IETF Logo Mail Archive

Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule

Richard Barnes <rlb@ipv.sx> Tue, 18 August 2020 17:20 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DFDA3A079F for <mls@ietfa.amsl.com>; Tue, 18 Aug 2020 10:20:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u-CXI9atfnG1 for <mls@ietfa.amsl.com>; Tue, 18 Aug 2020 10:20:42 -0700 (PDT)
Received: from mail-qk1-x736.google.com (mail-qk1-x736.google.com [IPv6:2607:f8b0:4864:20::736]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CC273A0788 for <mls@ietf.org>; Tue, 18 Aug 2020 10:20:42 -0700 (PDT)
Received: by mail-qk1-x736.google.com with SMTP id n129so18972973qkd.6 for <mls@ietf.org>; Tue, 18 Aug 2020 10:20:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YFEnYxFmK/+VdV9hQq0inKGQCXyumB4cCj9Pj0OQvls=; b=GtgP20+LOR7DJw/DbBP8YVovxL3yh3kWp+hmkyistnohrc1XBdcQ25BOkLy55lcaw1 R48b8aNAiXfOMf6N4nctzqgkt/MTD8OLSeXFJbj2AsC3F16lOsFOFDISZSd9qz4XawaL e8cLGFyNlbm1ANeDn+1uPfyxVuCi46ROE26VE+yULzcdTA4IxXPasOBPFjMVfkuM3QGT NHVgrEuKneV+WweLFm3aIIsqVMx/1cIM6qvMJHYsmIqZ/Y2fkd8sbdnvNWXE2H+ouhqY Ojo2F7jQNYoCYatZ+V08+tSAQNUOhhFORw3CFc9WffudikiMi1ozwhd55Nbzh6BnLYH5 qtYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YFEnYxFmK/+VdV9hQq0inKGQCXyumB4cCj9Pj0OQvls=; b=qRPmPqW8Zq/3OGsBVg9imtWpBG7J8w5YWf1frls7lLqKpxZ1WPYDEomdr8IUoTORGf G2TzaDkg5r6EMpbOPe90SZmuqBpdcBh2nfZniv5+IcqD7uI5/lvwqP1qH3kvNuZ+fboZ QfTN9RXQMYJKbAHJuhrlAHQWiZDOOBLdvMrTqtwo+T5IRrTcnjFeB1APzMdP4yv8bKve 9H3Ry6tXsxGgIMy8LCBJLZDg8WHEMjQICU6F597NhP3pROlto4hx8JnanLKvm3SqYVNe EXnMAW93kW24FYGyH55hClzXeskT8BNMmCJUosGo+gFiWJryA5YGrfMk4OY8f0zXcIc6 8roA==
X-Gm-Message-State: AOAM532ho2ae0aAEFII8YFarxZ9O6yiqNZERrCAS7vh9ZBiob9WATR58 hO+PqvufArcsQmfDEwuGya7KosIsUkdSSjUcKil5cw==
X-Google-Smtp-Source: ABdhPJz7s5ih8QjkhfJDlVSyZQw1FAZ3wqUHelHOUYHbFPO0UN0uMgWg3EPYCD/AItlA1V4WJmQFnELf1l0VTKee2T8=
X-Received: by 2002:a05:620a:132c:: with SMTP id p12mr17900611qkj.159.1597771240893; Tue, 18 Aug 2020 10:20:40 -0700 (PDT)
MIME-Version: 1.0
References: <7d7283b6-8c70-d045-81c2-f552219869ad@wickr.com> <F5B1E029-D8B4-4BEA-BF7A-CDD531D662BD@wire.com> <CAL02cgRTtZp+gHKA0hXxxEn_L6SWRRTJa-U+bhQUhpvM8qZ+Cg@mail.gmail.com> <87d72ad5-dce9-18f7-f1c4-7a8317fd0739@wickr.com> <30DD617C-A8A8-4801-A62A-43A722B1B597@wire.com>
In-Reply-To: <30DD617C-A8A8-4801-A62A-43A722B1B597@wire.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 18 Aug 2020 13:20:20 -0400
Message-ID: <CAL02cgTo8CXNt26XKGrMo1vU-n6M88YtoJ4cqdxrvpyWaX1VNA@mail.gmail.com>
To: Raphael Robert <raphael@wire.com>
Cc: Joel Alwen <jalwen@wickr.com>, Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003f1a1005ad2a1b05"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/DBBkZJBbks8lodKVwuW7uoDGU2Y>
Subject: Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2020 17:20:45 -0000

