Re: [MLS] External Commits - Resync
Raphael Robert <raphael@wire.com> Mon, 23 November 2020 13:59 UTC
Return-Path: <raphael@wire.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED4663A0B6B for <mls@ietfa.amsl.com>; Mon, 23 Nov 2020 05:59:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.002
X-Spam-Level:
X-Spam-Status: No, score=0.002 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qF1sniBVJaUY for <mls@ietfa.amsl.com>; Mon, 23 Nov 2020 05:59:31 -0800 (PST)
Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [IPv6:2a00:1450:4864:20::536]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EBCA3A0B5D for <mls@ietf.org>; Mon, 23 Nov 2020 05:59:31 -0800 (PST)
Received: by mail-ed1-x536.google.com with SMTP id y4so17174946edy.5 for <mls@ietf.org>; Mon, 23 Nov 2020 05:59:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=a8YcdhJ1HtmxlbqFp5Cix1dOdZQFJlCv8CbYNYB37DA=; b=gdLK75E6gDxt1XwiWrQRxoWTkCv95sNTN1QYdOOatZ9/ZUB3+uCxnj7cdkVSNcE+dP cZiCg/PbgC+IJU6syq14aUjB8J7N+DDIz/sf0rzcY2rOXRg9NsqySY4vwlmOLLGitVEZ hpz1+eT4EfcAmUvMwFLDSyau5Yp+0EvyoFoSUMw71FAH3nZ7c1T6e7+QZj3mS75aX5OJ A0MJON7Wor7uo2/xdnIwRnXHgX57FvZi6gpW6ovfA7tiD9ctn6XPUUUB1AemQjnp9oP8 Ck+lSr7vlrJz9sRp4xXHRPijsQGMv8xySVmHkbruZK09A5NHQjnTr2Z2hV1gek3funDM znhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=a8YcdhJ1HtmxlbqFp5Cix1dOdZQFJlCv8CbYNYB37DA=; b=T754CY0LuXcTzk6qMx4Fe3TFYf6NWQ3tnN5AjiD7pehXHEArlxSXEw25AWLGL0Tnm1 l6TBtV7TW9yqyUED4/arx5w0vQbE9dHDMiwRhc7bgRdFuxi6DUupAfgLN0ZbNyBXXx5R WRy6qj1JXNX8qoat2TXLc/mk5YD9/e050ADVC4q6OSyP/RShrYumcEQRFoSe5+dlfKfv EZ4EdEJxWyWaY2OvHJQu8ajTRDQFsFQcxt0bsmh4ckejHuvD9h0en6G29+cyQRi5uVNa lP8iX5+LWmVTFM+5UHYybYY/x+tRQ5i6oRXPU+ciuY+WoZrfU0Pa0yWKy46zt5ngYPSp ueCw==
X-Gm-Message-State: AOAM533byTef3Xu/Q3ey5LDqjmLOMgpBEK1IYccTo+YDGAuN9zeA9qZk cZcEjXn4GiRL5AJxR+JkPoayuQ==
X-Google-Smtp-Source: ABdhPJxriS/BG6H8H+Zf6QhwkWh7X/ljZN3vtvTir1xWglNI8LJvq3LK5lQ6gTmKDMZQ5VQKuB3zVg==
X-Received: by 2002:a50:d784:: with SMTP id w4mr48043010edi.201.1606139969800; Mon, 23 Nov 2020 05:59:29 -0800 (PST)
Received: from rmbp.fritz.box ([134.3.30.253]) by smtp.gmail.com with ESMTPSA id n1sm5074238ejb.2.2020.11.23.05.59.28 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 23 Nov 2020 05:59:28 -0800 (PST)
From: Raphael Robert <raphael@wire.com>
Message-Id: <D0C2B87B-3425-4618-B23E-176E091E81E4@wire.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_605D3A5E-32CC-46A0-B70C-B20E6C71C6BA"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.20.0.2.21\))
Date: Mon, 23 Nov 2020 14:59:25 +0100
In-Reply-To: <44D1D4F7-9F82-4D46-AF26-D4ECCFB14D13@nps.edu>
Cc: "mls@ietf.org" <mls@ietf.org>
To: "Hale, Britta (CIV)" <britta.hale@nps.edu>
References: <44D1D4F7-9F82-4D46-AF26-D4ECCFB14D13@nps.edu>
X-Mailer: Apple Mail (2.3654.20.0.2.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/6tjSWyAesfU125IFRDfMhRLtsPM>
Subject: Re: [MLS] External Commits - Resync
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 13:59:34 -0000
Hi Britta, That’s definitely an interesting question. The way the spec is written right now, Alice could just re-sync like you described and that raises a few questions (in no particular order): - The status quo with messaging apps is that you can typically join a session by only controlling the identity key. This is the case for messengers based on the Signal protocol. While a session gives you certain well-understood guarantees, it’s up to the apps to define how seamlessly you can initiate a new session (https://github.com/signalapp/Signal-iOS/issues/4138 <https://github.com/signalapp/Signal-iOS/issues/4138>). While that’s the status quo, it doesn’t mean we shouldn’t aim higher with MLS. - You mention the proof of past participation and I think the resumption secrets we already have could be used for that (https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html#name-resumption-secret <https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html#name-resumption-secret>). Provided other members keep them around for long enough, Alice could prove that was indeed a member in the past. - What is the exact threat model? An attacker