Re: [MLS] Key confirmation - Extra MAC needed?
Russ Housley <housley@vigilsec.com> Tue, 23 October 2018 13:34 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E80CA130F59 for <mls@ietfa.amsl.com>; Tue, 23 Oct 2018 06:34:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ULzuegT2OF38 for <mls@ietfa.amsl.com>; Tue, 23 Oct 2018 06:34:10 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27701130FA5 for <mls@ietf.org>; Tue, 23 Oct 2018 06:34:07 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id BAAAB300A49 for <mls@ietf.org>; Tue, 23 Oct 2018 09:34:04 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id IBqPyDCKfoy8 for <mls@ietf.org>; Tue, 23 Oct 2018 09:34:02 -0400 (EDT)
Received: from [5.5.33.215] (vpn.snozzages.com [204.42.252.17]) by mail.smeinc.net (Postfix) with ESMTPSA id 4E861300523; Tue, 23 Oct 2018 09:34:01 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <58A76FA7-6A4B-4E78-8631-A20CD20AE533@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A51D4B3B-A145-4744-9789-42630026A6F7"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Tue, 23 Oct 2018 09:33:58 -0400
In-Reply-To: <CAL02cgTk+mBNi8jDicN8jmpGZkixTOu541MVEFj7SSgroL8DHg@mail.gmail.com>
Cc: mls@ietf.org
To: Richard Barnes <rlb@ipv.sx>
References: <CAL02cgTk+mBNi8jDicN8jmpGZkixTOu541MVEFj7SSgroL8DHg@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/8WTlluoZFUAU_3sdyU78gSVPPGo>
Subject: Re: [MLS] Key confirmation - Extra MAC needed?
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2018 13:34:18 -0000
> Hey all, > > In the just-released -02 draft of MLS, I've added a key confirmation step to the handshake authentication process. Important question after "=====" below... > > In the previous draft, there was an authentication mechanism that ensured that if two group members ended up with different GroupState objects, then they would have different keys. However, it did not provide any way for group members to recognize that this was the case, except for AEAD checks on encrypted messages failing. With explicit key confirmation, the recipient of a Handshake message knows that if processing of the handshake message succeeds, then the recipient has the same GroupState as the sender. > > This provides a degree of protection against malicious insiders that send different TreeKEM values to different parts of the tree. Namely, only the subset of the tree that got the key matching the key confirmation will accept the Handshake message; the others will be locked out. (Assuming a broadcast channel; if the sender can send different key confirmations to different recipients, then this is no help.). This isn't complete protection, but at least the locked-out members know they've been locked out, and can complain about it. > > ===== > > The major question here is whether it's sufficient to derive a key confirmation value from the key schedule and publish it, or whether the value derived in the key schedule should be used as a MAC key to generate a MAC over the message transcript. I've posted PRs for both; the latter is what I merged in -02 > > Derive: https://github.com/mlswg/mls-protocol/pull/72 <https://github.com/mlswg/mls-protocol/pull/72> > MAC: https://github.com/mlswg/mls-protocol/pull/71 <https://github.com/mlswg/mls-protocol/pull/71> > > On the one hand, the MAC-based approach is what is done in TLS. It feels safer, because we never publish anything that's in the key schedule diagram. > > On the other hand, the Derive-Secret operation used to create the key confirmation value in the key schedule is **already** based on HMAC. So it doesn't seem like the extra MAC step is adding that much value. > > If we can convince ourselves that the Derive approach (without the extra MAC) is sufficient, I would prefer to do that, since it's simpler. But feedback on this point would be very much appreciated. The Derive approach is straightforward. If this leaks in any surprising way, then draft-ietf-tls-exported-authenticator has a problem too, right? Russ
- [MLS] Key confirmation - Extra MAC needed? Richard Barnes
- Re: [MLS] Key confirmation - Extra MAC needed? Russ Housley
- Re: [MLS] Key confirmation - Extra MAC needed? Richard Barnes
- Re: [MLS] Key confirmation - Extra MAC needed? Katriel Cohn-Gordon
- Re: [MLS] Key confirmation - Extra MAC needed? Richard Barnes
- Re: [MLS] Key confirmation - Extra MAC needed? Katriel Cohn-Gordon