Sounds like we're converging here.  The only question in my mind is what
goes in the MAC -- seems like the easy option is probably "the remainder of
the MLSPlaintextTBS", i.e., everything from group_id to the end.  That
seems like it minimizes multiple serialization:

tbs_content = serialize(group_id, ...)
membership_token = KDF.Extract(confirmation_key, tbs_content)
tbs = group_context || membership_token || tbs_content

So the PR would be to basically pop the context off of MLSPlaintextTBS and
add the three lines above (with the switch for internal/external in prose).

Joël, do you want to write a PR?  If not, I could probably get to it in the
next couple days.

--Richard

On Tue, Aug 18, 2020 at 12:24 PM Raphael Robert <raphael@wire.com> wrote:

> I think what you just described is indeed a combination of option 1 & 2.
> It’s a MAC over the payload we want to authenticate, but it’s implicit and
> we only include it in the MLSPlaintextTBS. Or in other words, we stripped
> it from MLSPlaintext because it is implicitly known to any valid member of
> the group.
>
> Raphael
>
> On 18 Aug 2020, at 18:16, Joel Alwen <jalwen@wickr.com> wrote:
>
> Yeah, I like Option 2 here. I like that it avoids growing packet size.
>
> One caveat though: I'd go for the MAC(...) version rather than the
> confirmation_key. For starters thing including confirmation_key doesnt
> authenticate the contents of the packet. But even if it did, signatures
> aren't
> meant to hide the contents of what was signed. (Amend you favorite sig
> scheme to
> tack on the message at the end a signature and you've still got a secure
> signature scheme. But clearly not a message hiding one.) That means that
> AFAIK
> neither ECDSA nor EdDSA etc. were designed or analyzed for such a
> property. So
> this would amount to a very non-standard use of a signature schemes by
> MLS. Not
> saying it doesn't work for the particular sig schemes in our ciphersuite.
> But
> its def. not how signatures are "meant" to be used.
>
> But that leaves Option 2 with, say, including tag = MAC(conf_key,
> conf_trans_hash || MLSPlaintext.content) into whats being signed which I
> like
> and think gets the job done. Both conf_* values are taken from the current
> epoch. By MLSPlaintext.content I mean whats now called MLSPlaintextTBS.
>
> I would propose that we do need something additional on Commit messages as
> well as Proposals.
>
>
> @Richard: For Proopsals I think this works. Is that about what you had in
> mind
> for commits too?
>
> - Joël
>
>
> On 18/08/2020 17:26, Richard Barnes wrote:
>
> Thanks for pointing this out, Joël.  I agree that the attacks you're
> describing
> should work as things are currently specified.  And they're salient,
> especially
> the "replace Alice in the group" one.
>
> Also agree with Raphael is correct that Commit is not affected by this,
> since
> someone who is not a member won't be able to generate the right
> confirmation
> value.  However, I don't think this is actually the right design to adopt
> for a
> general solution to this problem.  Confirmation verifies group membership
> *after* processing the handshake message; the point here is that we should
> also
> have a membership check *before* processing handshake messages.  In
> particular,
> I would propose that we do need something additional on Commit messages as
> well
> as Proposals.
>
> Thinking about solutions here, a couple of options come to mind:
>
> 1. Use MLSCiphertext, but with an integrity-only encapsulation
> 2. Incorporate in the signature something that is only known to the group
> (e.g.,
> confirmation_key or MAC(confirmation_key; confirmed_transcript_hash ||
> Proposal/Commit))
>
> Option (1) has the appeal that you would only ever send MLSCiphertext,
> though
> switching between encrypted/not could be problematic.  Option (2) seems a
> lot
> more appealing: It doesn't add any overhead, since the group-secret value
> doesn't need to be sent.  And we already switch between the signature
> context
> that is added for group members vs. external.  In fact, I think option (2)
> would
> just amount to a one-line change to include an extra, secret value in the
> context at the top of the MLSPlaintextTBS struct.
>
> https://github.com/mlswg/mls-protocol/blob/master/draft-ietf-mls-protocol.md#content-signing-and-encryption
>
