Re: [MLS] Async Add
Richard Barnes <rlb@ipv.sx> Wed, 23 September 2020 14:10 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A60AE3A0FC2 for <mls@ietfa.amsl.com>; Wed, 23 Sep 2020 07:10:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zC43XA39es8C for <mls@ietfa.amsl.com>; Wed, 23 Sep 2020 07:10:10 -0700 (PDT)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF1B73A0995 for <mls@ietf.org>; Wed, 23 Sep 2020 07:10:09 -0700 (PDT)
Received: by mail-qt1-x82e.google.com with SMTP id c18so18738922qtw.5 for <mls@ietf.org>; Wed, 23 Sep 2020 07:10:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=e6OrC7fWNPT8HNf/36iE+OJIwuxKbRPS1yoIj8yvCVM=; b=T0HOhlXvdzeYFQieLMnjbPvDVvKn3+bRhyTArKw9rorcwoP3SYiXwhSRKFzCAat6y5 esCPmqTOKQ/FUYCdZREj0lkPMm1m0XbJgDS6uuhJEk2MESQxJxWg7qc7Wm4vp/ukJ3NV FL/DN4Vm3uHQVkpz/jQ/5dMyiRkw2zcrTon8UBLxDOjl7yKzIlUqg8ooDqkc9gWsLxwO vKKduXRsS6Yk/vEPaov8B5lkcrvMBg6ajldBPqrSr9Sz/YsY8dp1TKjmhy+4qlIhZWA5 hZHWOnk4+6XUhSdStvVNOdtFg9pajhs7Y7x0rUcNkfIqqOZBDcIM3UNtSgDjLU1ATuTP dCKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=e6OrC7fWNPT8HNf/36iE+OJIwuxKbRPS1yoIj8yvCVM=; b=bJnUYLOjzOLMygM9T2usbvwNsjiuQpjrQ43fkmN//SRGNZwTZW1w21MyZRU69TuGBR rYUvps8Qn+9HV4lmY2ES9G+mMMmI1lylVvutVB5eT9lIUJ9AEHOCToXSWheFfW1JwChg 9djwj/2abevF0xhQ+cKR7T+gnCdwPpvCdWdeNJCD3ZMP+9o0WLmHEoQ3MgBXx0O8Ip+L fzba7NXzxzyJwBDCr5MZHL8tzgl7JV2/z8czz8/GQViiNmhzsdqasaOWeEPYeJXNkElP ePloHr4HomyT4zN3S7znnTaDWShhaYXfDK+YIB+Gv6FlkIAJytchsG+ToFAuEWVGVh1A EzUg==
X-Gm-Message-State: AOAM530bo2Z8JUGU8ccO+/xLNJ6wIeLFfFkrcBKwvODkCEXG9czV2cLi LM/7/3lqDGvo2AJSUbH/WDJ6Iepwr7dQUR/dPaXqXA==
X-Google-Smtp-Source: ABdhPJwRR48AMoDhvY+eIe6N4CNq0K8gFnJLlPHbhFhCKmhX93UkmpCuTLT5qG3loNK8nmEj5FFlPTfioGLsn/osqZg=
X-Received: by 2002:ac8:1b92:: with SMTP id z18mr141658qtj.265.1600870208039; Wed, 23 Sep 2020 07:10:08 -0700 (PDT)
MIME-Version: 1.0
References: <474411EE-C4E8-4D01-B135-2632078C1423@wire.com> <52db4542-ed98-a10b-ac55-e49594504ded@wickr.com> <CAL02cgQRrzvFKZrbPpH3b2CGv6FxP5XXtr4V=28CoXYR-bgwOg@mail.gmail.com> <CABP-pSR5k=ahwS108iJA6qy-gG-PRHj2x3sRjLzWwQY9gTMyHg@mail.gmail.com> <CAL02cgT7vSnm9XPuN_6pDo4dMnkcxqgjCZgxSFXHbZ6fQ1Rf8A@mail.gmail.com> <a4acba90-79cb-b4ba-1b8e-21c312b4c474@wickr.com>
In-Reply-To: <a4acba90-79cb-b4ba-1b8e-21c312b4c474@wickr.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 23 Sep 2020 10:09:32 -0400
Message-ID: <CAL02cgT2aR9VFixjai+Hr0KAyNjKyJ+PdHyoO_oU7xLOixnKkw@mail.gmail.com>
To: Joel Alwen <jalwen@wickr.com>
Cc: Brendan McMillion <brendan@cloudflare.com>, Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001504b905affba4d3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/F4VL6z8qXEKaz7q-4TdBFPh94WA>
Subject: Re: [MLS] Async Add
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2020 14:10:13 -0000
Glad you like it! I think your point about not doing it all the time is pretty good. Everything else aside, it's a lot more computation. The main drawback to not doing it all the time is that we need extra syntax for the AEC case, and switching logic. So you're trading all-the-time computation for the logic to switch between the AEC and non-AEC cases. Hopefully that won't be too complex. As I mentioned on the call, I think we can just do this with a new proposal, something like: struct { opaque encapsulated_key<0..2^16-1>; } ExternalInit; On receiving a commit with this proposal type, you would change from using the normal init_secret to deriving it from the encapsulated key. The bigger complexity comes from expressing how this proposal is used -- you would really only want it in the specific case that (a) it comes with an Add proposal and a Commit, (b) all three are signed with the new joiner's key, and (c) the Commit covers only the Add and ExternalInit. W.r.t. the erstwhile_init_secret -- yeah, definitely agree that we should derive a separate secret for this (external_init_secret?). So the bottom of the key schedule diagram will basically have a loop on it, where one path is epoch->init, and the other is epoch->external_init->external_init_key_pair->init. GroupContext_[n] -> KDF.Extract = epoch_secret | +--> DeriveSecret(., "ext init") --+ | = external_init_secret | | | V V