Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule

[Raphael Robert <raphael@wire.com>]

I thought about this some more and now I’m not sure that the membership_token should only be implicit:

The whole reason for HS messages to not be encrypted is that they can be inspected along the way by an external party (e.g. the Delivery Service). If this is not a requirement, MLSCiphertext should really be used instead.
Hiding the membership_token from external inspector means the inspector can not verify the signature anymore. I think that defies the point of HS messages being inspectable.

The obvious fix is to include the membership_token in MLSPlaintext as well.

Raphael

> On 18 Aug 2020, at 21:01, Richard Barnes <rlb@ipv.sx> wrote:
> 
> Here ya go: https://github.com/mlswg/mls-protocol/pull/396 <https://github.com/mlswg/mls-protocol/pull/396>
> On Tue, Aug 18, 2020 at 1:30 PM Joel Alwen <jalwen@wickr.com <mailto:jalwen@wickr.com>> wrote:
> > Joël, do you want to write a PR?  If not, I could probably get to it in the
> > next couple days.
> 
> Thanks. :-) If you could that would be really nice.
> 
> - Joël
> 
> On 18/08/2020 19:20, Richard Barnes wrote:
> > Sounds like we're converging here.  The only question in my mind is what goes in
> > the MAC -- seems like the easy option is probably "the remainder of the
> > MLSPlaintextTBS", i.e., everything from group_id to the end.  That seems like it
> > minimizes multiple serialization:
> > 
> > tbs_content = serialize(group_id, ...)
> > membership_token = KDF.Extract(confirmation_key, tbs_content)
> > tbs = group_context || membership_token || tbs_content
> > 
> > So the PR would be to basically pop the context off of MLSPlaintextTBS and add
> > the three lines above (with the switch for internal/external in prose).
> > 
> > Joël, do you want to write a PR?  If not, I could probably get to it in the next
> > couple days.
> > 
> > --Richard
> > 
> > On Tue, Aug 18, 2020 at 12:24 PM Raphael Robert <raphael@wire.com <mailto:raphael@wire.com>
> > <mailto:raphael@wire.com <mailto:raphael@wire.com>>> wrote:
> > 
> >     I think what you just described is indeed a combination of option 1 & 2.
> >     It’s a MAC over the payload we want to authenticate, but it’s implicit and
> >     we only include it in the MLSPlaintextTBS. Or in other words, we stripped it
> >     from MLSPlaintext because it is implicitly known to any valid member of the
> >     group.
> > 
> >     Raphael
> > 
> >>     On 18 Aug 2020, at 18:16, Joel Alwen <jalwen@wickr.com <mailto:jalwen@wickr.com>
> >>     <mailto:jalwen@wickr.com <mailto:jalwen@wickr.com>>> wrote:
> >>
> >>     Yeah, I like Option 2 here. I like that it avoids growing packet size.
> >>
> >>     One caveat though: I'd go for the MAC(...) version rather than the
> >>     confirmation_key. For starters thing including confirmation_key doesnt
> >>     authenticate the contents of the packet. But even if it did, signatures aren't
> >>     meant to hide the contents of what was signed. (Amend you favorite sig
> >>     scheme to
> >>     tack on the message at the end a signature and you've still got a secure
> >>     signature scheme. But clearly not a message hiding one.) That means that AFAIK
> >>     neither ECDSA nor EdDSA etc. were designed or analyzed for such a property. So
> >>     this would amount to a very non-standard use of a signature schemes by
> >>     MLS. Not
> >>     saying it doesn't work for the particular sig schemes in our ciphersuite. But
> >>     its def. not how signatures are "meant" to be used.
> >>
> >>     But that leaves Option 2 with, say, including tag = MAC(conf_key,
> >>     conf_trans_hash || MLSPlaintext.content) into whats being signed which I like
> >>     and think gets the job done. Both conf_* values are taken from the current
> >>     epoch. By MLSPlaintext.content I mean whats now called MLSPlaintextTBS.
> >>
> >>>     I would propose that we do need something additional on Commit messages as