> The only thing that seems odd about (2) is overloading signature
> verification in
> that way, i.e., using the ability to generate a signature over a secret
> thing to
> prove you know the secret thing.  That doesn't seem obviously flawed to
> me, but
> worth thinking about.
>
> Does that make sense to folks?
>
> --Richard
>
>
> On Tue, Aug 18, 2020 at 10:55 AM Raphael Robert
> <raphael=40wire.com@dmarc.ietf.org <mailto:40wire.com@dmarc.ietf.org
> <40wire.com@dmarc.ietf.org>>> wrote:
>
>    Hi Joel,
>
>    For context: this would only apply when applications use cleartext
>    MLSPlaintext for HS messages. The recommendation is still to encrypt
> them
>    and send them around as MLSCiphertext.
>    That being said, we said we would like to support scenarios where HS
>    messages are not necessarily encrypted.
>
>    Question: would this attack work with Commit messages? I’m thinking that
>    they would be rejected because the attacker cannot compute the
> confirmation_tag.
>
>    As you mention in the PS, the easy target would be Proposal messages.
>
>    I’d be interested to see what exactly you would propose as a mitigation
>    mechanism.
>
>    Raphael
>
> On 18 Aug 2020, at 16:36, Joel Alwen <jalwen@wickr.com
>
>    <mailto:jalwen@wickr.com <jalwen@wickr.com>>> wrote:
>
>
> Hey everyone,
>
> Something thats been bugging Marta Mularczyk and Daniel Jost and me for a
> bit
> now is that handshake messages sent out as MLSPlaintext packets are only
> authenticated using signatures, but not using the group's key schedule. For
> non-members that makes sense but for group members that's weaker than need
> be.
>
> Suppose Alice is in a group using signing key pair (spk, ssk). I corrupt
>
>    her to
>
> learn ssk. Now I loose access to her device again. Later she generates a
> fresh
> key package with her same spk but a new HPKE key for her leaf. She sends
>
>    out and
>
> update proposal for her new key package and someone commits to the update.
>
> Expected result: she (and the group at large) has achieved PCS again.
>
> Actual result: using her stolen ssk I can still forge a new proposal's
>
>    (sent as
>
> MLSPlaintext packets) coming from Alice. Some things I could do with this
>
>    power:
>
> - I can generate a new key package kp for Alice using her spk and some
>
>    HPKE key
>
> she doesn't know. Then I forge an update proposal for Alice with kp. If it
>
>    gets
>
> committed I've effectively kicked her out of the group.
> - I could forge Add's and Remove's coming from Alice, so I could trick the
> group into thinking Alice is trying to Add my account to the group or
> remove
> some other group member.
>
> Lemme know if I've missed something here in that scenario...
>
>
> If I didn't miss anything and the attacks really work as advertised then
> IMO
> this is kinda weak sauce and worth avoiding if possible. So to that end,
> how
> about we modify MLS such that MLSPlaintext packets coming from group
> members
> must also be authenticated using something from the application key
> schedule.
> Now the above attacks fail. As soon as Alice's update is gets committed I
> no
> longer know the group's key schedule and so can't forged packet from
>
>    Alice. More
>
> generally, this brings the PCS guarantees when using MLSPlaintexts
> frameing in
> line with what we're getting from MLSCiphertext packets.
>
> Any thoughts?
>
> - Joël
>
>
>
> PS. For concreteness, we could probably extend the current mechanism for
>
>    getting
>
> concistancy (the confirmation_tag) to also provide symmetric key
>
>    authentication.
>
> E.g. include most of the MLSPlaintext content into whats being tagged by
> confirmation_tag. That would cover the case of a commit packet and doesn't
>
>    even
>
> grow the size of MLSPlaintext packets over the current design.
>
> For a proposal packet we could also have a confirmation_tag but this one is
> computed using the *current* epoch's confirmation_key and
>
>    confirmed_transcript_hash.
>
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org <mailto:MLS@ietf.org <MLS@ietf.org>>
> https://www.ietf.org/mailman/listinfo/mls
>
>
>    _______________________________________________
>    MLS mailing list
>    MLS@ietf.org <mailto:MLS@ietf.org <MLS@ietf.org>>
>    https://www.ietf.org/mailman/listinfo/mls
>
>
>

v2.23.0 | Report a Bug | By Email