IETF Logo Mail Archive

Re: [MLS] Hiding content type

Brendan McMillion <brendan@cloudflare.com> Mon, 13 July 2020 16:37 UTC

Return-Path: <brendan@cloudflare.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BED833A157B for <mls@ietfa.amsl.com>; Mon, 13 Jul 2020 09:37:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cvyWcbI3oman for <mls@ietfa.amsl.com>; Mon, 13 Jul 2020 09:37:40 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFE9E3A1578 for <mls@ietf.org>; Mon, 13 Jul 2020 09:37:40 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id b4so12785490qkn.11 for <mls@ietf.org>; Mon, 13 Jul 2020 09:37:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=49ydJxFPbJ4iRNcKSxAHwYXIQP2eLP4eX8N1OxaIXw4=; b=HoxTE1q93SZ3LsBkfBJnXX/1oMGhn3xdNaGolCi3fdHaBAEZE/GGyMTOJRoRlxIjcJ 21s3N3UAtnhE6TqzlPnVGHQEHeRaK/KsVU73mMU0Ymc3o3q/8qvGPsBO7PwC0UeSPKUD 5IDrcLLBTQhkHhrqAl7u+Ea/nPH9Gg921579U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=49ydJxFPbJ4iRNcKSxAHwYXIQP2eLP4eX8N1OxaIXw4=; b=SzVu9e/19HJUGYKeakCTYocu0dNYH5EIX+6KSC4CddvgXiZNhENNp3gz0KDYOeaECr YteZAheqQxcmjiLEL2e4OkwsrChBe7xViyKWZYVzZNanwtAH+Zo7JLBG8FsY/yD9z5Uj QCM0dByyg3NJD/Rhvy7ElbGRFbHiwmsTsppo8BK0d71UfvQWGpaXFI+73JrjMSGTvekh I4675vtQKZUM3VIhAbjGjKwy/ZdSSdEkXxjnBq1GBSbAl8FcQ0VLlGi+FeJkaflHSJ8t mlds7CmywfHlubAtRLuTPeMtDc7qiAd8EUFHVvix/zg903T/LU1uzmLkXsUF7a52rOW9 JOTA==
X-Gm-Message-State: AOAM530g64fepir2J5GBqigAWvBEkXypyajTC8nljMnKpOsJdOpgumN/ 0WHmp2WfTOG0Gcs2R0jjer5OI/G1tIct6rfQBPby+m0RRzXdxA==
X-Google-Smtp-Source: ABdhPJyjI2FunbR4ZIVseRdOWFGK+saOWIWtj2FvnVkH/xGwU5C4zShGUSVNIigUVpFRm59PzeR8H2lU/h/eAswBZew=
X-Received: by 2002:a05:620a:1007:: with SMTP id z7mr403609qkj.443.1594658259482; Mon, 13 Jul 2020 09:37:39 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgT4jBiJNCoRBsBc7hRWBX0qzmZjC8B8XmJnGcZXgEiCdg@mail.gmail.com> <CABP-pSTW=7jK2hRHLYwydOyrfimfqti0Rih=BoBpqBJDfqf4QQ@mail.gmail.com> <CAL02cgT0KWJ21m70q5cL7NKBB+-Cjvb63YpgnBGoisScNqQchQ@mail.gmail.com>
In-Reply-To: <CAL02cgT0KWJ21m70q5cL7NKBB+-Cjvb63YpgnBGoisScNqQchQ@mail.gmail.com>
From: Brendan McMillion <brendan@cloudflare.com>
Date: Mon, 13 Jul 2020 11:37:28 -0500
Message-ID: <CABP-pSR2UxWkKk6a_T9vN4cv89zCchNbN4YN=dS_qm5Ye4AjJA@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000185a8b05aa554f23"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/6hLCBrpHN0fhtltKvP-m079Pwsk>
Subject: Re: [MLS] Hiding content type
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 16:37:43 -0000

>
> As far as collision resistance, I'm not too worried about collisions among
> 64-bit random values, especially as the scope for collision is fairly
> small, arguably just one epoch.
>

The issue isn't with accidental collisions, it's with malicious ones. An
attacker can purposefully (and quickly) generate commits that create
duplicate epoch ids, and send them to a client to corrupt their group state.

