IETF Logo Mail Archive

Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule

"Hale, Britta (CIV)" <britta.hale@nps.edu> Tue, 18 August 2020 15:15 UTC

Return-Path: <britta.hale@nps.edu>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C7C93A0C7A for <mls@ietfa.amsl.com>; Tue, 18 Aug 2020 08:15:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mxh5MhD_yCim for <mls@ietfa.amsl.com>; Tue, 18 Aug 2020 08:15:57 -0700 (PDT)
Received: from mule.nps.edu (mule.nps.edu [205.155.65.106]) by ietfa.amsl.com (Postfix) with ESMTP id 0730B3A0C78 for <mls@ietf.org>; Tue, 18 Aug 2020 08:15:56 -0700 (PDT)
X-ASG-Debug-ID: 1597763755-0e39454aed16860001-bGA3T6
Received: from mail.nps.edu (skywalker.ern.nps.edu [172.20.4.117]) by mule.nps.edu with ESMTP id EaGEmsLArd9opIBm; Tue, 18 Aug 2020 08:15:55 -0700 (PDT)
X-Barracuda-Envelope-From: britta.hale@nps.edu
Received: from synergos.ern.nps.edu (172.20.4.116) by skywalker.ern.nps.edu (172.20.4.117) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1531.3; Tue, 18 Aug 2020 08:15:55 -0700
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (104.47.36.51) by synergos.ern.nps.edu (172.20.4.116) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1531.3 via Frontend Transport; Tue, 18 Aug 2020 08:15:55 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kqarKBhaGrk3SN0ob2Uw2mr3LB3MdQrTOpq8FPmzecTpxaOjRwF32gofodwwPfn8gtlJpPbNbEzq9On61ef3g6lJcRu8wysgI0P9o7fsdIpk2Mv3+X9P6HAdOEniP/q1JxgTXJSwM7tT+kwRT1TPHAXwo3EK/9XHAJms9ceCfJQXE7XkC3Yc4KpzC6rDZfVwLV7utD4GIbyiJmp5/+kj4IcRHlyLYWmTPXjFLPBCC0HftLqo4PlvztZtBFh/G14TtyR/ieoAINR0Ma5cQJvPsE6gEAEXScF4EtfkJADo3mmV08e6b1Cdd4ggSj0z3Zrr8KBNVbLBTrq5L9M3EiV9Fg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Uom4JzL2QKScRJZHpqou/UJ9sncLiqVwxHyMTcEZC3Y=; b=Q2tQgn0BPtLEqHFldmf2IMshRK0JjRObqrIpy3WZi2VN4knyGdlFm+pWRCKkqyJ1KWftQj7p1FgKW6rDh8h9hYl7N8WPTTwZmKMX7gVmaLsRmNYeEifPioGK+unMVJZ8HKBTOQqkBkr6o4lNdA820vjFoX+ooA2D34k9BmUEv84Rk+ccREifGT7prLcjKSaGzVrmMBMTx4pZUhOh/sU7ZQS5Bt+c/LbrygRiho1llRmIwHl0J9mh4c/RbIJ6EacqRWD3qA4qZ9twK5daVKBBgi4y23Q3EqjlY6evX0AHCUvU+1jNM5kd4OrftQ4rKVzw81uxsMPx5JHlUdgAJSunAw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nps.edu; dmarc=pass action=none header.from=nps.edu; dkim=pass header.d=nps.edu; arc=none
Received: from BY5PR13MB3348.namprd13.prod.outlook.com (2603:10b6:a03:1aa::23) by BYAPR13MB2760.namprd13.prod.outlook.com (2603:10b6:a03:fa::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3305.14; Tue, 18 Aug 2020 15:15:53 +0000
Received: from BY5PR13MB3348.namprd13.prod.outlook.com ([fe80::65b1:6350:343d:c101]) by BY5PR13MB3348.namprd13.prod.outlook.com ([fe80::65b1:6350:343d:c101%7]) with mapi id 15.20.3305.017; Tue, 18 Aug 2020 15:15:53 +0000
X-Barracuda-Effective-Source-IP: UNKNOWN[2603:10b6:a03:fa::29]
X-Barracuda-Apparent-Source-IP: 2603:10b6:a03:fa::29
From: "Hale, Britta (CIV)" <britta.hale@nps.edu>
To: Raphael Robert <raphael=40wire.com@dmarc.ietf.org>, Joel Alwen <jalwen@wickr.com>
CC: Messaging Layer Security WG <mls@ietf.org>
Thread-Topic: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule
X-ASG-Orig-Subj: Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule
Thread-Index: AQHWdWz00GMqSfzrNUeLjUcYEIMnS6k99GYA//+QUwA=
Date: Tue, 18 Aug 2020 15:15:53 +0000
Message-ID: <F3B66925-9E40-4162-B802-85E888816ABF@nps.edu>
References: <7d7283b6-8c70-d045-81c2-f552219869ad@wickr.com> <F5B1E029-D8B4-4BEA-BF7A-CDD531D662BD@wire.com>
