff947c-8af8-48f1-8d81-f67dcf75dbee
MIME-Version: 1.0
Content-Language: en-US
Content-Type: multipart/related; boundary="_009_f57fdfc23287463cb3ad3713faaf25b4darkmatterae_"; type="multipart/alternative"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/2pa8W_GWeJ7tRjIg6IuBRo-_zh0>
Subject: Re: [MLS] Blocking Update messages for breaking post-compromise security
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2019 18:55:13 -0000
Hi Emad,
Could there be a setup where each A’s point of presence (device) participates as a separate leaf in the ratchet tree? The advantage of such approach may be to avoid the key synchronization problem between points of presence.
Do you see the mechanism of removing users who did not send Updates recently should be part of the protocol or should it be driven by the app?
Thank you.
Alex.
Alexander Sherkin
Software Architect
[cid:image53017f.PNG@6b191aba.42ae383e]<http://www.darkmatter.ae>
2 Robert Speck Parkway, Suite 1610
Mississauga ON L4Z 1H8
Canada
MT+1 416 414 7117<tel:+1%20416%20414%207117>
EMAlexander.Sherkin@darkmatter.ae<mailto:Alexander.Sherkin@darkmatter.ae>
darkmatter.ae<http://darkmatter.ae>
[Linkedin]<https://www.linkedin.com/company/dark-matter-llc> [Twitter] <https://twitter.com/GuardedbyGenius>
The information in this email is intended only for the person(s) or entity to whom it is addressed and may contain confidential or privileged information. If you receive this email by error, please notify us immediately, delete the original message and do not disclose the contents to any other person, use or store or copy the information in any medium and for whatever purpose. Any unauthorized use is strictly prohibited.
From: Emad Omara [mailto:emadomara@google.com]
Sent: April 17, 2019 5:12 PM
To: Alexander Sherkin <Alexander.Sherkin@darkmatter.ae>
Cc: mls@ietf.org
Subject: Malware[SUSPICIOUS MESSAGE] It may trick victims into clicking a link and downloading malware. Do not open suspicious links.Re: [MLS] Blocking Update messages for breaking post-compromise security
Hi Alex,
I think the attack makes sense, however it assumes the attacker has some sort of control for the network of all A's devices in order to perform the DoS. One mitigation we discussed before that could help in this attack is to force the max update window, so if a client has issued any update in the last N days, the app can decide to kick it out of the group, ot at least issue a warning to other users.
Emad
On Wed, Apr 17, 2019 at 1:58 PM Alexander Sherkin <Alexander.Sherkin@darkmatter.ae<mailto:Alexander.Sherkin@darkmatter.ae>> wrote:
Hello,
I think we briefly discussed this problem in the context of “inactive users”, but I want to bring this up again for discussion.
Let’s assume an attacker compromises user A and recovers user A’s cryptographic state including the leaf secret. After user A is compromised, the attacker no longer controls user A. User A will eventually send an Update message, and the attacker will no longer have access to the root key. We get post-compromise security property.
However, let’s assume that after compromising user A and recovering user A crypto state, the attacker performs a denial of service attack on user A Update messages (or all messages from user A). The attacker then observes the traffic. The attacker will be able to decrypt Update messages from other participants and decrypt data-carrying messages as long as other participants include user A in their ratchet trees.
As an interesting thought experiment, we can try to apply the same attack to one-on-one use case when double ratcheting is used. To prevent ratcheting, the attacker has to block messages from one of the participants. Practically, this means that the attacker destroys the possibility of two participants having a conversation; hence, data collected by the attack will be one participants’ monologue and may not be as valuable. In contrast, when 1 out of 1000 users is isolated, 999 remaining users will continue having productive conversation creating valuable data that the attacker may intercept and decrypt.
If the above attack vector makes sense, should we consider excluding users who did not send Update messages recently enough from the ratchet tree?
Thank you.
Alex.
Alexander Sherkin
Software Architect
[cid:image001.png@01D4F5C7.2D8B06D0]<http://www.darkmatter.ae/>
2 Robert Speck Parkway, Suite 1610
Mississauga ON L4Z 1H8
Canada
MT+1 416 414 7117<tel:+1%20416%20414%207117>
EMAlexander.Sherkin@darkmatter.ae<mailto:Alexander.Sherkin@darkmatter.ae>
darkmatter.ae<http://darkmatter.ae>
[Linkedin]<https://www.linkedin.com/company/dark-matter-llc> [Twitter] <https://twitter.com/GuardedbyGenius>
The information in this email is intended only for the person(s) or entity to whom it is addressed and may contain confidential or privileged information. If you receive this email by error, please notify us immediately, delete the original message and do not disclose the contents to any other person, use or store or copy the information in any medium and for whatever purpose. Any unauthorized use is strictly prohibited.
_______________________________________________
MLS mailing list
MLS@ietf.org<mailto:MLS@ietf.org>
https://www.ietf.org/mailman/listinfo/mls
- [MLS] Blocking Update messages for breaking post-… Alexander Sherkin
- Re: [MLS] Blocking Update messages for breaking p… Emad Omara
- Re: [MLS] Blocking Update messages for breaking p… Alexander Sherkin
- Re: [MLS] Blocking Update messages for breaking p… Emad Omara
- Re: [MLS] Blocking Update messages for breaking p… Alexander Sherkin