IETF Logo Mail Archive

Re: [MLS] Unpredictable epochs?

Richard Barnes <rlb@ipv.sx> Fri, 26 April 2019 13:22 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B8CA120072 for <mls@ietfa.amsl.com>; Fri, 26 Apr 2019 06:22:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gXFDC8Knb6ef for <mls@ietfa.amsl.com>; Fri, 26 Apr 2019 06:22:11 -0700 (PDT)
Received: from mail-ot1-x331.google.com (mail-ot1-x331.google.com [IPv6:2607:f8b0:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 010F512004B for <mls@ietf.org>; Fri, 26 Apr 2019 06:22:10 -0700 (PDT)
Received: by mail-ot1-x331.google.com with SMTP id j10so2640083otq.0 for <mls@ietf.org>; Fri, 26 Apr 2019 06:22:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8AKL/jbUg10rWSrWRwETW+pBmaj8gVQZx2G59MfeYTM=; b=Pw/Lzdn0BCg4bzV1YYMN6xsIUcQes335SYd/zlmdr5y7g9JFP3p6zK2WkdKhaRSmt5 gPRBpkdyFqoRRRZmawnPVB/lU4h1pP5KRWjgKMclWf1IyGQWd5dzmMJjv4UlqDYT56lU 0P7zxZCjjpuNh6sI8wtATK8L18jHsHAodf0EU/7ZerXBFFQfsh/bZNyELNPH0x/Wx86v 6tGLGS702P+Guj4D+5kwCLe9NSFsd69Oe5WN63k1yZVMGpeP1Weuu8R7hzzOtPHaWkWB KNwPF8FlbEptEnezFDE1a5KYSZ3a310sauB5cg397UpjHLuKFf2tqwi3iFao/iHLoaQF W9Ww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8AKL/jbUg10rWSrWRwETW+pBmaj8gVQZx2G59MfeYTM=; b=UdLEHPGU7PnNnFcp0ANj6+RBw/FUbrgVBhJIu4gY3RJLYCgI/SIT4oMtx8BYjenKGm JObHwS1jIfpqByWKPLB4wB7nAunWNGxz3KnfQQqyHfWeEdPllTi0LaqpRZH18KA3NgRi /jNz8mhMUljWOj2UPGXp4cWH1d2rxA9NxK2mIUs+DO8GEc1zWtMGvtSyCZgyD942BZwN s+O6IEhfVN+SgmTcVBxdG6RTAWH1g32oe5tGBs+YOwnVJJRj6PtC8cf1gBCAQ2uIkUPx N269nSKpaMNf1ASsgqJ3qWLNq0VoA9EYY7dR7M3cV5BUG3GpLofVpLr3l86L1/PGwyut mbCw==
X-Gm-Message-State: APjAAAWU7Gjt6VWxw5VvbcUw4ejX0jRbu8lL16026wkTZZvfgAtEaSE1 R9l6WxvhV1IJLNuZb+DN0VFVoeG/7ncaykaFLEyy3g==
X-Google-Smtp-Source: APXvYqz7Y5CNFhM3YSXl8ch6XfwOQijvfgECDRfXciYUNp806TfKVimK31Y4h2frC6s3ryNnTdWCXdlip1mWFyvNViY=
X-Received: by 2002:a9d:4d07:: with SMTP id n7mr16339003otf.162.1556284930244; Fri, 26 Apr 2019 06:22:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgSE1xTF2Wsq-u=BCu2Z_4UzMzqMPi=D_H7_7hbRpUMVVA@mail.gmail.com> <2D195D14-9F9A-4D64-92EF-35C601C52C01@inria.fr> <CAL02cgR8gQ6cH_QXd_9v46aJ5aeo=b=1GiYu9YxCNYzJb0tOFQ@mail.gmail.com> <B36BF8F5-EAE9-4C96-A867-82CDFBF830C0@inria.fr> <CAL02cgQ7-JMQsG6sq6YBB3G-5tmCVQoo07nvW63tzBzHPQ0ZWw@mail.gmail.com> <AC74CACD-541B-49CD-9CC9-63343307A53D@fastmail.com> <CAL02cgR98gpF1HqDn31-xxUC6w3Orec_P=2VZ_5jc3xx6uLWCQ@mail.gmail.com> <E984A4FB-DBA9-4B4D-A0F4-A6A5ABEF8ADD@inria.fr>
In-Reply-To: <E984A4FB-DBA9-4B4D-A0F4-A6A5ABEF8ADD@inria.fr>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 26 Apr 2019 09:21:45 -0400
Message-ID: <CAL02cgQtF4_gAM1dd+3Vrsi+p-1-R3otRHbOTbiLELVxiuyLVg@mail.gmail.com>
To: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
Cc: Michael Rosenberg <micro@fastmail.com>, ML Messaging Layer Security <mls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006fdbc605876ed25b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/FADZ2r_lV_qG4ZreHidKskqS33o>
Subject: Re: [MLS] Unpredictable epochs?
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2019 13:22:14 -0000

On Fri, Apr 26, 2019 at 9:08 AM Benjamin Beurdouche <
benjamin.beurdouche@inria.fr> wrote:

>
>
> > On Apr 26, 2019, at 2:28 PM, Richard Barnes <rlb@ipv.sx> wrote:
> >
> > Well, I don't think we can get rid of the epoch entirely.  For handshake
> messages, you could maybe get by with the theory that if a message doesn't
> apply to the single most recent state, then it's no good, so you don't need
> to explicitly say which state it applies to.  But that seems painful,
> especially if you want to tolerate a degree of partial order / forking
> history.  For application messages, you definitely need it, otherwise you
> have an issue with application messages being out of order with handshake
> messages.
> >
> > That said, it does seem like we could maybe steal the epoch from
> elsewhere and save a few hash invocations.  The question is what value we
> could re-use that wouldn't be leaking information.  The tree hash seems bad
> from that perspective, because it is never transmitted in the clear
> otherwise.  Another option I had pondered was re-using the confirmation MAC
> value.  In any case, as a first effort, it seemed simpler to derive a value
> for the purpose.
> >
> > W.r.t. the transcript hash - I have the same suspicion you do, but I am
> waiting for someone with a security proof in hand to tell me it's OK to
> remove :)
>
> I will do a round of review next week but *from what I remember* about the
> proposal,
> I don’t think you can do that. The transcript hash contains strictly more
> information than
> the tree hash anyway, especially for authentication. I’ll check when
> reviewing but if the tree hash
> doesn’t cover the signatures, for example, then you can’t replace one by
> the other.
>

We might have a problem in any case, then, since the transcript hash
doesn't cover the signatures either.

--Richard


>
> B.

v2.23.0 | Report a Bug | By Email