IETF Logo Mail Archive

Re: [MLS] AD review draft-ietd-mls-protocol-16

Richard Barnes <rlb@ipv.sx> Mon, 05 December 2022 17:56 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE1DAC1522AE for <mls@ietfa.amsl.com>; Mon, 5 Dec 2022 09:56:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.893
X-Spam-Level:
X-Spam-Status: No, score=-1.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NDJdU9Fq7xeP for <mls@ietfa.amsl.com>; Mon, 5 Dec 2022 09:56:49 -0800 (PST)
Received: from mail-oa1-x36.google.com (mail-oa1-x36.google.com [IPv6:2001:4860:4864:20::36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5565C1522A2 for <mls@ietf.org>; Mon, 5 Dec 2022 09:56:49 -0800 (PST)
Received: by mail-oa1-x36.google.com with SMTP id 586e51a60fabf-1322d768ba7so14368177fac.5 for <mls@ietf.org>; Mon, 05 Dec 2022 09:56:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=5loPzTs1At3AJaQZpW7lGZxX+FzD9sJXo7qV/LHLJkE=; b=5IVtNPpajDqAEKa/qgEDZdO+Qk+Uxg+CHG3mImaP97H+T/ZUSl5S5mioxeQkHTVDWR 7Hgs8WotpmwaQ1ljxf4TuzqqqoPCgrpeaMWnODr0BkXE4JmtmhuKYWZaw+Wm2hJ0mHjg 8u0cmQTOmOMdcQUmknUS/0tlgSn92RBXsOERUlmpUBpX5yzeWp9CwWJ92jqiWko089FE c5OsQywdQmagEfJZdv5J0peGAYfvhSY6el3oK7uv6oD9vrk7Et/TVvXw8P0mBJrj17W3 zy6U0mFfgyPAvT10qP9bfjXJeEZMpXqcT5EuA3sSsAUc2Mt0/o6c22klpGJ7AeGSWbYk LVBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=5loPzTs1At3AJaQZpW7lGZxX+FzD9sJXo7qV/LHLJkE=; b=L5dmjPtYd3gtyEaoArZ/CnwqpXOT8lsbGNbvby/EQGr32J00rBDufoyIKd4w2ocQ4O zJ8FYmgl6v6S+kLrMPB7ePFVdVWkX9z/Uts1ONGubb44ct64t6E1HqaNPpX3tTS1PmaA op3yMAhtfi8qKw66g1owowfMjCqUlnjD95r2Xg3lmkMoD2kQbwF8RL5QFDPdcT+jzHYM XMsQgiBIT20maYfiZciVu/Wpi8OyRxZk3YzO+jZ39Xne8tbOZ0SOGwKNDFiwqSNXyvJo BFn36rMH5PB/SmiYZaxFoLCJlre15xdqk/2ve38AuSGL4hU4Q+WDN/9kvIOxHG4LXzHl egtg==
X-Gm-Message-State: ANoB5pmYLtrjJgcvEx5zlo6bgzPXnpdnIDsZKAMe65QyOIW57LMrLl39 8E6LpegPTc7aqShKw6cSWKpgyeRyCBhqGhCuOTpF36LADVU34Ft0
X-Google-Smtp-Source: AA0mqf6aCFsvpB+gScDoHz0QZQAQRF8qWmsopA34y9D9sBOw2BUk410+73m5tCZpfDLYEn9mjb3hjtMIP8AX45NFVXs=
X-Received: by 2002:a05:6870:be9b:b0:144:6585:780e with SMTP id nx27-20020a056870be9b00b001446585780emr5651699oab.85.1670263008684; Mon, 05 Dec 2022 09:56:48 -0800 (PST)
MIME-Version: 1.0
References: <CAGL5yWYmMpZVEBz6hWF8gq=rEHByXbTSt8Ju+jTR05QjZuC_hg@mail.gmail.com>
In-Reply-To: <CAGL5yWYmMpZVEBz6hWF8gq=rEHByXbTSt8Ju+jTR05QjZuC_hg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 05 Dec 2022 12:56:37 -0500
Message-ID: <CAL02cgQZ4wfrz_tg-uh2-ujJwZYntD1O2D3a7JUN89BWvUS3dg@mail.gmail.com>
To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
Cc: mls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000050804405ef18691b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/43Rn7-fThFb5SC4bhC9Wn4UdHSI>
Subject: Re: [MLS] AD review draft-ietd-mls-protocol-16
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Dec 2022 17:56:53 -0000

Thanks, Paul!  I'll take a look and generate some Issues/PRs for discussion
on Thursday.

