Re: [MLS] Async Add
Richard Barnes <rlb@ipv.sx> Wed, 23 September 2020 14:10 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A60AE3A0FC2 for <mls@ietfa.amsl.com>; Wed, 23 Sep 2020 07:10:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zC43XA39es8C for <mls@ietfa.amsl.com>; Wed, 23 Sep 2020 07:10:10 -0700 (PDT)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF1B73A0995 for <mls@ietf.org>; Wed, 23 Sep 2020 07:10:09 -0700 (PDT)
Received: by mail-qt1-x82e.google.com with SMTP id c18so18738922qtw.5 for <mls@ietf.org>; Wed, 23 Sep 2020 07:10:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=e6OrC7fWNPT8HNf/36iE+OJIwuxKbRPS1yoIj8yvCVM=; b=T0HOhlXvdzeYFQieLMnjbPvDVvKn3+bRhyTArKw9rorcwoP3SYiXwhSRKFzCAat6y5 esCPmqTOKQ/FUYCdZREj0lkPMm1m0XbJgDS6uuhJEk2MESQxJxWg7qc7Wm4vp/ukJ3NV FL/DN4Vm3uHQVkpz/jQ/5dMyiRkw2zcrTon8UBLxDOjl7yKzIlUqg8ooDqkc9gWsLxwO vKKduXRsS6Yk/vEPaov8B5lkcrvMBg6ajldBPqrSr9Sz/YsY8dp1TKjmhy+4qlIhZWA5 hZHWOnk4+6XUhSdStvVNOdtFg9pajhs7Y7x0rUcNkfIqqOZBDcIM3UNtSgDjLU1ATuTP dCKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=e6OrC7fWNPT8HNf/36iE+OJIwuxKbRPS1yoIj8yvCVM=; b=bJnUYLOjzOLMygM9T2usbvwNsjiuQpjrQ43fkmN//SRGNZwTZW1w21MyZRU69TuGBR rYUvps8Qn+9HV4lmY2ES9G+mMMmI1lylVvutVB5eT9lIUJ9AEHOCToXSWheFfW1JwChg 9djwj/2abevF0xhQ+cKR7T+gnCdwPpvCdWdeNJCD3ZMP+9o0WLmHEoQ3MgBXx0O8Ip+L fzba7NXzxzyJwBDCr5MZHL8tzgl7JV2/z8czz8/GQViiNmhzsdqasaOWeEPYeJXNkElP ePloHr4HomyT4zN3S7znnTaDWShhaYXfDK+YIB+Gv6FlkIAJytchsG+ToFAuEWVGVh1A EzUg==
X-Gm-Message-State: AOAM530bo2Z8JUGU8ccO+/xLNJ6wIeLFfFkrcBKwvODkCEXG9czV2cLi LM/7/3lqDGvo2AJSUbH/WDJ6Iepwr7dQUR/dPaXqXA==
X-Google-Smtp-Source: ABdhPJwRR48AMoDhvY+eIe6N4CNq0K8gFnJLlPHbhFhCKmhX93UkmpCuTLT5qG3loNK8nmEj5FFlPTfioGLsn/osqZg=
X-Received: by 2002:ac8:1b92:: with SMTP id z18mr141658qtj.265.1600870208039; Wed, 23 Sep 2020 07:10:08 -0700 (PDT)
MIME-Version: 1.0
References: <474411EE-C4E8-4D01-B135-2632078C1423@wire.com> <52db4542-ed98-a10b-ac55-e49594504ded@wickr.com> <CAL02cgQRrzvFKZrbPpH3b2CGv6FxP5XXtr4V=28CoXYR-bgwOg@mail.gmail.com> <CABP-pSR5k=ahwS108iJA6qy-gG-PRHj2x3sRjLzWwQY9gTMyHg@mail.gmail.com> <CAL02cgT7vSnm9XPuN_6pDo4dMnkcxqgjCZgxSFXHbZ6fQ1Rf8A@mail.gmail.com> <a4acba90-79cb-b4ba-1b8e-21c312b4c474@wickr.com>
In-Reply-To: <a4acba90-79cb-b4ba-1b8e-21c312b4c474@wickr.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 23 Sep 2020 10:09:32 -0400
Message-ID: <CAL02cgT2aR9VFixjai+Hr0KAyNjKyJ+PdHyoO_oU7xLOixnKkw@mail.gmail.com>
To: Joel Alwen <jalwen@wickr.com>
Cc: Brendan McMillion <brendan@cloudflare.com>, Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001504b905affba4d3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/F4VL6z8qXEKaz7q-4TdBFPh94WA>
Subject: Re: [MLS] Async Add
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2020 14:10:13 -0000
Glad you like it!
I think your point about not doing it all the time is pretty good.
