IETF Logo Mail Archive

Re: [MLS] Unpredictable epochs?

Richard Barnes <rlb@ipv.sx> Tue, 23 April 2019 15:03 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D463112008C for <mls@ietfa.amsl.com>; Tue, 23 Apr 2019 08:03:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Az1bdhE_6WcS for <mls@ietfa.amsl.com>; Tue, 23 Apr 2019 08:03:42 -0700 (PDT)
Received: from mail-oi1-x22f.google.com (mail-oi1-x22f.google.com [IPv6:2607:f8b0:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F5AA120033 for <mls@ietf.org>; Tue, 23 Apr 2019 08:03:42 -0700 (PDT)
Received: by mail-oi1-x22f.google.com with SMTP id v84so11548046oif.4 for <mls@ietf.org>; Tue, 23 Apr 2019 08:03:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=G6i6Jw9Yc6o9decvm+LaSoRqDsseXKvUDOO8iXcFhjg=; b=VWs//Ik0fv5xvWVdutqOdHfMnTOEWS9CrVnrsYveuWe8jF4SXV3H4Dgnu3C/ZFtXuy dvIOi1QRtVcDdLuwNmjWW1WI3L/mOtXbQ6mPu4aFQGElKnKreAe1SK0ClQjyqLiE2/lO fzuPgNgkzePg4X+rX2xgLeYZP4P3O2TLM4r3O4Ob4qGpJ52mV4lD7pswAh/5cew4ZCPA WuNlo7iwcCkQw96poutEFjTYcuISFcQ7+ZTR14Nbb9hje6ZiykG/syoYMMpnsCEGZIFl 1uY6bVZRBuWD3a6VzR7nJrpBwy/f3BSA0yRIvakH4C9hUFJSy4Cg6D78qgjNt7H1Hgit aeWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=G6i6Jw9Yc6o9decvm+LaSoRqDsseXKvUDOO8iXcFhjg=; b=qii20Im4wbY4/LAj7+SJsjddh+lG7aAvwWWgvlUX2/VY3gN2Sxf+ziPpjhUIPQ7apR 5qwkbuwW8VlHELpmXn86HiX8nGioBbVW/YucQwtKfrnrFHcBjA/hM2FOSoIeSRSQp52k gRhmyUgYV+rdbtE2hH2Gxp8E4NTFc6P+n+bKGWoKM6fHqcfZ9GCtEPkYZEh2UlurpLhR Zw26aZHhzFqkM/Zs6qwVY9fpl7NgIE51WVxRiUEqjybuo4Qv7u3evPXyTAbX9mLRuXFp 1DPgY+CNWIarzrr651C1FlB4iBQ7bbw5Y7irvdotta9zUyM7LBePTF+na5V6HbomVQCi Ju/Q==
X-Gm-Message-State: APjAAAW2gLHXLFOBfFyJ99DfiLUlCrxJ5x0W3CGpKZmc0ZOlkpsD2Xrm OdX+HRhQVFvykFhjZLcrXY+rDEHPtdDM9PfSDk14tA==
X-Google-Smtp-Source: APXvYqwJbtJFAg35as0ZZizGdqee95IYwkbRBJd/fYstU7bwBcpr+rLEGmhlnt3ZbGgNMH0mBEuYre92BKV8ICSi3S8=
X-Received: by 2002:aca:d614:: with SMTP id n20mr1971928oig.135.1556031821142; Tue, 23 Apr 2019 08:03:41 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgSE1xTF2Wsq-u=BCu2Z_4UzMzqMPi=D_H7_7hbRpUMVVA@mail.gmail.com> <2D195D14-9F9A-4D64-92EF-35C601C52C01@inria.fr> <CAL02cgR8gQ6cH_QXd_9v46aJ5aeo=b=1GiYu9YxCNYzJb0tOFQ@mail.gmail.com> <B36BF8F5-EAE9-4C96-A867-82CDFBF830C0@inria.fr>
In-Reply-To: <B36BF8F5-EAE9-4C96-A867-82CDFBF830C0@inria.fr>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 23 Apr 2019 11:03:20 -0400
Message-ID: <CAL02cgQ7-JMQsG6sq6YBB3G-5tmCVQoo07nvW63tzBzHPQ0ZWw@mail.gmail.com>
To: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
Cc: Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f57086058733e332"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/DfIcylYeETcFxpDb00kpMVHTydM>
Subject: Re: [MLS] Unpredictable epochs?
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2019 15:03:45 -0000