> >>>     well as Proposals.
> >>
> >>     @Richard: For Proopsals I think this works. Is that about what you had in mind
> >>     for commits too?
> >>
> >>     - Joël
> >>
> >>
> >>     On 18/08/2020 17:26, Richard Barnes wrote:
> >>>     Thanks for pointing this out, Joël.  I agree that the attacks you're
> >>>     describing
> >>>     should work as things are currently specified.  And they're salient,
> >>>     especially
> >>>     the "replace Alice in the group" one.
> >>>
> >>>     Also agree with Raphael is correct that Commit is not affected by this, since
> >>>     someone who is not a member won't be able to generate the right confirmation
> >>>     value.  However, I don't think this is actually the right design to adopt
> >>>     for a
> >>>     general solution to this problem.  Confirmation verifies group membership
> >>>     *after* processing the handshake message; the point here is that we
> >>>     should also
> >>>     have a membership check *before* processing handshake messages.  In
> >>>     particular,
> >>>     I would propose that we do need something additional on Commit messages
> >>>     as well
> >>>     as Proposals.
> >>>
> >>>     Thinking about solutions here, a couple of options come to mind:
> >>>
> >>>     1. Use MLSCiphertext, but with an integrity-only encapsulation
> >>>     2. Incorporate in the signature something that is only known to the group
> >>>     (e.g.,
> >>>     confirmation_key or MAC(confirmation_key; confirmed_transcript_hash ||
> >>>     Proposal/Commit))
> >>>
> >>>     Option (1) has the appeal that you would only ever send MLSCiphertext, though
> >>>     switching between encrypted/not could be problematic.  Option (2) seems a lot
> >>>     more appealing: It doesn't add any overhead, since the group-secret value
> >>>     doesn't need to be sent.  And we already switch between the signature context
> >>>     that is added for group members vs. external.  In fact, I think option
> >>>     (2) would
> >>>     just amount to a one-line change to include an extra, secret value in the
> >>>     context at the top of the MLSPlaintextTBS struct.
> >>>     https://github.com/mlswg/mls-protocol/blob/master/draft-ietf-mls-protocol.md#content-signing-and-encryption <https://github.com/mlswg/mls-protocol/blob/master/draft-ietf-mls-protocol.md#content-signing-and-encryption>
> >>>
> >>>     The only thing that seems odd about (2) is overloading signature
> >>>     verification in
> >>>     that way, i.e., using the ability to generate a signature over a secret
> >>>     thing to
> >>>     prove you know the secret thing.  That doesn't seem obviously flawed to
> >>>     me, but
> >>>     worth thinking about.
> >>>
> >>>     Does that make sense to folks?
> >>>
> >>>     --Richard
> >>>
> >>>
> >>>     On Tue, Aug 18, 2020 at 10:55 AM Raphael Robert
> >>>     <raphael=40wire.com@dmarc.ietf.org <mailto:40wire.com@dmarc.ietf.org>
> >>>     <mailto:raphael <mailto:raphael>=40wire.com@dmarc.ietf.org <mailto:40wire.com@dmarc.ietf.org>> <mailto:40wire.com@dmarc.ietf.org <mailto:40wire.com@dmarc.ietf.org>>>
> >>>     wrote:
> >>>
> >>>        Hi Joel,
> >>>
> >>>        For context: this would only apply when applications use cleartext
> >>>        MLSPlaintext for HS messages. The recommendation is still to encrypt them
> >>>        and send them around as MLSCiphertext.
> >>>        That being said, we said we would like to support scenarios where HS
> >>>        messages are not necessarily encrypted.
> >>>
> >>>        Question: would this attack work with Commit messages? I’m thinking that
> >>>        they would be rejected because the attacker cannot compute the
> >>>     confirmation_tag.
> >>>
> >>>        As you mention in the PS, the easy target would be Proposal messages.
> >>>
> >>>        I’d be interested to see what exactly you would propose as a mitigation
> >>>        mechanism.
> >>>
> >>>        Raphael
> >>>
