Re: [MLS] Async Add

Joel Alwen <jalwen@wickr.com> Tue, 22 September 2020 13:24 UTC

Return-Path: <jalwen@wickr.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0FF53A074B for <mls@ietfa.amsl.com>; Tue, 22 Sep 2020 06:24:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wickr-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VhgDr4dkUloT for <mls@ietfa.amsl.com>; Tue, 22 Sep 2020 06:24:36 -0700 (PDT)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18BC33A064A for <mls@ietf.org>; Tue, 22 Sep 2020 06:24:36 -0700 (PDT)
Received: by mail-ed1-x534.google.com with SMTP id e22so16163067edq.6 for <mls@ietf.org>; Tue, 22 Sep 2020 06:24:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wickr-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:autocrypt:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=hEOygO1hFzPRi04cjxb20eWaNjigQGXmorAL6Mnk7zQ=; b=lYaw7c5c2Rc7oolZPN6QtwuMRxsQCAUuXJLGx/DLw73Wxy/TLnoxxHUbr8CJ3ybxuD 3KKXUcYR8BEnaAGEzjSxJkpN3bYZgoL1YYGArWmlISQJ7bZD5U1/XAn7S8G0Ntbu/G7I JS1885sE0MCWDIXXLmXN/CtVdttdHkLr0B43/KPB1//tXaZozf2WH9G1HDmL2jWIM2em YGhn5sVLphpz7QBBmhcWQxsRw5D0uenIN0muS6mnn7MGF508hf96BIBD38gBJXcGvgXj CoSl/PoRKuElmln6KuiQmEr2aFbORjt4yyv+CFrTvhcROGGTQejsLNsV6fcR9+kbTaAa 58Ew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:autocrypt:message-id :date:user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=hEOygO1hFzPRi04cjxb20eWaNjigQGXmorAL6Mnk7zQ=; b=bGZ4tP0kaAfwOjKcYaR4YvO4CSmoKDgpcMInq1eNXgoLc/eMrtf1V04Xzqg8q57w8W /2ESK0rUeDn8hyAd3sBd17SXN00lLr5kIgVH4++Tm7o4JZeLDqP6jsgKSzIt0uDx0CTZ blZlTdltuHw/TokqtmjkWdRtDbEbq0ty+0vIvR0x8MTRqCSN9gU8CIYYTbxhHzRVPBSZ RIeWi5mOpyNnhU3vuBolSJIbU50e0FSvsfMzEb1G3tVmC7nkSOwvHjwZu+vrDXCzvvIW 3alTZQyXTa+HYEP6hepgMo1MH4Sz4s7Osay0O68eS/tnNlHRof+kL9+4OZF49S/KpYfp WeeA==
X-Gm-Message-State: AOAM532JmUP7MfaIoUIhwC/aaPRdFMOFETzlWalyM+21TJVxOC1DM3dX VwpePpGkBZyYCA6zyyMUHDKTCZzX71v7WSAc
X-Google-Smtp-Source: ABdhPJy8lovbuPMUUn27TOE439EB5wwSK/djFH57oJZCMA57O4usQktjlemKBwqOSp9Lgn8ipcwKyw==
X-Received: by 2002:aa7:dc16:: with SMTP id b22mr3861130edu.252.1600781074069; Tue, 22 Sep 2020 06:24:34 -0700 (PDT)
Received: from [192.168.1.137] (84-114-27-5.cable.dynamic.surfer.at. [84.114.27.5]) by smtp.gmail.com with ESMTPSA id l21sm11742795ejg.124.2020.09.22.06.24.33 for <mls@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 22 Sep 2020 06:24:33 -0700 (PDT)
To: mls@ietf.org
References: <474411EE-C4E8-4D01-B135-2632078C1423@wire.com>
From: Joel Alwen <jalwen@wickr.com>
Autocrypt: addr=jalwen@wickr.com; keydata= mQENBFyIZvABCAC65JupY1w7gzhhNo41ftIk09n7Lid9p31jDR8Jefv9R5sWL+HZFGDeABAY 1J1JvV6vOaMsfdy9iUFfGS1GhMJ3+mh799SIsB3JSfPq/eq6Jut57D2yPtILmc7ZbuJyBHg0 xuYfKCQQAYikW+v2LJQU1Y+BUDbVldpzxSc8Z3PPSfunWdzhY6qAAhyCv+Y8EzJlQivMwD5B f6737krf8SoBsjsqCHQrRo/r+BSj5Wtd5/K3FkmWLOUAFoYK23+cpoFntGJKZfss27gDPhyS gX9ibXcBGQqBEF4qDPEzEHK8iQmXTxLul5Y7lQ6ADf69xH15WM4GmRBeCvR3Uanxcr2/ABEB AAG0HUpvZWwgQWx3ZW4gPGphbHdlbkB3aWNrci5jb20+iQFUBBMBCAA+FiEEYFNg9IH2SV6e 03O3FR5tDZv8eygFAlyIZvICGwMFCQHhM4AFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ FR5tDZv8eyjSywgApQNIRcL4IKTJ0I4XwcQRhICu1Bht3c2fUnG2YziJXjGf6DZ49uKKtuIu fk8mNS+vKRLoLZ7+u+Pv/Yjmk8jtrr6Saz1vnfsle3GgmXG5JaKOM5cOfeo5JnlNUP3QonR7 LMZwY1qVKg2mzNmwi0jG1zIGgQ5fiAwqe+YTNFli5bc/H1O9LcSmbrLV9OyucARq11DIiAvU fDknZ17OahQls+9mgfAXH5vZjzo296tYvzkOJQ2A6GPxdMHIXGbJM/vjuMe2QJl6C0zaqOtm JvFcx/HpNhmugYI9OsNAd7846HASDp8BKyfY5FYP7bn0/JBuCpg18Aykru6xyFjG3gv0Lw==
Message-ID: <52db4542-ed98-a10b-ac55-e49594504ded@wickr.com>
Date: Tue, 22 Sep 2020 15:24:35 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <474411EE-C4E8-4D01-B135-2632078C1423@wire.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/9USSIBkt2rL2RRwOJPqthJ79YL8>
Subject: Re: [MLS] Async Add
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2020 13:24:38 -0000

