Re: [MLS] Hiding content type
Brendan McMillion <brendan@cloudflare.com> Mon, 13 July 2020 16:37 UTC
Return-Path: <brendan@cloudflare.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BED833A157B for <mls@ietfa.amsl.com>; Mon, 13 Jul 2020 09:37:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cvyWcbI3oman for <mls@ietfa.amsl.com>; Mon, 13 Jul 2020 09:37:40 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFE9E3A1578 for <mls@ietf.org>; Mon, 13 Jul 2020 09:37:40 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id b4so12785490qkn.11 for <mls@ietf.org>; Mon, 13 Jul 2020 09:37:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=49ydJxFPbJ4iRNcKSxAHwYXIQP2eLP4eX8N1OxaIXw4=; b=HoxTE1q93SZ3LsBkfBJnXX/1oMGhn3xdNaGolCi3fdHaBAEZE/GGyMTOJRoRlxIjcJ 21s3N3UAtnhE6TqzlPnVGHQEHeRaK/KsVU73mMU0Ymc3o3q/8qvGPsBO7PwC0UeSPKUD 5IDrcLLBTQhkHhrqAl7u+Ea/nPH9Gg921579U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=49ydJxFPbJ4iRNcKSxAHwYXIQP2eLP4eX8N1OxaIXw4=; b=SzVu9e/19HJUGYKeakCTYocu0dNYH5EIX+6KSC4CddvgXiZNhENNp3gz0KDYOeaECr YteZAheqQxcmjiLEL2e4OkwsrChBe7xViyKWZYVzZNanwtAH+Zo7JLBG8FsY/yD9z5Uj QCM0dByyg3NJD/Rhvy7ElbGRFbHiwmsTsppo8BK0d71UfvQWGpaXFI+73JrjMSGTvekh I4675vtQKZUM3VIhAbjGjKwy/ZdSSdEkXxjnBq1GBSbAl8FcQ0VLlGi+FeJkaflHSJ8t mlds7CmywfHlubAtRLuTPeMtDc7qiAd8EUFHVvix/zg903T/LU1uzmLkXsUF7a52rOW9 JOTA==
X-Gm-Message-State: AOAM530g64fepir2J5GBqigAWvBEkXypyajTC8nljMnKpOsJdOpgumN/ 0WHmp2WfTOG0Gcs2R0jjer5OI/G1tIct6rfQBPby+m0RRzXdxA==
X-Google-Smtp-Source: ABdhPJyjI2FunbR4ZIVseRdOWFGK+saOWIWtj2FvnVkH/xGwU5C4zShGUSVNIigUVpFRm59PzeR8H2lU/h/eAswBZew=
X-Received: by 2002:a05:620a:1007:: with SMTP id z7mr403609qkj.443.1594658259482; Mon, 13 Jul 2020 09:37:39 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgT4jBiJNCoRBsBc7hRWBX0qzmZjC8B8XmJnGcZXgEiCdg@mail.gmail.com> <CABP-pSTW=7jK2hRHLYwydOyrfimfqti0Rih=BoBpqBJDfqf4QQ@mail.gmail.com> <CAL02cgT0KWJ21m70q5cL7NKBB+-Cjvb63YpgnBGoisScNqQchQ@mail.gmail.com>
In-Reply-To: <CAL02cgT0KWJ21m70q5cL7NKBB+-Cjvb63YpgnBGoisScNqQchQ@mail.gmail.com>
From: Brendan McMillion <brendan@cloudflare.com>
Date: Mon, 13 Jul 2020 11:37:28 -0500
Message-ID: <CABP-pSR2UxWkKk6a_T9vN4cv89zCchNbN4YN=dS_qm5Ye4AjJA@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000185a8b05aa554f23"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/6hLCBrpHN0fhtltKvP-m079Pwsk>
Subject: Re: [MLS] Hiding content type
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 16:37:43 -0000
> > As far as collision resistance, I'm not too worried about collisions among > 64-bit random values, especially as the scope for collision is fairly > small, arguably just one epoch. > The issue isn't with accidental collisions, it's with malicious ones. An attacker can purposefully (and quickly) generate commits that create duplicate epoch ids, and send them to a client to corrupt their group state. I think the idea here is to be conservative by default. There are systems > in which you can hide the metadata you're talking about with things like > mixnets and dropboxes. > It's not just being more conservative, you're making changes specifically for very niche use-cases where I don't think the security of the whole system has been thought through. Maybe you have an example in mind, but I can't think of a system where this change provides any additional privacy. On Mon, Jul 13, 2020 at 10:56 AM Richard Barnes <rlb@ipv.sx> wrote: > On Mon, Jul 13, 2020 at 10:57 AM Brendan McMillion <brendan@cloudflare.com> > wrote: > >> With respect to using an opaque epoch id, I believe this was proposed in >> #245 <https://github.com/mlswg/mls-protocol/pull/245> and consensus was >> against it because it makes it more difficult to implement the DS. It's >> also not clear to me what security properties you want from an opaque epoch >> id, because the current PR doesn't provide collision resistance and I'd >> expect this to be a source of confusion