Re: [MLS] PSK Injection, Group recovery, Re-Init, Sub-group Branching (#336)
Konrad Kohbrok <konrad.kohbrok@datashrine.de> Mon, 10 August 2020 05:57 UTC
Return-Path: <konrad.kohbrok@datashrine.de>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCA053A13F5 for <mls@ietfa.amsl.com>; Sun, 9 Aug 2020 22:57:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pITpLx-M2ROl for <mls@ietfa.amsl.com>; Sun, 9 Aug 2020 22:57:53 -0700 (PDT)
Received: from mout-p-101.mailbox.org (mout-p-101.mailbox.org [IPv6:2001:67c:2050::465:101]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D97FF3A13F7 for <mls@ietf.org>; Sun, 9 Aug 2020 22:57:52 -0700 (PDT)
Received: from smtp2.mailbox.org (smtp2.mailbox.org [80.241.60.241]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4BQ4xn4zbCzKmtQ for <mls@ietf.org>; Mon, 10 Aug 2020 07:57:49 +0200 (CEST)
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from smtp2.mailbox.org ([80.241.60.241]) by gerste.heinlein-support.de (gerste.heinlein-support.de [91.198.250.173]) (amavisd-new, port 10030) with ESMTP id XK3LHyR37CDQ for <mls@ietf.org>; Mon, 10 Aug 2020 07:57:45 +0200 (CEST)
To: mls@ietf.org
References: <CAL02cgTxm+OMRHvXk_34MAxk5bgit_kpkW81wigGPZriKFtebw@mail.gmail.com> <BFD5B4F7-3617-41AD-811F-C6C49A803983@nps.edu> <710ba832-c77c-58d2-a7b4-b8dc8eaf09e3@datashrine.de> <d3c4ca24-504b-f167-f733-bf8ae5bb1d00@datashrine.de> <CAL02cgS_xVANTvYn+pHq69CZUi4nJPgnayRp6OORXmt+k2Kn0w@mail.gmail.com> <CAL02cgRMtZgc6vfcSjMzWQ1wguXB-764BaRn6X8qBa=gB9iLdA@mail.gmail.com> <CAL02cgStRwiFpZ8A6-puRFW+C8u6FyMod1oTesntyGQryS8vjw@mail.gmail.com>
From: Konrad Kohbrok <konrad.kohbrok@datashrine.de>
Message-ID: <3e2aeaba-4413-9545-f49d-2266d9b08f3b@datashrine.de>
Date: Mon, 10 Aug 2020 07:57:44 +0200
MIME-Version: 1.0
In-Reply-To: <CAL02cgStRwiFpZ8A6-puRFW+C8u6FyMod1oTesntyGQryS8vjw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: de-DE
Content-Transfer-Encoding: 8bit
X-MBO-SPAM-Probability:
X-Rspamd-Score: -6.66 / 15.00 / 15.00
X-Rspamd-Queue-Id: 345B217B0
X-Rspamd-UID: 6200aa
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/GMmzNCUCb6iDHISC4S1tVKqUV4M>
Subject: Re: [MLS] PSK Injection, Group recovery, Re-Init, Sub-group Branching (#336)
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2020 05:57:58 -0000
I think the question Extension vs. Proposal will come up again at some point in the future, for example when we introduce the next generation of TreeKEM-like primitive. So maybe it would be worth taking a more methodical approach and tackle the problem now rather than later, when we already have a bunch of extensions that would better fit as proposals. But I don't have too strong an opinion on this and if the rest of the group would prefer getting on with finalizing the spec, then that is ok by me. I just think that that complexity will come sooner or later. Konrad On 07.08.20 18:05, Richard Barnes wrote: > Konrad, Britta and I just sync'ed up and drafted a plan of action on these issues: > > - For Commit Extensions (#366), PR#369 is fine, we'll focus on landing that > - Konrad/Britta are going to draft a new PR for how PSK are signaled and > included in the key schedule, using a Commit extension (#367) > - For simplicity given that PSKs are optional, injection will be in two > phases: (1) combine the PSKs into a derived_psk and (2) inject the derived_psk > into the key schedule > - So some of the nPRF stuff might get pulled in for that first stage > - PR#336 will get refocused on defining how resumption is done using the PSK > mechanism (#368) > - Konrad/Britta will either make a new PR for Authentication Codes (or whatever > we call them) or keep them in #336 > > One significant design question for the group: Should we have a Proposal that > allows group members to request that a PSK be injected? > > On the one hand: > - Having a Proposal would bring the full PSK lifecycle within the scope of MLS. > In