In-Reply-To: <F5B1E029-D8B4-4BEA-BF7A-CDD531D662BD@wire.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.17.200615
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=nps.edu;
x-originating-ip: [2601:647:cb00:2941:7484:2acb:d3b3:22bf]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9b8928c9-ad38-4d61-f655-08d843899943
x-ms-traffictypediagnostic: BYAPR13MB2760:
x-microsoft-antispam-prvs: <BYAPR13MB276064E3D609CA03732CE623FB5C0@BYAPR13MB2760.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Rzd94mkf13tDRJ4w47c/JQQZRu+6YV11rim+WVswBC6IjhCoszBmyad6VZoClS63fskEWGavuCK2xyre2uXVQUy/CcaT8aRzXmB51LFin7x75z4mchwXm7F/Vp4bFfrpMM4sJr1u9kFtVil1tKY5SVGEsAQODr/EHqSpomcYlgQEgrmyvVeBAvYL4cVkbqLnsWrorb1n5fTguIdC6bkOf67+nzzkhfr01WFBX+y5ij2vJ7XkcQ8Djsj3GjcvR9JwfbI59Tp2faU/UIfILXs61OtOlKszAC9N+6zMGoUGoCNbpo4bxo4PoBV55waeCAzJ/7l8Vn1wunBFriBu85gpSegElOeXlCRFIdEgZzqW78qv1bAEV/0RW3+z4B35azEBWLlVggfW+zbWv+n88kOFLw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR13MB3348.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(76116006)(6512007)(498600001)(66446008)(66476007)(33656002)(66946007)(64756008)(66556008)(71200400001)(86362001)(75432002)(5660300002)(8676002)(110136005)(53546011)(6506007)(6486002)(66574015)(8936002)(966005)(83380400001)(2616005)(2906002)(4326008)(36756003)(186003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: tmtoslxXkyMc6KxD/a3tMIJMrsV+xxMglt7LkUIBryto2cRpeCahUiBaCbyvOSF5sIV8DFV29AkDDj7HKFa79U2QynT5Flqgz/+8/1SmC+e7c+mL2B4SBZEZn4IiANJcXw7OLd4DAD1jENLCOTHudstGsXPuVlcYEZQY1TAmhjbZzX4JdyR7xjq4OGMBy6AVkFvddAbVlRix8bhoRyEqIIZjYrwuZfJU60ruWOtaZNr+2O3kDmEDkdmhJb369eAYFkwJsFF1pT+e22Oe7Y2pY6oVmAxP5CeTP2fuiD3mxOmvWxD7bHkSk8b0niVDMiqQEmFDX8h6kEGgcsNekCYpbpd6eMiv3C2B8n3r7HgPzamH7iBX4nLVTBCCr9DobjmBKWQ6N8j5PHBB30pdLMMl0CnNToLDq0dpKUxOpFIonvLzv2qAUKgeYRLEnbSbjVeGq7PsaJQp0k5lwpEGg7scy+4pfLrMB2iM+5Id9A94skGOLpt/GzTkFldwxHSLcmB0FGDxNmcWeST+21/RJ5uhF+Snowlw9CkLnegy0W8ofZxY+KJ9iXH++bEPF78CoN0XGUmEEk1gSxDjX6jFL4ALu0yz+Wa3xBkLOcslhFtpML/lpepR62BTjlqnCq/3HwWgN02cY1utVkEiWKBwsjvojq/tqdywGFOUJqUwqN7LHyXzBgLtlT4pLGuxP0bY6dykjEEkkMhr+xe5oEdLrVdi0g==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <2CC78B3DCAF3564392E3F71EFEA501B9@namprd13.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR13MB3348.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9b8928c9-ad38-4d61-f655-08d843899943
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Aug 2020 15:15:53.2014 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6d936231-a517-40ea-9199-f7578963378e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: QDD5cY9x2YF9sbFhjPMQqKpCl7McprXAK5JqkSOWkZ8OZzIJ1nc49GoYnOi4jHpT4U2x5OqmrAHllBe/k5NNOw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR13MB2760
X-OriginatorOrg: nps.edu
X-Barracuda-Connect: skywalker.ern.nps.edu[172.20.4.117]
X-Barracuda-Start-Time: 1597763755
X-Barracuda-URL: https://205.155.65.106:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at nps.edu
X-Barracuda-Scan-Msg-Size: 4557
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests=BSF_SC5_SA210e
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.83987 Rule breakdown below pts rule name description ---- ---------------------- -------------------------------------------------- 0.00 BSF_SC5_SA210e Custom Rule SA210e
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/8nMMlIPoQ_nfYzYyHPaMA-PXBLc>
Subject: Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2020 15:15:59 -0000

Good catch Joël,

This is indeed very problematic against the PCS security goals.