and bugs. >> > > I think the discussion on #245 got derailed a bit by the focus on > non-linear epochs. The point here is that even in a case where you have > linear history, I think there's intrinsic value in the epoch ID being > opaque because it gives intermediaries less opportunity for ossification. > > As far as collision resistance, I'm not too worried about collisions among > 64-bit random values, especially as the scope for collision is fairly > small, arguably just one epoch. > > > >> With respect to encrypting the content type, it also seems to me that >> this would cause issues because different content types have different >> delivery guarantees. Specifically: messages are allowed to be unordered and >> lossy, proposals are allowed to be unordered but not lossy, and commits are >> both ordered and not lossy. In the deployment scenarios we've talked about, >> the DS essentially always needs to know the content type to provide this. >> Conversely, you don't get much additional privacy from encrypting the >> content type because an eavesdropper can see the epoch id change and infer >> which message was a commit, or see a dropped message getting re-sent and >> infer it was a proposal. >> > > I don't disagree that there are different guarantees you need, but like I > said, I think the idea here is to be conservative by default. There are > systems in which you can hide the metadata you're talking about with things > like mixnets and dropboxes. Keeping the ciphertext as opaque as possible > keeps the door open to running MLS over those systems without MLS's own > metadata undermining their privacy properties. > > FWIW, in the systems I'm looking at building, this PR does not make any > difference, because clients use separate channels for Proposals/Commits vs. > application data and the server doesn't check. > > --Richard > > > >> >> On Mon, Jul 13, 2020 at 8:56 AM Richard Barnes <rlb@ipv.sx> wrote: >> >>> Hi all, >>> >>> Recall that PR#349 does two things (1) use an opaque epoch ID, and (2) >>> encrypt the content type of the message (application / proposal / commit) >>> [1]. >>> >>> There was some discussion on the call last week that encrypting the >>> content type might not be that useful, since an application that relies on >>> a server to assure ordering of commits will need to at least be able to >>> tell commits from other things. Of course, even if the content type is >>> encrypted by default, the application can add it back in authenticated >>> data, or in some unauthenticated wrapper. >>> >>> Net of those considerations, I'm personally still inclined to merge the >>> PR, to have a conservative baseline. But those on the call thought it >>> would be useful to pose this to the group, so please speak up if you have >>> concerns. >>> >>> --Richard >>> >>> [1] https://github.com/mlswg/mls-protocol/pull/349 >>> _______________________________________________ >>> MLS mailing list >>> MLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/mls >>> >>
- [MLS] Hiding content type Richard Barnes
- Re: [MLS] Hiding content type Brendan McMillion
- Re: [MLS] Hiding content type Richard Barnes
- Re: [MLS] Hiding content type Raphael Robert
- Re: [MLS] Hiding content type Brendan McMillion
- Re: [MLS] Hiding content type Hale, Britta (CIV)
- Re: [MLS] Hiding content type Richard Barnes
- Re: [MLS] Hiding content type Brendan McMillion
- Re: [MLS] Hiding content type Richard Barnes
- Re: [MLS] Hiding content type Brendan McMillion
- Re: [MLS] Hiding content type Chelsea Komlo
- Re: [MLS] Hiding content type Hale, Britta (CIV)
- Re: [MLS] Hiding content type Richard Barnes
- Re: [MLS] Hiding content type Richard Barnes
- Re: [MLS] Hiding content type Brendan McMillion
- Re: [MLS] Hiding content type Chelsea Komlo
- Re: [MLS] Hiding content type Brendan McMillion
- Re: [MLS] Hiding content type Chelsea Komlo