Re: [MLS] Use Cases for avoiding Forward Secrecy

Dennis Jackson <dennis.jackson@cs.ox.ac.uk> Wed, 28 February 2018 23:41 UTC

Return-Path: <dennis.jackson@cs.ox.ac.uk>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0205412711A for <mls@ietfa.amsl.com>; Wed, 28 Feb 2018 15:41:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TAYDeISlkdYA for <mls@ietfa.amsl.com>; Wed, 28 Feb 2018 15:41:07 -0800 (PST)
Received: from relay15.mail.ox.ac.uk (relay15.mail.ox.ac.uk [163.1.2.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F947127023 for <mls@ietf.org>; Wed, 28 Feb 2018 15:41:07 -0800 (PST)
Received: from smtp5.mail.ox.ac.uk ([163.1.2.207]) by relay15.mail.ox.ac.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <dennis.jackson@cs.ox.ac.uk>) id 1erBLN-0003hu-na for mls@ietf.org; Wed, 28 Feb 2018 23:41:05 +0000
Received: from sth-1.gradacc.ox.ac.uk ([192.76.28.109] helo=T-200) by smtp5.mail.ox.ac.uk with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <dennis.jackson@cs.ox.ac.uk>) id 1erBLN-0007TI-GV for mls@ietf.org; Wed, 28 Feb 2018 23:41:05 +0000
Date: Wed, 28 Feb 2018 23:41:04 +0000
From: Dennis Jackson <dennis.jackson@cs.ox.ac.uk>
To: mls@ietf.org
Message-ID: <20180228234104.14fde460@T-200>
In-Reply-To: <CAMm+LwjGfQj2K1krkKMfL3ZwBj0XCXK7VTkfmRDTt4d18MOk3w@mail.gmail.com>
References: <CAKHUCzxOwmPrpUUj6HSRMcxiXtRmT05OapeBQdRA49bSWum6yQ@mail.gmail.com> <f10d4e2c-7b4c-b841-eadf-056e1729c713@cs.tcd.ie> <CAMm+LwjJxdTJcPBCNh3JsjDeWODFuS3FwUPz_ztvzKpkU7X8DA@mail.gmail.com> <20180228222800.0a978ded@T-200> <CAMm+LwjGfQj2K1krkKMfL3ZwBj0XCXK7VTkfmRDTt4d18MOk3w@mail.gmail.com>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.30; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Oxford-Username: exet4027
X-Oxmail-Spam-Status: score=-0.0 tests=T_RP_MATCHES_RCVD -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
X-Oxmail-Spam-Level: /
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/6P_7kGxhMxWHk677TaeUBXJukB4>
Subject: Re: [MLS] Use Cases for avoiding Forward Secrecy
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2018 23:41:10 -0000

> ​The cost of this shared state is far from trivial at the protocol
> level as both the sending and receiving device have to be in
> synchronization. What happens when Alice and Bob have a dozen
> devices? Then we have 144 sets of shared state.​

Phillip, it's clear you've read neither the MLS draft, nor the paper it
is based on. For example: one of the key contributions is a reduction in
the amount of shared state from O(n^2) to O(log n).

> If this group is not interested in open discussion, it might be in
> the wrong standards organization.
> Trying to shut down discussion of other requirements is a REALLY BAD
> predictor of success in IETF.
> Go talk to the DANE folk and see how that worked for them. 

The discussion on PFS has been done to death, both on the TLS mailing
list and in numerous other places and I would hate to see us repeat it
for little gain. In the end, TLS 1.3 mandates that PFS be used in
every connection. I find it hard to imagine that MLS will aspire 
to a weaker security goal than TLS, but as you say, it is for the
group to decide. 

On Wed, 28 Feb 2018 18:03:31 -0500
Phillip Hallam-Baker <phill@hallambaker.com> wrote:

> On Wed, Feb 28, 2018 at 5:28 PM, Dennis Jackson
> <dennis.jackson@cs.ox.ac.uk> wrote:
> 
> > > If however we are working at the message layer, we will often
> > > want to support an asynchronous mode in which one party sends
> > > some data and another picks it up later. That does not prevent us
> > > working end to end but it does prevent us using PFS.
> >
> > This is incorrect. You may want to review the design of Signal, or
> > indeed the current MLS draft.
> 
> 
> ​No it is completely correct. The P in PFS stands for Perfect .
> 
> If Alice creates a message for Bob using only her knowledge of Bob's
> public key then it is not going to be PFS because a compromise of
> Bob's private key is a breach.
> 
> What Signal is doing is sending messages based on Bob's key plus
> state from previous communications that Alice and Bob have stored.
> Now that is providing some form of Forward Secrecy but only a
> marketing person would claim it was 'Perfect'.
> 
> ​The cost of this shared state is far from trivial at the protocol
> level as both the sending and receiving device have to be in
> synchronization. What happens when Alice and Bob have a dozen
> devices? Then we have 144 sets of shared state.​