If the motivation behind this is to provide a cleartext alternative to encrypted HS messages, then a regular message authentication code based on the current group context (to replace the encryption step) would be a simple solution. That binds a level of authentication to the group state while allowing messages to be in the clear if required.

Britta


On 8/18/20, 7:55 AM, "MLS on behalf of Raphael Robert" <mls-bounces@ietf.org on behalf of raphael=40wire.com@dmarc.ietf.org> wrote:

    NPS WARNING: *external sender* verify before acting.
    
    
    Hi Joel,
    
    For context: this would only apply when applications use cleartext MLSPlaintext for HS messages. The recommendation is still to encrypt them and send them around as MLSCiphertext.
    That being said, we said we would like to support scenarios where HS messages are not necessarily encrypted.
    
    Question: would this attack work with Commit messages? I’m thinking that they would be rejected because the attacker cannot compute the confirmation_tag.
    
    As you mention in the PS, the easy target would be Proposal messages.
    
    I’d be interested to see what exactly you would propose as a mitigation mechanism.
    
    Raphael
    
    > On 18 Aug 2020, at 16:36, Joel Alwen <jalwen@wickr.com> wrote:
    >
    > Hey everyone,
    >
    > Something thats been bugging Marta Mularczyk and Daniel Jost and me for a bit
    > now is that handshake messages sent out as MLSPlaintext packets are only
    > authenticated using signatures, but not using the group's key schedule. For
    > non-members that makes sense but for group members that's weaker than need be.
    >
    > Suppose Alice is in a group using signing key pair (spk, ssk). I corrupt her to
    > learn ssk. Now I loose access to her device again. Later she generates a fresh
    > key package with her same spk but a new HPKE key for her leaf. She sends out and
    > update proposal for her new key package and someone commits to the update.
    >
    > Expected result: she (and the group at large) has achieved PCS again.
    >
    > Actual result: using her stolen ssk I can still forge a new proposal's (sent as
    > MLSPlaintext packets) coming from Alice. Some things I could do with this power:
    > - I can generate a new key package kp for Alice using her spk and some HPKE key
    > she doesn't know. Then I forge an update proposal for Alice with kp. If it gets
    > committed I've effectively kicked her out of the group.
    > - I could forge Add's and Remove's coming from Alice, so I could trick the
    > group into thinking Alice is trying to Add my account to the group or remove
    > some other group member.
    >
    > Lemme know if I've missed something here in that scenario...
    >
    >
    > If I didn't miss anything and the attacks really work as advertised then IMO
    > this is kinda weak sauce and worth avoiding if possible. So to that end, how
    > about we modify MLS such that MLSPlaintext packets coming from group members
    > must also be authenticated using something from the application key schedule.
    > Now the above attacks fail. As soon as Alice's update is gets committed I no
    > longer know the group's key schedule and so can't forged packet from Alice. More
    > generally, this brings the PCS guarantees when using MLSPlaintexts frameing in
    > line with what we're getting from MLSCiphertext packets.
    >
    > Any thoughts?
    >
    > - Joël
    >
    >
    >
    > PS. For concreteness, we could probably extend the current mechanism for getting
    > concistancy (the confirmation_tag) to also provide symmetric key authentication.
    > E.g. include most of the MLSPlaintext content into whats being tagged by
    > confirmation_tag. That would cover the case of a commit packet and doesn't even
    > grow the size of MLSPlaintext packets over the current design.
    >
    > For a proposal packet we could also have a confirmation_tag but this one is
    > computed using the *current* epoch's confirmation_key and confirmed_transcript_hash.
    >
    > _______________________________________________
    > MLS mailing list
    > MLS@ietf.org
    > https://www.ietf.org/mailman/listinfo/mls
    
    _______________________________________________
    MLS mailing list
    MLS@ietf.org
    https://www.ietf.org/mailman/listinfo/mls

v2.23.0 | Report a Bug | By Email