DeriveSecret(., "init") DeriveKeyPair(.) | | = external_init_key_pair | | | V | HPKE.SetupBaseS(enc, .) | | | V | CTX.Export("mls 1.0 ext init", {}) | | |<---------------------------------+ | V init_secret_[n] On Wed, Sep 23, 2020 at 6:43 AM Joel Alwen <jalwen@wickr.com> wrote: > Unfortunately, I missed the call so I hope I'm not repeating / > misunderstanding > anything you've all figured out already. > > I think Richards extension to Raphael's suggestion is super sweet for > external > commits! To save space (and for lack of better terminology) I'll call that > version of a commit AEC for "asymmetric external commit". > > > if this is good enough, we should just do it all the time. > > If by "all the time" you mean replacing our normal internal commits with > AEC I'm > not following. > > AEC (necessarily) doesn't ensure the committer knows the old epoch's key > schedule. In other words it doesn't ensure committer is part of the group. > However for "internal" commits it make sense to require this as a security > property. As it stands now MLS does provide that guarantee via the > confirmation_tag. (And we have a PR in the works to guarantee the same > thing for > Proposals via a membership_tag.) But if we switch to AEC also for internal > commits we loose that guarantee. Maybe I just misunderstood what "all the > time" > means... > > I'm also not sure why we'd want to switch from a few calls to symmetric > primitives (HMAC) to 2 asymmetric ones (DH in HPKE) if we don't have to. > Whats > would we be buying at the cost of increased computation (and bandwidth for > commit packets)? > > > So the scheme you would end up with would be something like: > > > > init_priv = KEM.DeriveKeyPair(erstwhile_init_secret) > > enc, ctx = SetupBaseS(init_priv.public_key, "") // on the send side > > ctx = SetupBaseR(enc, init_priv, "") // on the receive side > > init_secret = ctx.Export("mls 1.0 init", secret_size) > > I'm not a fan of using (erstwhile_)init_secret both as coins (i.e. random > bits) > for generating HPKE keys and as input to HKDF to derive > (new_)joiner_secret. > More key/coins separation would be "healthy" at least from a provability > perspective. > > Thing is, no standard security notion for PKE would allow reusing the > coins from > keygen this (or any other) way. So if MLS does that it would make proving > security for MLS impossible based on some standard security of HPKE (say > IND-CCA). Normally, such a proof would turn an MLS attacker into an HPKE > attacker. But MLS would give the attacker extra data about the coins used > in > keygen not available in the HPKE security game. So I dont see how to turn > the > MLS attacker in to an IND-CCA attacker for HPKE. > > We might consider deriving init_priv in a similar way as we do node keys. > Namely > by having separate coins (node_secret) and a secret used for further > derivation > purposes (path_secret). How about this? > > init_coins = DeriveSecret(erstwhile_epoch_secret, "coins") > init_priv = KEM.DeriveKeyPair(init_coins) > > - Joël > > > > > That "enc" value is the additional data that needs to be conveyed from > the > > sender to the receivers. I'm sympathetic to Brendan's argument that if > this is > > good enough, we should just do it all the time. What is missing for me > is an > > understanding of how the following two transformations relate: > > > > epoch_secret --DeriveSecret-> init_secret > > epoch_secret --DeriveSecret-> erstwhile_init_secret --DeriveKeyPair-> > init_priv > > --SetupBase{skE},Export-> init_secret > > > > (Aside from the latter involving a lot more steps!) Either way you have > > transformed one secret to another; in the latter case, it is also > available to > > whomever holds skE. > > > > --RLB > > > > > > > > On Tue, Sep 22, 2020 at 11:09 AM Brendan McMillion < > brendan@cloudflare.com > > <mailto:brendan@cloudflare.com>> wrote: > > > > b. "Init with KEM" - You could generate a key pair off of the key > > schedule, use some KEM-based operations to derive the next init > secret. > > > > > > This is a really smart idea and seems like it wouldn't break PCS of > the > > group like the initial proposal