My initial 2 cents: this is not just a corner case. MLS should specify how to
support such functionality but as an optional mode and making explicit the price
in security it entails.


I believe such a feature would be used quite a bit if it where available. E.g.
My phone is the only device on my account. It breaks. I get a new one and log
back in to my account. Now I want my re-join my old groups. In most deployments
I'd expect that to be permitted by group policies. But how can I re-join w/o the
help of someone else in the group actively "pulling" me in? If I'm not mistaken
then this PR provides an answer.


The solution does come with a price though. Some things that come to mind:

 - It seems to require storing public group state on the DS (or some other
server) which isn't great for E2E metadata protection.

 - An external commit provides weaker security guarantees than a normal commit.
It throws out the old init_secret. Ergo, if ever an HPKE sk to which one of the
UpdatePath secrets was encrypted to leaks then the entire application key
schedule of the new epoch is compromised. (Not to mention that further epochs
may also be compromised depending on the particulars of the execution.) For
normal commits that's not the case because the adv. also needs the old epoch's
init_secret.


- Joël

On 21/09/2020 20:15, Raphael Robert wrote:
> Hi all,
> 
> Over the course of the past weeks when assessing how well MLS would fit into existing messengers, it became obvious that adding new members is still problematic. The operation – while technically asynchronous – still requires two parties to be online in many cases.
> 
> Rather than writing a lot of prose here, I attached a presentation that explains the problem and offers a potential solution.
> 
> I also created the following PR: https://github.com/mlswg/mls-protocol/pull/406
> I will bring this up at the interim tomorrow for discussion.
> 
> Raphael
> 
> 
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>