Re: [MLS] Encryption vs Masking for the sender information

Richard Barnes <rlb@ipv.sx> Thu, 02 May 2019 21:45 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D02F61205F3 for <mls@ietfa.amsl.com>; Thu, 2 May 2019 14:45:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bMgjN8cxoyvP for <mls@ietfa.amsl.com>; Thu, 2 May 2019 14:45:54 -0700 (PDT)
Received: from mail-ot1-x332.google.com (mail-ot1-x332.google.com [IPv6:2607:f8b0:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A67312008C for <mls@ietf.org>; Thu, 2 May 2019 14:45:54 -0700 (PDT)
Received: by mail-ot1-x332.google.com with SMTP id g8so3524445otl.8 for <mls@ietf.org>; Thu, 02 May 2019 14:45:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PKQMMwt3RN1mcDQgbBq6brDR02enCHbDScgjHHywGdo=; b=Jfzk53gEILPm4k8BKizECkXN8U4uY2vTsaFg35H+bUs6EkLc3l43PntdQYLWFNPjE5 bIesHdMU8/vF0b6EmN7HlZQG+D7sMyCHTB4rsVAMSY9Syzit51l8t1frj1xqMPsht7Ta LWl8A1NLf6FSnDyIibxnf5sHAL9ENeobFqnb3SGIAdNAvOHfD/lW09iotW+g7HQBBnyF Qkn/3gPNX25er3QMzjHrGkRP6FZafq8nJsM2TKR/2Pw/yWZvA0x9BcE2JpaArys5/c95 lmYa6gffGgfSs5oaunRHxc8qmdTFGf2R4Ln+S7QT1iNBMVW+X0c33OQNmc3i72QLah/D 5nGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PKQMMwt3RN1mcDQgbBq6brDR02enCHbDScgjHHywGdo=; b=dO1A3QwYAle/bZX22b9HDJZtx55aPl8Q/W735bxScCdiniOTRMu45hWFyKt9syeF4O tCpodn++np+3FPm3r3F9Lee+38/Ot5wS9uCu1swO8dGtqENXv6YU6fcLOTGN6SLBUlt7 0ZlMnug3Ul/b6NcoVsex0BH9D4n4oz5T5Jqdx45wUdt3zuNXt89eQ3ysVh+PJz5JWzpt W998vXLOo2ee9xE8p2Vua7q/wc5E0aJS7I5/l5kdfZR7omuNgDOjVqgUVmTJSne5Cc2y ffgEeHPlnPxuZcNcFIZi+XYxcUQd6y5v5VHLRJ7LKkCIcg+4F6FtNO3C0pj6W7KZYdbp FKsQ==
X-Gm-Message-State: APjAAAVyredXCohH0uYv2pJ2YdH1dm9kQ6xCjYQH/2GQbaK/jZ49erPp kkg0s443vLbDa/JzEGVYF1eVwKrKaxLlahy7NMlPXA==
X-Google-Smtp-Source: APXvYqyIDUxiuyA/OydgRO9LbUBngXB3v/ySe/01SAfE2YBgOuECyyXOYYiOhptaSpNNn9of6xikVSLtxvaagoYsTKo=
X-Received: by 2002:a05:6830:2059:: with SMTP id f25mr4360245otp.81.1556833553790; Thu, 02 May 2019 14:45:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAFDDyk-+pC5Q4A=TJ4L0hoj+nY0ZKU_aHesKaVTR_AdSAKopYw@mail.gmail.com> <CAL02cgQixLhetC4hj5KeVDuVbAqM+W2he+HHKdD14Tnt5seFfA@mail.gmail.com> <0DB5B36D-5A31-461A-83DF-94693284B071@gmail.com> <E272B306-A4DB-4762-9CF3-FBBDE94E24D8@inria.fr>
In-Reply-To: <E272B306-A4DB-4762-9CF3-FBBDE94E24D8@inria.fr>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 2 May 2019 17:45:25 -0400
Message-ID: <CAL02cgT6NYFu_L=v9nRBZB2cunTQ97HcenMj1DHaJ+NfQiOTDg@mail.gmail.com>
To: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, ML Messaging Layer Security <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f2cc020587ee8e0a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/3uNBsVaLmjmfEqDV3FuYo5hQYH4>
Subject: Re: [MLS] Encryption vs Masking for the sender information
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 May 2019 21:45:57 -0000

On Thu, May 2, 2019 at 5:05 AM Benjamin Beurdouche <
benjamin.beurdouche@inria.fr>; wrote:

>
> > On May 2, 2019, at 10:02 AM, Karthikeyan Bhargavan <
> karthik.bhargavan@gmail.com>; wrote:
> >
> > Looking at: https://github.com/mlswg/mls-protocol/pull/155
> >
> > I see that there is a change in metadata encryption:
> >
> >>      "sample = ciphertext[:Hash.length]
> >>      mask = HMAC(sender_data_secret, sample)[:8]
> >>      encrypted_sender_data = sender_data ^ mask
> >>      ~~~~~
> >>
> >>      This approach is similar to the one used for protection of header
> >>      information in QUIC (see Section 5.4 of {{?I-D.ietf-quic-tls}}).
> >>      Note that the sender data values are authenticated by the AEAD
> >>      and the signature, while the masked_sender_data is not and only
> >>      benefit from passive security because it depends on the ciphertext
> >
> > I disagree with this change, because it is too early to put in
> optimizations,
> > especially those that rely on non-standard cryptographic constructions.
> > I would prefer that we go back to using plain AEAD for the sender_data,
> > and that we add this kind of optimization once we have a proof that it
> is secure.
>
> Using AEAD was in my original PR (#131), but multiple PRs have been
> opened and merged together over the last few weeks leading to this state.
> I have operationnal control over #155 right now and it is not merged, so
> I would be completely fine with going back to use AEAD for now as it
> provides better protection against active adversaries anyway...
>

We published draft-05 today with AEAD instead of masking.  I have a pretty
strong preference for masking, though, because AEAD imposes a lot of
overhead.  Maybe we could discuss this at the interim?

--Richard