On Mon, Dec 5, 2022 at 11:45 AM Paul Wouters <paul.wouters=
40aiven.io@dmarc.ietf.org> wrote:

> # Sec AD review of draft-ietf-mls-protocol-15
>
> CC @paulwouters
>
> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
> This review uses the format specified in
> https://github.com/mnot/ietf-comments/ which allows
> automated tools to process items (eg to produce github issers)
>
>
> ## DISCUSS
>
> ### Interaction of MLS and application
>
> I find the interaction with the application layer not clear. Not much is
> mentioned in this
> document. How can a group have an administrator? How is that enforced at
> the MLS layer?
> How do ACLs interact with MLS? (How are DoS attacks mitigated (eg spam
> attempts to join any group). What hooks would be in the authentication
> service and/or delivery server? How would clients know the properties of
> these two services?
>
> This includes how it is not clear to me how race conditions are handled.
> What if two members
> try to expel each other at the same time? What if the group is so large,
> members always get
> their epoch wrong for things like Commit messages?
>
> ### Security against malicious members?
>
> There seems to be no group "owner", so inviting one member X, could that
> member
> than delete members from the group until the group is empty?
>
> Apparently, there is ACLs for this, but the document doesn't describe how
> ACLS would
> work or how these would be implemented.
>
>
>
> ### Should B receive its own Commit back?
>
> Figure 4 shows:
> ```
>
>                                                              Group
>    A              B     ...      Z          Directory        Channel
>    |              |              |              |              |
>    |              | Update(B)    |              |              |
>    |              +------------------------------------------->|
>    |              |              |              | Update(B)    |
>    |<----------------------------------------------------------+
>    |              |<-------------------------------------------+
>    |              |              |<----------------------------+
> ```
> Does the Group channel really send Update(B) back to B ?
> Same for the following "Commit(Upd)" from A that is sent back to A?
>
> ### Section 6.3 use of "member"
> ```
>    Each member of a group presents a credential that provides one or
>    more identities for the member,
> ```
> I am unsure if "one or more identities for the member" refers to identies
> for a single client or was meant as "a user can have multiple clients".
> The way it reads now is that it would be a single client that can have
> multiple identities. But then could a user have multiple identities on
> one client that do not match multiple identities on other clients.
>
> ### ENUMs limited to 1 octet?
> ```
>  enum {
>        reserved(0),
>        mls10(1),
>        (255)
>    } ProtocolVersion;
> ```
> Would it really do harm to turn this into two octets? I don't think message
> size is a real concern here. Same for ContentType and SenderType.
> Note: thank you for skipping 0 as a valid entry!! Implementers applaud you
> :)
>
> ### Epoch rollover?
>
> What happens if members maliciously create huge amounts of epochs and it
> hits 2^64 ?
>
> ### Padding with zeros
>
> While I appreciate the zeros only for padding to avoid side channel
> communications,
> wouldn't it be too late if the if there were non-zeros in the padding?
> Since this
> message could be encrypted to multiple parties in the part of the tree,
> wouldn't
> it make sense to send a kind of alert message to everyone? That way, at
> least two
> people in the tree couldn't work together ? So instead of "MUST be
> rejected as malformed"
> do something that MUST send a message to everyone with "some content
> warning" ?
>
> ### XOR guard
>
> Should there be text saying that if the "reuse guard" random returns four
> zero bytes,
> it should be run again? Maybe add this to 7.3.2 where MLSSenderData has
> additional
> constrains.
>
> ### KDF.Nh
> ```
>    The key and nonce provided to the AEAD are computed as the KDF of the
>    first KDF.Nh bytes of the ciphertext generated in the previous
>    section.