or a public init secret would > > > > On Tue, Sep 22, 2020 at 7:56 AM Richard Barnes <rlb@ipv.sx > > <mailto:rlb@ipv.sx>> wrote: > > > > Thanks for posting this, Raphael. I agree with Joël that this > is a > > feature that is likely to get some use. And the PR is > pleasantly short > > (though I think it might need a bit more elaboration). > > > > On the topic of entropy from the last epoch, I'm wary of the > current > > all-zero approach. It seems like there are at least two other > > approaches available: > > > > a. "Public init secret" - Alongside the regular init secret, > derive a > > "public init secret" from the key schedule. Then use this as > the init > > secret for external commits. > > > > b. "Init with KEM" - You could generate a key pair off of the key > > schedule, use some KEM-based operations to derive the next init > secret. > > In the early days of MLS, we used DH for this. Nowadays, we're > > KEM-only, but I think the HPKE exporter might be pressed into > serving a > > similar purpose. > > > > Looking forward to the discussion... > > > > --RLB > > > > > > On Tue, Sep 22, 2020 at 9:24 AM Joel Alwen <jalwen@wickr.com > > <mailto:jalwen@wickr.com>> wrote: > > > > My initial 2 cents: this is not just a corner case. MLS > should > > specify how to > > support such functionality but as an optional mode and making > > explicit the price > > in security it entails. > > > > > > I believe such a feature would be used quite a bit if it > where > > available. E.g. > > My phone is the only device on my account. It breaks. I get > a new > > one and log > > back in to my account. Now I want my re-join my old groups. > In most > > deployments > > I'd expect that to be permitted by group policies. But how > can I > > re-join w/o the > > help of someone else in the group actively "pulling" me in? > If I'm > > not mistaken > > then this PR provides an answer. > > > > > > The solution does come with a price though. Some things that > come to > > mind: > > > > - It seems to require storing public group state on the DS > (or some > > other > > server) which isn't great for E2E metadata protection. > > > > - An external commit provides weaker security guarantees > than a > > normal commit. > > It throws out the old init_secret. Ergo, if ever an HPKE sk > to which > > one of the > > UpdatePath secrets was encrypted to leaks then the entire > > application key > > schedule of the new epoch is compromised. (Not to mention > that > > further epochs > > may also be compromised depending on the particulars of the > > execution.) For > > normal commits that's not the case because the adv. also > needs the > > old epoch's > > init_secret. > > > > > > - Joël > > > > On 21/09/2020 20:15, Raphael Robert wrote: > > > Hi all, > > > > > > Over the course of the past weeks when assessing how well > MLS > > would fit into existing messengers, it became obvious that > adding > > new members is still problematic. The operation – while > technically > > asynchronous – still requires two parties to be online in > many cases. > > > > > > Rather than writing a lot of prose here, I attached a > presentation > > that explains the problem and offers a potential solution. > > > > > > I also created the following PR: > > https://github.com/mlswg/mls-protocol/pull/406 > > > I will bring this up at the interim tomorrow for > discussion. > > > > > > Raphael > > > > > > > > > _______________________________________________ > > > MLS mailing list > > > MLS@ietf.org <mailto:MLS@ietf.org> > > > https://www.ietf.org/mailman/listinfo/mls > > > > > > > _______________________________________________ > > MLS mailing list > > MLS@ietf.org <mailto:MLS@ietf.org> > > https://www.ietf.org/mailman/listinfo/mls > > > > _______________________________________________ > > MLS mailing list > > MLS@ietf.org <mailto:MLS@ietf.org> > > https://www.ietf.org/mailman/listinfo/mls > > >
- [MLS] Async Add Raphael Robert
- Re: [MLS] Async Add Joel Alwen
- Re: [MLS] Async Add Richard Barnes
- Re: [MLS] Async Add Brendan McMillion
- Re: [MLS] Async Add Richard Barnes
- Re: [MLS] Async Add Joel Alwen
- Re: [MLS] Async Add Richard Barnes