IETF Logo Mail Archive

Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule

Brendan McMillion <brendan@cloudflare.com> Tue, 18 August 2020 17:37 UTC

Return-Path: <brendan@cloudflare.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFF143A088C for <mls@ietfa.amsl.com>; Tue, 18 Aug 2020 10:37:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P5vxcXG4x_op for <mls@ietfa.amsl.com>; Tue, 18 Aug 2020 10:37:05 -0700 (PDT)
Received: from mail-qv1-xf2e.google.com (mail-qv1-xf2e.google.com [IPv6:2607:f8b0:4864:20::f2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9024C3A088A for <mls@ietf.org>; Tue, 18 Aug 2020 10:37:05 -0700 (PDT)
Received: by mail-qv1-xf2e.google.com with SMTP id j10so9915504qvo.13 for <mls@ietf.org>; Tue, 18 Aug 2020 10:37:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=q4YfoYK+bD8WyG0Ib8J342bEBZjmhz8Afu+Kawkt5HQ=; b=CoVCuAbjTtyj8ESGTv0j5OflRq9+pPXRtom2292lRs+l6evk4sWzOV76B9115vCdlp 0kxXqzBixl5ySjDhQuz/1AbRO5hV8/JTxTu7amTLt9AhF7uh97FrtJPC2XWgsKgE4eLM ip00eojjclltEWaZ411eCuEvJAK4X16vsm3+8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=q4YfoYK+bD8WyG0Ib8J342bEBZjmhz8Afu+Kawkt5HQ=; b=Bo9Onl3iyc6EAEN1KdHPVmBpk1y6pkRSRlXb6MHWN8akXqwhl/ldfxVDSVlR70SwIv FXrlAh3XnQQSwbTVx9ZcleO0jBlmg/+e9x8obGC76DYscpa+LlZvSbC+92Xupu9mahse jdFBzTCUWHEp3JOvAX3QdGRA+rBOZJzbGwpsrw+gEakuI9O/sA1zrII7f3PxEFJywaKG 1WVQIMv2Upi+PBl6br/L/TpNAnZINC6d8PfY223p8CkZvzXSiVdg36FXXt9B9y9Oa+ys /BVWxQrZGz8r9iGLioL70he5udmLjrNkizerAk2QuMxvod7PlF5gywAlXx0bxT/InFCN fIwQ==
X-Gm-Message-State: AOAM5305px7/U0LFbuMzF4zMYAFpzKEfC0xIiI6iUvD9H5nzPppYTrl7 M2WxPos8tNhUEWxyprtBtio2mA4VnxWMLCIc7G3WjQdy3IaJsQ==
X-Google-Smtp-Source: ABdhPJzIQ0DttwiuWTnr/8OaTYuCWOuomul2o1AjwmhbaD1PU/sp7/cGkDX7WbnETNUcq/mQL4iuibgZc5e18AO3x8s=
X-Received: by 2002:ad4:41c9:: with SMTP id a9mr19951427qvq.171.1597772224471; Tue, 18 Aug 2020 10:37:04 -0700 (PDT)
MIME-Version: 1.0
References: <7d7283b6-8c70-d045-81c2-f552219869ad@wickr.com> <CABP-pSSBcf_BUXPp=uxWMpBviBday8-utGzo=ksPG4Ei=_x3ag@mail.gmail.com> <7abf555f-a266-f62f-2a22-8b0f389304d5@wickr.com>
In-Reply-To: <7abf555f-a266-f62f-2a22-8b0f389304d5@wickr.com>
From: Brendan McMillion <brendan@cloudflare.com>
Date: Tue, 18 Aug 2020 10:36:53 -0700
Message-ID: <CABP-pSSzZnqaB95RreekLJ2Fx_HZP4X4CuL0RU6_wRqNEVO+3w@mail.gmail.com>
To: Joel Alwen <jalwen@wickr.com>
Cc: Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dfdd9d05ad2a5522"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/F_KXbwh1WgdyTjnRrLGWddUIitw>
Subject: Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2020 17:37:08 -0000

I actually describe in the thread I linked how to take a standard FS
signature and turn it into a PCS signature. While it's baked into the
primitive, essentially what's happening is that every time Alice sends an
Update, she generates a new signing key and certifies it with her old
signing key before discarding the old signing key. So if Alice's Update is
accepted by the group, anyone who compromised the old signing key can't
sign new messages because they don't have the private key of the *new*
signing key.