Everything else aside, it's a lot more computation. The main drawback to
not doing it all the time is that we need extra syntax for the AEC case,
and switching logic. So you're trading all-the-time computation for the
logic to switch between the AEC and non-AEC cases.
Hopefully that won't be too complex. As I mentioned on the call, I think
we can just do this with a new proposal, something like:
struct {
opaque encapsulated_key<0..2^16-1>;
} ExternalInit;
On receiving a commit with this proposal type, you would change from using
the normal init_secret to deriving it from the encapsulated key. The
bigger complexity comes from expressing how this proposal is used -- you
would really only want it in the specific case that (a) it comes with an
Add proposal and a Commit, (b) all three are signed with the new joiner's
key, and (c) the Commit covers only the Add and ExternalInit.
W.r.t. the erstwhile_init_secret -- yeah, definitely agree that we should
derive a separate secret for this (external_init_secret?). So the bottom
of the key schedule diagram will basically have a loop on it, where one
path is epoch->init, and the other is
epoch->external_init->external_init_key_pair->init.
GroupContext_[n] -> KDF.Extract = epoch_secret
|
+--> DeriveSecret(., "ext init") --+
| = external_init_secret |
| |
V V
DeriveSecret(., "init") DeriveKeyPair(.)
| | =
external_init_key_pair
| |
| V
| HPKE.SetupBaseS(enc, .)
| |
| V
| CTX.Export("mls 1.0 ext init",
{})
| |
|<---------------------------------+
|
V
init_secret_[n]
On Wed, Sep 23, 2020 at 6:43 AM Joel Alwen <jalwen@wickr.com> wrote:
> Unfortunately, I missed the call so I hope I'm not repeating /
> misunderstanding
> anything you've all figured out already.
>
> I think Richards extension to Raphael's suggestion is super sweet for
> external
> commits! To save space (and for lack of better terminology) I'll call that
> version of a commit AEC for "asymmetric external commit".
>
> > if this is good enough, we should just do it all the time.
>
> If by "all the time" you mean replacing our normal internal commits with
> AEC I'm
> not following.
>
> AEC (necessarily) doesn't ensure the committer knows the old epoch's key
> schedule. In other words it doesn't ensure committer is part of the group.
> However for "internal" commits it make sense to require this as a security
> property. As it stands now MLS does provide that guarantee via the
> confirmation_tag. (And we have a PR in the works to guarantee the same
> thing for
> Proposals via a membership_tag.) But if we switch to AEC also for internal
> commits we loose that guarantee. Maybe I just misunderstood what "all the
> time"
> means...
>
> I'm also not sure why we'd want to switch from a few calls to symmetric
> primitives (HMAC) to 2 asymmetric ones (DH in HPKE) if we don't have to.
> Whats
> would we be buying at the cost of increased computation (and bandwidth for
> commit packets)?
>
> > So the scheme you would end up with would be something like:
> >
> > init_priv = KEM.DeriveKeyPair(erstwhile_init_secret)
> > enc, ctx = SetupBaseS(init_priv.public_key, "") // on the send side
> > ctx = SetupBaseR(enc, init_priv, "") // on the receive side
> > init_secret = ctx.Export("mls 1.0 init", secret_size)
>
> I'm not a fan of using (erstwhile_)init_secret both as coins (i.e. random
> bits)
> for generating HPKE keys and as input to HKDF to derive
> (new_)joiner_secret.
> More key/coins separation would be "healthy" at least from a provability
> perspective.
>
> Thing is, no standard security notion for PKE would allow reusing the
> coins from
> keygen this (or any other) way. So if MLS does that it would make proving
> security for MLS impossible based on some standard security of HPKE (say
> IND-CCA). Normally, such a proof would turn an MLS attacker into an HPKE
> attacker. But MLS would give the attacker extra data about the coins used
> in
> keygen not available in the HPKE security game. So I dont see how to turn
> the
> MLS attacker in to an IND-CCA attacker for HPKE.
>
> We might consider deriving init_priv in a similar way as we do node keys.
> Namely
> by having separate coins (node_secret) and a secret used for further
> derivation
> purposes (path_secret). How about this?
>
> init_coins = DeriveSecret(erstwhile_epoch_secret, "coins")
> init_priv = KEM.DeriveKeyPair(init_coins)
>
> - Joël
>
>
>
> > That "enc" value is the additional data that needs to be conveyed from
> the
> > sender to the receivers. I'm sympathetic to Brendan's argument that if
> this is
> > good enough, we should just do it all the time. What is missing for me
> is an
> > understanding of how the following two transformations relate:
> >
> > epoch_secret --DeriveSecret-> init_secret
> > epoch_secret --DeriveSecret-> erstwhile_init_secret --DeriveKeyPair->
> init_priv
> > --SetupBase{skE},Export-> init_secret
> >
> > (Aside from the latter involving a lot more steps!) Either way you have
> > transformed one secret to another; in the latter case, it is also
> available to
> > whomever holds skE.