particular, the request would be authenticated within the group and included > in the transcript. > - If the DS wants to instruct the group to inject a PSK, they could re-use the > proposal-from-outside machinery that already exists > > On the other hand: > - It's not clear that including the request for a PSK in the transcript is all > that useful (as opposed to just the instruction to use it) > - We would probably want to solve the general problem of new proposals (#383) if > we do this, which is a nontrivial amount of complexity > > Overall, my inclination is to not have a Proposal, since the benefits of extra > authentication don't seem to merit the complexity. But feedback from others > would be useful here. > > --Richard > > On Tue, Jul 28, 2020 at 1:37 PM Richard Barnes <rlb@ipv.sx> wrote: > > Actually, noticed one thing that isn't accounted for in that list: > > Derive an "authentication secret" > https://github.com/mlswg/mls-protocol/issues/374 > > A fun question for the list is what we should call these things, since there > are a bunch of terms in the prior art, for example: > > - Authentication secret [PR#336] > - Short authentication string [ZRTP, TLS] > - Safety numbers [Signal] > - Security codes [Zoom security whitepaper] > > Personally, I'm inclined against things that include "authentication", since > the thing we're defining here is a backstop to the primary Authentication > Service. Among the above list, "Security Codes" might be my favorite. > Otherwise, maybe something like "group state verifier"? > > > On Fri, Jul 24, 2020 at 6:39 PM Richard Barnes <rlb@ipv.sx> wrote: > > Picking this thread back up: > > I tried to encapsulate my approach to the issues here in a few GitHub > issues and one PR: > > Reorder key schedule inputs > https://github.com/mlswg/mls-protocol/issues/362 > > Add extensions to the Commit message > https://github.com/mlswg/mls-protocol/issues/366 > > Negotiate PSKs > https://github.com/mlswg/mls-protocol/issues/367 > > Proof of prior membership in the group / Resumption > https://github.com/mlswg/mls-protocol/issues/368 > > Konrad / Britta - I think those combine to cover the cases you were > trying to address in #366, but tease the issues apart a bit more > clearly. Does that make sense to you? What have I missed here? If > this general plan looks good, I think we can get the details arranged > and agreed fairly quickly, as these are each pretty self-contained > pieces of work. > > Thanks, > --Richard > > On Tue, Jul 14, 2020 at 12:37 PM Konrad Kohbrok > <konrad.kohbrok@datashrine.de <mailto:konrad.kohbrok@datashrine.de>> wrote: > > We just briefly touched upon this PR in the virtual interim on July > 14th and I > think we agreed that the discussion should be continued on the > mailinglist and > then tied up at the IETF 108 meeting. > > I think continuing the discussion on the mailinglist is a good idea, > however, > neither Britta nor myself are going to be present at the IETF 108 > meeting. Maybe > we can push the discussion to the next virtual interim meeting instead? > > Cheers, > Konrad > > > On 18.06.20 16:29, Konrad Kohbrok wrote: > > Hi, > > > > Just a small addition to Britta's response: > > > > For #3: We already mandate that the parent group must not be used > anymore if a > > Re-Init proposal is included in a commit in lines 2341-2342 of the > PR (although > > "to send messages" might as well be removed). We could also get > rid of the > > proposal and simply have the intent to re-initialize be implicit > in sending a > > Welcome message with a corresponding PSK Id. The idea behind the > Proposal was to > > make that intent explicit such that the intent, as well as the target > > ciphersuite and MLS version are all entered into the transcript > and thus agreed > > upon. Even though the group is terminated after the proposal is > received, this > > agreement can be verified by using