On Tue, Aug 18, 2020 at 9:55 AM Joel Alwen <jalwen@wickr.com> wrote:

> > My objection to this is that Alice can still be impersonated by members
> in the group, if we only have symmetric forward-secure authentication.
>
> I'm missing how FS sigs (or any other FS auth primitive) helps. My
> understanding
> is FS auth primitives prevent leaked keys from being used to authenticate
> messages in *past* time periods. But the attack involves signing messages
> for
> time periods (epochs) after the leak occurred not before the leak. Imagine
> we
> could deterministically ratchet sig key pairs forward much like we can MAC
> keys.
> We'd have an FS sig scheme but I dont see how this fixes the problem.
>
> Which is not to say that FS sigs dont solve an auth problem for MLS. Just,
> AFAIK, not this one. (Rather they help prevent forgeries in bygone epochs.)
>
> What I do agree with is that other group members (that know Alice's sig
> key) can
> still impersonate her in future epochs till she updates the key. The same
> is
> true when sending MLSCiphertexts.
>
> Unfortunately, for epochs between when Alice's state is leaked and when
> Alice
> finally updates her (authentication specific) asymmetric key material I
> see no
> way around this. It seems inherent to the adversarial model since other
> group
> member know and can do everything Alice can during those epochs.
>
> One thing we could look at are PCS signatures. Something like the
> Updateable PKE
> scheme in the RTreeKEM work. Namely every time you sign you also
> re-randomize
> your signing key (or simply sample new ones). That way leaking your old key
> doesnt let me sign under your re-randomized new key just like in UPKE
> leaking
> your old decryption key doesnt let me read ciphertexts encrypted to your
> re-randomized new key. Make sense?
>
>
> - Joël
>
>
> On 18/08/2020 18:34, Brendan McMillion wrote:
> >     So to that end, how
> >     about we modify MLS such that MLSPlaintext packets coming from group
> members
> >     must also be authenticated using something from the application key
> schedule.
> >
> >
> > My objection to this is that Alice can still be impersonated by members
> in the
> > group, if we only have symmetric forward-secure authentication.
> >
> > There's been some discussion in the past about using forward-secure
> signatures
> > that might be worth looking into instead, which would fully address this
> attack
> > vector:
> https://mailarchive.ietf.org/arch/msg/mls/o3fmIul_4s6STmnqmz514cjADpw/
> >
> >
> > On Tue, Aug 18, 2020 at 7:36 AM Joel Alwen <jalwen@wickr.com
> > <mailto:jalwen@wickr.com>> wrote:
> >
> >     Hey everyone,
> >
> >     Something thats been bugging Marta Mularczyk and Daniel Jost and me
> for a bit
> >     now is that handshake messages sent out as MLSPlaintext packets are
> only
> >     authenticated using signatures, but not using the group's key
> schedule. For
> >     non-members that makes sense but for group members that's weaker
> than need be.
> >
> >     Suppose Alice is in a group using signing key pair (spk, ssk). I
> corrupt her to
> >     learn ssk. Now I loose access to her device again. Later she
> generates a fresh
> >     key package with her same spk but a new HPKE key for her leaf. She
> sends out and
> >     update proposal for her new key package and someone commits to the
> update.
> >
> >     Expected result: she (and the group at large) has achieved PCS again.
> >
> >     Actual result: using her stolen ssk I can still forge a new
> proposal's (sent as
> >     MLSPlaintext packets) coming from Alice. Some things I could do with
> this power:
> >      - I can generate a new key package kp for Alice using her spk and
> some HPKE key
> >     she doesn't know. Then I forge an update proposal for Alice with kp.
> If it gets
> >     committed I've effectively kicked her out of the group.
> >      - I could forge Add's and Remove's coming from Alice, so I could
> trick the
> >     group into thinking Alice is trying to Add my account to the group
> or remove
> >     some other group member.
> >
> >     Lemme know if I've missed something here in that scenario...
> >
> >
> >     If I didn't miss anything and the attacks really work as advertised
> then IMO
> >     this is kinda weak sauce and worth avoiding if possible. So to that
> end, how
> >     about we modify MLS such that MLSPlaintext packets coming from group
> members
> >     must also be authenticated using something from the application key
> schedule.
> >     Now the above attacks fail. As soon as Alice's update is gets
> committed I no
> >     longer know the group's key schedule and so can't forged packet from
> Alice. More
> >     generally, this brings the PCS guarantees when using MLSPlaintexts
> frameing in
> >     line with what we're getting from MLSCiphertext packets.
> >
> >     Any thoughts?
> >
> >     - Joël
> >
> >
> >
> >     PS. For concreteness, we could probably extend the current mechanism
> for getting
> >     concistancy (the confirmation_tag) to also provide symmetric key
> authentication.
> >     E.g. include most of the MLSPlaintext content into whats being
> tagged by
> >     confirmation_tag. That would cover the case of a commit packet and
> doesn't even
> >     grow the size of MLSPlaintext packets over the current design.
> >
> >     For a proposal packet we could also have a confirmation_tag but this
> one is
> >     computed using the *current* epoch's confirmation_key and
> >     confirmed_transcript_hash.
> >
> >     _______________________________________________
> >     MLS mailing list
> >     MLS@ietf.org <mailto:MLS@ietf.org>
> >     https://www.ietf.org/mailman/listinfo/mls
> >
>

v2.23.0 | Report a Bug | By Email