> >
> > --RLB
> >
> >
> >
> > On Tue, Sep 22, 2020 at 11:09 AM Brendan McMillion <
> brendan@cloudflare.com
> > <mailto:brendan@cloudflare.com>> wrote:
> >
> > b. "Init with KEM" - You could generate a key pair off of the key
> > schedule, use some KEM-based operations to derive the next init
> secret.
> >
> >
> > This is a really smart idea and seems like it wouldn't break PCS of
> the
> > group like the initial proposal or a public init secret would
> >
> > On Tue, Sep 22, 2020 at 7:56 AM Richard Barnes <rlb@ipv.sx
> > <mailto:rlb@ipv.sx>> wrote:
> >
> > Thanks for posting this, Raphael. I agree with Joël that this
> is a
> > feature that is likely to get some use. And the PR is
> pleasantly short
> > (though I think it might need a bit more elaboration).
> >
> > On the topic of entropy from the last epoch, I'm wary of the
> current
> > all-zero approach. It seems like there are at least two other
> > approaches available:
> >
> > a. "Public init secret" - Alongside the regular init secret,
> derive a
> > "public init secret" from the key schedule. Then use this as
> the init
> > secret for external commits.
> >
> > b. "Init with KEM" - You could generate a key pair off of the key
> > schedule, use some KEM-based operations to derive the next init
> secret.
> > In the early days of MLS, we used DH for this. Nowadays, we're
> > KEM-only, but I think the HPKE exporter might be pressed into
> serving a
> > similar purpose.
> >
> > Looking forward to the discussion...
> >
> > --RLB
> >
> >
> > On Tue, Sep 22, 2020 at 9:24 AM Joel Alwen <jalwen@wickr.com
> > <mailto:jalwen@wickr.com>> wrote:
> >
> > My initial 2 cents: this is not just a corner case. MLS
> should
> > specify how to
> > support such functionality but as an optional mode and making
> > explicit the price
> > in security it entails.
> >
> >
> > I believe such a feature would be used quite a bit if it
> where
> > available. E.g.
> > My phone is the only device on my account. It breaks. I get
> a new
> > one and log
> > back in to my account. Now I want my re-join my old groups.
> In most
> > deployments
> > I'd expect that to be permitted by group policies. But how
> can I
> > re-join w/o the
> > help of someone else in the group actively "pulling" me in?
> If I'm
> > not mistaken
> > then this PR provides an answer.
> >
> >
> > The solution does come with a price though. Some things that
> come to
> > mind:
> >
> > - It seems to require storing public group state on the DS
> (or some
> > other
> > server) which isn't great for E2E metadata protection.
> >
> > - An external commit provides weaker security guarantees
> than a
> > normal commit.
> > It throws out the old init_secret. Ergo, if ever an HPKE sk
> to which
> > one of the
> > UpdatePath secrets was encrypted to leaks then the entire
> > application key
> > schedule of the new epoch is compromised. (Not to mention
> that
> > further epochs
> > may also be compromised depending on the particulars of the
> > execution.) For
> > normal commits that's not the case because the adv. also
> needs the
> > old epoch's
> > init_secret.
> >
> >
> > - Joël
> >
> > On 21/09/2020 20:15, Raphael Robert wrote:
> > > Hi all,
> > >
> > > Over the course of the past weeks when assessing how well
> MLS
> > would fit into existing messengers, it became obvious that
> adding
> > new members is still problematic. The operation – while
> technically
> > asynchronous – still requires two parties to be online in
> many cases.
> > >
> > > Rather than writing a lot of prose here, I attached a
> presentation
> > that explains the problem and offers a potential solution.
> > >
> > > I also created the following PR:
> > https://github.com/mlswg/mls-protocol/pull/406
> > > I will bring this up at the interim tomorrow for
> discussion.
> > >
> > > Raphael
> > >
> > >
> > > _______________________________________________
> > > MLS mailing list
> > > MLS@ietf.org <mailto:MLS@ietf.org>
> > > https://www.ietf.org/mailman/listinfo/mls
> > >
> >
> > _______________________________________________
> > MLS mailing list
> > MLS@ietf.org <mailto:MLS@ietf.org>
> > https://www.ietf.org/mailman/listinfo/mls
> >
> > _______________________________________________
> > MLS mailing list
> > MLS@ietf.org <mailto:MLS@ietf.org>
> > https://www.ietf.org/mailman/listinfo/mls
> >
>
- [MLS] Async Add Raphael Robert
- Re: [MLS] Async Add Joel Alwen
- Re: [MLS] Async Add Richard Barnes
- Re: [MLS] Async Add Brendan McMillion
- Re: [MLS] Async Add Richard Barnes
- Re: [MLS] Async Add Joel Alwen
- Re: [MLS] Async Add Richard Barnes