that compromises a device will not only get the signature key, but most likely also the resumption secrets. The intuition here is that it is unlikely that the resumption secrets are better protected on the device than the signature key itself (but I might be wrong). We also recommend that signature keys should not be re-used between devices, which lowers the chance that they leak when they are copied (they probably don’t have to be copied ever if they are not re-used). Given the above, I’m wondering if you had a particular scenario in mind? - Let’s say we wanted to address this. The practical problem I see is that it might be impossible for other members to determine if Alice is trying to re-sync. There was some discussion on this now closed PR: https://github.com/mlswg/mls-protocol/pull/439 <https://github.com/mlswg/mls-protocol/pull/439>. If we don’t have a way to uniquely distinguish between members (other than by their position in the tree), how can we detect that they are trying to re-sync? I’m all for continuing the discussion though! Maybe we won’t find a satisfying solution, but we should try at least. Thanks Raphael > On 21. Nov 2020, at 00:17, Hale, Britta (CIV) <britta.hale@nps.edu> wrote: > > Hi all, > > A good point was raised by Jonathon Hoyland during the MLS IETF 109 meeting regarding possible concerns in using external commits for resync, particularly in the case of Alice adding/removing herself. Richard noted that this is a feature in the case that Alice is no longer synchronized with the group and therefore can use an external commit to add herself back in, removing the previous version. > > As opposed to any newcomer joining with an external commit, the case of Alice re-joining presents a potential security issue. Namely, as currently specified (in my reading of the draft), an existing group member, Bob, has no means to distinguish between the following cases: > Alice needs to resync and therefore performs an external commit and removes her prior version. > Alice’s signature keys are compromised (it is not necessary for the adversary to compromise any group state). The adversary performs an external commit in Alice’s name, and then removes her prior version and impersonates her to the group. > > One might hope that Alice notices that she is removed and communicates this to the group members OOB, but it is also possible that that she assumes some other reason for the removal, is offline, or simply is not active enough to take action for a fairly long compromise window. Even if she tries to use an external commit to get back into the group and then removes the adversary-as-Alice, there is no means for other group members distinguish the real Alice from the adversary-as-Alice and the process could be circular (until new valid identity keys are issued). > > While a newcomer is a fresh source to be trusted or not, Alice has been “healing” along with the group and the above option (2) allows the adversary to bypass all of that. > > The source of the problem is that when Alice re-syncs, she is not providing any validation of being the same/previous identity, so it is easy for other group members to accept that nothing more than a resync has taken place. Thus, a fairly straightforward solution is to require PSK use in cases where an external commit is used for resync. By enabling a PSK derived from a previous epoch during which Alice was part of the group to be injected with the external commit, Alice provides some proof of prior group membership and we avoid the total reset. > > What does everyone think about this? Is it a problem that we want to address, or let it fall out-of-scope? > (Also, if I missed something in the draft that already fixes this, please point it out.) > > - Britta > > _______________________________________________ > MLS mailing list > MLS@ietf.org <mailto:MLS@ietf.org> > https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls>
- [MLS] External Commits - Resync Hale, Britta (CIV)
- Re: [MLS] External Commits - Resync Raphael Robert
- Re: [MLS] External Commits - Resync Hale, Britta (CIV)