> ```
> I don't think I understand the security model here? What happens if the
> previous
> ciphertext has 00's for the first KDF.Nh bytes?
>
> ### Time is not on our side?
> ```
> measured in seconds since the Unix epoch (1970-01-01T00:00:00Z)
> ```
> Why use a time format that dies in 2038 already? IRC is older than the
> time given
> to MLS to survive :P
>
> ### lifetime field
> ```
>    it is RECOMMENDED that the
>    client verifies that the current time is within the range of
>    the lifetime field.
> ```
> Why RECOMMENDED and not MUST ?
>
> ### Section 8.4
> ```
>    path_secret[0] is sampled at random
> ```
> What does this mean? What is sampling? What is the sample used for ?
>
> Similar in Section 8.5:
> ```
> Set the encryption_key to the public key of a freshly sampled key pair
> ```
>
> ### Section 13/14 Race conditions ?
>
> In Section 13.4.3.2, but also elsewhere, I am confused how race conditions
> are
> handled. In this section, if two clients try to each add a a new member
> for an
> External Commit join, one of them will fail on the epoch being wrong.
>
> Isn't there a similar race with removing? And any other operation that
> changes
> the epoch? How are all these race conditions handled?
>
> Section 14 does not really clarify this to me.
>
> ### Section 15.1
>
> Why not at least always pad to a length of like 1000 bytes to avoid some of
> the very obvious information leaks by length? It would cover most "single
> line"
> conversation sentences. Maybe a SHOULD pad to a minimum of X ?
>
> ### NOOPs ?
>
> As stated before, I miss a defined NOOP command that allows for a
> continuous IPTFS
> like constant stream of data that would hide better when a member is
> conversing at all
> or not.
>
> ### Section 17
>
> Algorithm entries use two octets (65535) but only allow 255 Private Use
> entries.
> I think that might be a little low. Maybe allow 0xf000 - 0xffff or
> something ?
>
> ### Section 17.6
> ```
> This document registers the "message/mls"
> ```
> Why not use "mls/message" and keep everything within one namespace?
>
> ## COMMENTS
>
> ### memberlist unavailble before joining
> ```
>    When a client A wants to establish a group with B and C, it first
>    initializes a group state containing only itself and downloads
>    KeyPackages for B and C.  For each member, A generates an Add and
>    Commit message adding that member, and broadcasts them to the group.
> ```
> So if A joins before B, A cannot tell B will become a group member ? eg
> the fact that A invited B and C is not visible to C or B and might come
> as a surprise.
>
> ### Prospective member or member ?
> ```
>    It also generates a Welcome message and sends this directly to the
>   new member
> ```
> Should this be "prospective member" or "invitee" ? They haven't joined
> yet, have they?
>
> ### "server" is ambiguous here
> ```
>    Only after A
>    has received its Commit message back from the server
> ```
> What server? The Delivery Service ?
>
>
> ### Can?
> ```
>    The set of members
>    involved in the group can change from one epoch to the next
> ```
>
> Isn't it the definition of epoch that there is a change in members?
> Paul: i think members refreshing their keys also means a new epoch?
>
> ### May implement correctly :-)
>
> ```
>    An implementation MAY use
>    any tree representation and associated algorithms, as long as they
>    produce correct protocol messages.
> ```
> This MAY is super weird. Is it allowed to implement in such a way that
> they to NOT produce correct protocol messages? :-)
>
> Remove the entire sentence or lowercase the MAY?
>
> ### 7 or 8 members
>
> Figure 10 claims to have seven members, but I count 8, namely
> Y,T,X,A,B,E,F and G  (not counting W, the root)
>
> ### Setion 8.7 MAY
> ```
>    An implementation MAY use any
>    algorithm that produces the correct tree in its internal
>    representation.
> ```
> Another weird MAY here. Again, I would just lowercase it as this is just
> a pointer to a human decision, not a 2119 based protocol enforcement.
>
> ### Section 9.5 MLS Exporter
> I assume the export is always available to ALL members of the group ?