I think the idea here is to be conservative by default.  There are systems
> in which you can hide the metadata you're talking about with things like
> mixnets and dropboxes.
>

It's not just being more conservative, you're making changes specifically
for very niche use-cases where I don't think the security of the whole
system has been thought through. Maybe you have an example in mind, but I
can't think of a system where this change provides any additional privacy.

On Mon, Jul 13, 2020 at 10:56 AM Richard Barnes <rlb@ipv.sx> wrote:

> On Mon, Jul 13, 2020 at 10:57 AM Brendan McMillion <brendan@cloudflare.com>
> wrote:
>
>> With respect to using an opaque epoch id, I believe this was proposed in
>> #245 <https://github.com/mlswg/mls-protocol/pull/245> and consensus was
>> against it because it makes it more difficult to implement the DS. It's
>> also not clear to me what security properties you want from an opaque epoch
>> id, because the current PR doesn't provide collision resistance and I'd
>> expect this to be a source of confusion and bugs.
>>
>
> I think the discussion on #245 got derailed a bit by the focus on
> non-linear epochs.  The point here is that even in a case where you have
> linear history, I think there's intrinsic value in the epoch ID being
> opaque because it gives intermediaries less opportunity for ossification.
>
> As far as collision resistance, I'm not too worried about collisions among
> 64-bit random values, especially as the scope for collision is fairly
> small, arguably just one epoch.
>
>
>
>> With respect to encrypting the content type, it also seems to me that
>> this would cause issues because different content types have different
>> delivery guarantees. Specifically: messages are allowed to be unordered and
>> lossy, proposals are allowed to be unordered but not lossy, and commits are
>> both ordered and not lossy. In the deployment scenarios we've talked about,
>> the DS essentially always needs to know the content type to provide this.
>> Conversely, you don't get much additional privacy from encrypting the
>> content type because an eavesdropper can see the epoch id change and infer
>> which message was a commit, or see a dropped message getting re-sent and
>> infer it was a proposal.
>>
>
> I don't disagree that there are different guarantees you need, but like I
> said, I think the idea here is to be conservative by default.  There are
> systems in which you can hide the metadata you're talking about with things
> like mixnets and dropboxes.  Keeping the ciphertext as opaque as possible
> keeps the door open to running MLS over those systems without MLS's own
> metadata undermining their privacy properties.
>
> FWIW, in the systems I'm looking at building, this PR does not make any
> difference, because clients use separate channels for Proposals/Commits vs.
> application data and the server doesn't check.
>
> --Richard
>
>
>
>>
>> On Mon, Jul 13, 2020 at 8:56 AM Richard Barnes <rlb@ipv.sx> wrote:
>>
>>> Hi all,
>>>
>>> Recall that PR#349 does two things (1) use an opaque epoch ID, and (2)
>>> encrypt the content type of the message (application / proposal / commit)
>>> [1].
>>>
>>> There was some discussion on the call last week that encrypting the
>>> content type might not be that useful, since an application that relies on
>>> a server to assure ordering of commits will need to at least be able to
>>> tell commits from other things.  Of course, even if the content type is
>>> encrypted by default, the application can add it back in authenticated
>>> data, or in some unauthenticated wrapper.
>>>
>>> Net of those considerations, I'm personally still inclined to merge the
>>> PR, to have a conservative baseline.  But those on the call thought it
>>> would be useful to pose this to the group, so please speak up if you have
>>> concerns.
>>>
>>> --Richard
>>>
>>> [1] https://github.com/mlswg/mls-protocol/pull/349
>>> _______________________________________________
>>> MLS mailing list
>>> MLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/mls
>>>
>>

v2.23.0 | Report a Bug | By Email