> >>>>     On 18 Aug 2020, at 16:36, Joel Alwen <jalwen@wickr.com <mailto:jalwen@wickr.com>
> >>>>     <mailto:jalwen@wickr.com <mailto:jalwen@wickr.com>>
> >>>        <mailto:jalwen@wickr.com <mailto:jalwen@wickr.com>>> wrote:
> >>>>
> >>>>     Hey everyone,
> >>>>
> >>>>     Something thats been bugging Marta Mularczyk and Daniel Jost and me for
> >>>>     a bit
> >>>>     now is that handshake messages sent out as MLSPlaintext packets are only
> >>>>     authenticated using signatures, but not using the group's key schedule. For
> >>>>     non-members that makes sense but for group members that's weaker than
> >>>>     need be.
> >>>>
> >>>>     Suppose Alice is in a group using signing key pair (spk, ssk). I corrupt
> >>>        her to
> >>>>     learn ssk. Now I loose access to her device again. Later she generates a
> >>>>     fresh
> >>>>     key package with her same spk but a new HPKE key for her leaf. She sends
> >>>        out and
> >>>>     update proposal for her new key package and someone commits to the update.
> >>>>
> >>>>     Expected result: she (and the group at large) has achieved PCS again.
> >>>>
> >>>>     Actual result: using her stolen ssk I can still forge a new proposal's
> >>>        (sent as
> >>>>     MLSPlaintext packets) coming from Alice. Some things I could do with this
> >>>        power:
> >>>>     - I can generate a new key package kp for Alice using her spk and some
> >>>        HPKE key
> >>>>     she doesn't know. Then I forge an update proposal for Alice with kp. If it
> >>>        gets
> >>>>     committed I've effectively kicked her out of the group.
> >>>>     - I could forge Add's and Remove's coming from Alice, so I could trick the
> >>>>     group into thinking Alice is trying to Add my account to the group or remove
> >>>>     some other group member.
> >>>>
> >>>>     Lemme know if I've missed something here in that scenario...
> >>>>
> >>>>
> >>>>     If I didn't miss anything and the attacks really work as advertised then IMO
> >>>>     this is kinda weak sauce and worth avoiding if possible. So to that end, how
> >>>>     about we modify MLS such that MLSPlaintext packets coming from group members
> >>>>     must also be authenticated using something from the application key
> >>>>     schedule.
> >>>>     Now the above attacks fail. As soon as Alice's update is gets committed I no
> >>>>     longer know the group's key schedule and so can't forged packet from
> >>>        Alice. More
> >>>>     generally, this brings the PCS guarantees when using MLSPlaintexts
> >>>>     frameing in
> >>>>     line with what we're getting from MLSCiphertext packets.
> >>>>
> >>>>     Any thoughts?
> >>>>
> >>>>     - Joël
> >>>>
> >>>>
> >>>>
> >>>>     PS. For concreteness, we could probably extend the current mechanism for
> >>>        getting
> >>>>     concistancy (the confirmation_tag) to also provide symmetric key
> >>>        authentication.
> >>>>     E.g. include most of the MLSPlaintext content into whats being tagged by
> >>>>     confirmation_tag. That would cover the case of a commit packet and doesn't
> >>>        even
> >>>>     grow the size of MLSPlaintext packets over the current design.
> >>>>
> >>>>     For a proposal packet we could also have a confirmation_tag but this one is
> >>>>     computed using the *current* epoch's confirmation_key and
> >>>        confirmed_transcript_hash.
> >>>>
> >>>>     _______________________________________________
> >>>>     MLS mailing list
> >>>>     MLS@ietf.org <mailto:MLS@ietf.org> <mailto:MLS@ietf.org <mailto:MLS@ietf.org>> <mailto:MLS@ietf.org <mailto:MLS@ietf.org>>
> >>>>     https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls>
> >>>
> >>>        _______________________________________________
> >>>        MLS mailing list
> >>>        MLS@ietf.org <mailto:MLS@ietf.org> <mailto:MLS@ietf.org <mailto:MLS@ietf.org>> <mailto:MLS@ietf.org <mailto:MLS@ietf.org>>
> >>>        https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls>
> >