> For example for use as PSK to authenticated a TLS video stream?
>
> ### Section 10.1 encryption size
>
> ```
> Each key/nonce pair MUST NOT be used to encrypt more than one message.
> ```
> Isn't there technically also limits to how much one AEAD key and one nonce
> can be used
> to encrypt a (very very) large message? I guess this could not happen, but
> is there some
> formal message size limit in MLS ? (looking at the vectors at the start,
> limits could be
> higher than 2^64 ?)
>
> ### Section 10.2
> ```
>    Members MAY keep
>    unconsumed values around for some reasonable amount of time to handle
>    out-of-order message delivery.
> ```
> Why is this MAY and not SHOULD?
>
> ### Section 12
>
> What happens if on the same Delivery Service, two groups with the same
> group id are created?
> Why doesn't the protocol split the group id, so one part (prefix) is
> always created by the DS ?
>
> ### Section 13.2
> ```
>    For a regular, i.e. not external, commit the list is invalid if any
>    of the following occurs:
>
>    [...]
> ```
> Why not list the requirements instead of what makes it invalid ?
>
> ### Section 13.4.3.2
>
> That is quite some information that must be publicly available to allow
> external Add requests.
> This leaks information, eg same epoch means the group membership did not
> change, etc etc. I
> hope this will appear in the Security Considerations later :)
>
> ### Section 15.3
> ```
> This is in addition to ensuring that these nonce and key pairs are promptly
>    deleted when the epoch ends.
> ```
> This sentence with a hidden MUST is stuck between a sentence with MAY and
> a sentence
> with SHOULD. Perhaps make the MUST explicit ?
>
> ### Section 16
> ```
> though a complete security analysis is outside of the scope of this
> document.
> ```
> Hmmm :P
>
> ### Section 16.2
> ```
>    The second form of authentication is that group members can verify a
>    message originated from a particular member of the group.  This is
>    guaranteed by a digital signature on each message from the sender's
>    signature key.
> ```
> Maybe add a sentence saying this means there is no repudiation of messages?
>
> ### Section 17.1
> ```
>    Additionally clients that run predominantly on mobile
>    processors can choose ChaCha20Poly1305 over AES-GCM for performance
>    reasons.
> ```
> Citation needed? I think most phones have AES(_GCM) in hardware too ?
> Also compared to HPKE operations and the times for epoch/group reinit,
> does this performance really matter? (eg waking up from sleep to increment
> the epoch would make the symmetric encryption cost pretty irrelevant. I
> would remove this sentence.
>
> ### Section 17.2
> What is the logic to make MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519 the
> only MTI? It contains both FIPS and not FIPS items, pleasing no one.
>
> ### NITS
>
> I personally don't like the _underscored_ words in the html rendering of
> the document
>
> It "blank" the new American spelling of "blanc" ?
>
> ```
> has a corresponding _hash_ that summarizes the contents
> ```
>
> I find "summarizes" a strange word here. It is not the hash contains a
> summary one can read.
>
> [SECG] has no IETF equivalent? Should it?
>
> proposaland -> proposal and
>
> ```
>            Figure 13: Cleaning up after removing the third member
> ```
> I would say "after removing member C"  (avoid ambiguity about "every
> third")
>
> ```
>    This section defines _tree
>    hashes_, and _parent hashes_ are defined in Section 8.9.
> ```
> I read this wrong the first way, the "," vanishes due to the _unscores_.
> Maybe:
> This section defines _tree hashes_, the next section defines _parent
> hashes_.
> Or alternatively, leave onlthe the first sentence in 8.8, then put the
> remainder and
> next section in two subsections (so 8.8.1 and 8.8.2)
>
> ```
> For example, a malicious group member could send
> ```
> Maybe: For example, a malicious group member could otherwise send
>
> ```
> to previously compromised public keys.
> ```
> Maybe: to public keys whose private key was previously compromised.
>
> ```
> Post-compromise security is also provided for new groups
> ```
>
> This reads a little odd as "new groups" would have no history and thus no
> previous
> compromise.
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>

v2.23.0 | Report a Bug | By Email