Re: [MLS] All commits = external commit?

[Richard Barnes <rlb@ipv.sx>]

That's a fair point, Brendan.  The thing that still worries me, though, is
that the KEM operation in an AEC effectively introduces a new independent
variable -- who is the sender for purposes of the KEM operation?  In the
DHKEM case, who holds the private key corresponding to the ephemeral public
key?

In the external-join case, you need this independent variable, so that the
new joiner can join the key schedule.  In the internal-commit case, you
don't need it, so it's purely a source of potential mischief.  It's
possible that other mechanisms protect against such mischief, but (a) we
would need more than mailing-list proofs that that was the case, and (b) we
would need to somehow assure that future extensions to the protocol would
interact badly with this mechanism.  It seems more conservative to not have
the additional choice.

Sorry that's not super concrete.  Maybe some of the folks doing proofs here
have thoughts?

--Richard


On Wed, Oct 7, 2020 at 8:24 PM Brendan McMillion <brendan@cloudflare.com>
wrote:

> Unfortunately the attack outlined above doesn't work because if an
> attacker has Alice's state from a previous epoch and Alice has since
> Updated, they're unable to encrypt MLSCiphertext or authenticate
> MLSPlaintext messages. The attacker could use Alice's signing private key
> to send an Add proposal and Commit, but they'd be marked as being from an
> external sender. There's no distinction between Alice being in the group
> already or the attacker adding Alice to groups she was never in to begin
> with -- this is a risk inherent with allowing external joiners, not the
> asymmetric Commit mechanism itself.
>
> On Wed, Oct 7, 2020 at 8:49 AM Richard Barnes <rlb@ipv.sx> wrote:
>
>> Thanks for this analysis, Joël.  This aligns with my intuition as well,
>> and seems like a good rationale for a hard prohibition on AEC /
>> ExternalCommit from group members.  (Something about which I had waffled in
>> a previous email.)
>>
>> Another way to think about this: PCS with regard to a member is about
>> removing an old version of that member (as represented by an HPKE key and
>> signing key).  AEC is designed to allow joins, which means that
>> AEC-from-inside allows the old, compromised version of the member to
>> rejoin, which kills PCS.
>>
>> --Richard
>>
>> On Tue, Oct 6, 2020 at 12:55 PM Raphael Robert <raphael=
>> 40wire.com@dmarc.ietf.org> wrote:
>>
>>> I second that assessment, my idea behind External Commits was to offer a
>>> mechanism where internal Commits couldn’t be used. External Commits should
>>> remain optional (this can easily be achieved by not providing the
>>> ExternalCommitInfo package to new members) and when they are used they
>>> should be used as a last resort mechanism (meaning there really is no way
>>> to add a member with an internal Commit).
>>>
>>> I also think MLS should should remain in the position to cover most
>>> scenarios from mainstream consumer messaging to messaging in high security
>>> environments. External Commits make the former much more accessible but
>>> shouldn’t jeopardise the latter.
>>>
>>> Raphael
>>>
>>> > On 6 Oct 2020, at 18:38, Joel Alwen <jalwen@wickr.com> wrote:
>>> >
>>> > Hey people,
>>> >
>>> > To follow up on the discussion at the end of the Interim about whether
>>> to use
>>> > the new "asymmetric external commit" (AEC) mechanism for internal
>>> commits I
>>> > wanted to summarize my thoughts here. For brevity let SIC be our
>>> current
>>> > "symmetric internal commit" mechanism.
>>> >
>>> > - AEC requires extra asymmetric crypto operations (both for committer
>>> and
>>> > receiver) compared to SIC which I think we should avoid if we can,
>>> even at the
>>> > cost of some code complexity.
>>> >
>>> > - AEC doesn't ensure the committer knows the old epoch's key schedule.
>>> This can
>>> > play a deciding role in several types of attacks.
>>> >
>>> > Consider this execution:
>>> >
>>> > 1. Alice is in a group. Her state leaks (including her signining key).
>>> > 2. Alice commits (to arbitrary propal).
>>> >
>>> > At this point, the adversary can still forge a new AEC from Alice but
>>> not an SIC.
>>> >
>>> > Worse, step 2 could have instead been "Alice sends an update proposal
>>> replacing
>>> > her leaf HPKE but keeping the her sig keys (e.g. because new
>>> credentials are
>>> > costly to come by). Someone commits to the new proposal." At this
>>> point I'd
>>> > expect PCS to have kicked in for Alice (as it does when using SIC).
>>> But not for
>>> > AECs since Alice's signing key is all thats needed to forge a new AEC.
>>> >
>>> > I think it is not worth weakening security this way if we dont have to.
>>> > (Especially, since in some deployments external commits may not be a
>>> supported
>>> > feature at all.)
>>> >
>>> > - As for what may or may not be displaid to users, that's really up to
>>> the
>>> > implementation. IMO our goal should be to make the protocol as secure
>>> as we can
>>> > subject to reasonable costs. Which aspects of the resulting security
>>> properties
>>> > are ultimately communicated to users should, in principle, be left up
>>> to
>>> > implementations. That means we shouldn't be designing away security
>>> features
>>> > only because we think they might be hard to communicate. (Nor does it
>>> seem that
>>> > inconceivable to me that some implementation may end up explicitly
>>> signaling
>>> > whether a commit was external vs internal.)
>>> >
>>> > - Joël
>>> >
>>> > _______________________________________________
>>> > MLS mailing list
>>> > MLS@ietf.org
>>> > https://www.ietf.org/mailman/listinfo/mls
>>>
>>> _______________________________________________
>>> MLS mailing list
>>> MLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/mls
>>>
>> _______________________________________________
>> MLS mailing list
>> MLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/mls
>>
>