Here's a PR:

https://github.com/mlswg/mls-protocol/pull/152/files

On Mon, Apr 22, 2019 at 6:52 PM Benjamin Beurdouche <
benjamin.beurdouche@inria.fr> wrote:

> +1
>
> On Apr 23, 2019, at 12:49 AM, Richard Barnes <rlb@ipv.sx> wrote:
>
> True, you could have one unpredictable identifier that identifies both the
> group ID and the epoch.  I like how that looks on the wire, but would
> require a bit more bookkeeping in clients.  I might be inclined to go ahead
> and land an unpredictable-epoch PR in -05 (since that's a pretty small
> change), then look at folding in the group ID later.
> --RLB
>
>
> On Mon, Apr 22, 2019 at 6:42 PM Benjamin Beurdouche <
> benjamin.beurdouche@inria.fr> wrote:
>
>> Side note before I forget. After merging the common framing, the only two
>> things potentially remaining in the clear will be the group identifier and
>> the epoch number (because we need those to pick the group key necessary to
>> decrypt the sender info). Raphael and I talked about adopting a similar
>> approach but generating an ephemeral Group Id at the same time. That could
>> help a bit on the meta data protection side by making it harder for an
>> adversarial DS to be able to correlate messages in delivery queues across
>> groups and across epochs. The fact that this might be useful or not depends
>> a lot on architecture assumptions though....
>>
>> B.
>>
>> On Apr 23, 2019, at 12:11 AM, Richard Barnes <rlb@ipv.sx> wrote:
>>
>> Hey all,
>>
>> As I've been working with Benjamin on updating and landing the common
>> framing PR, I noticed that the epoch is still exposing more information to
>> the DS than it needs to.
>>
>> Right now, the epoch just increments by one every time the epoch
>> changes.  This lets the DS track epochs statelessly -- it can take any two
>> messages and see which was before the other, without the need for any
>> ongoing tracking.
>>
>> However, the epoch only needs to be intelligible to members of the group,
>> so we could generate epoch values in a way that would only be intelligible
>> to members.  For example [1]:
>>
>> epoch_[n] = HKDF-Expand-Label(some_secret_for_epoch_[n], epoch_[n-1],
>> "epoch", 4)
>>
>> That way, the DS could observe epoch changes, and observe how many
>> messages were sent within each epoch.  But it wouldn't be able to
>> understand the sequence unless it tracked things all along.
>>
>> A side benefit of this is that it allows the group to have forks in its
>> history more cleanly, since different forks will have different epoch
>> numbers.  That could allow some softness in the ordering requirement, as
>> long as the group can eventually figure out which branch is the right one
>> [2].
>>
>> Does this seem worthwhile to people?  The cost is a few extra hashes.  To
>> me, the completeness/consistency seems like a marginal benefit, but the
>> clean forking seems pretty convincing.  If folks think this worthwhile, I'm
>> happy to write up a PR.
>>
>> Thanks,
>> --Richard
>>
>>
>> [1] I would probably keep epochs at 4 bytes, because any more seems
>> wasteful.
>> [2]
>> http://mycours.es/gamedesign2012/files/2012/08/The-Garden-of-Forking-Paths-Jorge-Luis-Borges-1941.pdf
>>
>> _______________________________________________
>> MLS mailing list
>> MLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/mls
>>
>>

v2.23.0 | Report a Bug | By Email