the authentication key > technique that Britta > > proposed, i.e. each party can check that their authentication key > corresponds to > > the one the committer uploaded. > > > > I'm also ok with splitting it into multiple individual PRs if that > makes it > > easier to review and discuss. > > > > Cheers, > > Konrad > > > > > > On 18.06.20 04:07, Hale, Britta (CIV) wrote: > >> Hi Richard, > >> > >> > >> > >> Thank you for the comments and careful read of the PR. > >> > >> > >> > >> For #1/#2: I am amicable to the idea of adding an extension field > to the commit > >> message. As a general comment, we may want to consider if there > are other types > >> of commit extensions worth adding or, alternatively, how the > field may be abused > >> (e.g. treated as AD by an application). > >> > >> It terms of objection to the current form though, your argument > is not clear. > >> PSKIds should uniquely identify PSKs, and a joiner (or anyone) > should be able to > >> identify the correct PSK given the PSKId, if they are in > possession of it. PSKs > >> must only be used in an Add if the joiner is a past group member > (line 2055) and > >> therefore has the correct PSKId/group_id/psk_epoch, although this > is nullified > >> if we make the change discussed in #4. In that case, the issue > for Adds goes away. > >> > >> The PR already allows for a PSK in the Welcome message. > >> > >> > >> > >> For #3: Currently, in the PR, there is a recovery_secret derived > per-epoch. When > >> a member wants to re-initialize, they issue a Re-Init proposal. > They may then > >> re-initialize the group by sending a Welcome message (see lines > 1923, 1948, and > >> 2349) with the PSKId for the parent group/epoch and a psktype > that indicates > >> that they are re-initializing the group with the stated PSKId. So > this seems to > >> already be what you describe below as “have the initiator of the > child send a > >> Welcome that has a pointer back to the parent”. However, you are > right that more > >> detail can be added; in particular a requirement should be added > to terminate > >> the parent group and that the terminating member/re-init proposer > must also > >> create the new group. > >> > >> > >> > >> For #4: There was a discussion at the first virtual interim in > late April > >> (Interim #11-2020) wherein some expressed a desire for this > feature. Namely, > >> instead of re-syncing the entire group, there were use cases for > re-syncing the > >> odd member when necessary. Its inclusion in the PR arises from > that later > >> request. I am favorable to removing it since, from security > standpoint, it is > >> not ideal. However, the motivation for this was pushed from the > implementation > >> standpoint. Consequently, now is a good time for anyone to speak > up who wants to > >> push for this. > >> > >> > >> > >> > >> > >> One item: you made point of specifically requesting – a few times > – at the > >> virtual interims #11 and #12 in April/May that this PSK PR and as > many other key > >> schedule-related PRs be combined into a single one. Raphael made > a similar > >> request under git issue #325. In fact, the authors of this PR had > pushed back on > >> that insistence to limit the current PR down to the items it > currently covers, > >> instead of merging in other key schedule changes as well. Are you > saying that > >> you have changed your mind? > >> > >> We can, of course, accommodate a revised preference if needed. > >> > >> > >> > >> > >> > >> Britta > >> > >> > >> > >> > >> > >> > >> > >> *From: *MLS <mls-bounces@ietf.org <mailto:mls-bounces@ietf.org>> > on behalf of Richard Barnes <rlb@ipv.sx> > >> *Date: *Wednesday, June 17, 2020 at 3:54 PM > >> *To: *Messaging Layer Security WG <mls@ietf.org > <mailto:mls@ietf.org>> > >> *Subject: *[MLS] PSK Injection, Group recovery, Re-Init, > Sub-group Branching (#336) > >> > >> > >> > >> Hey all, > >> > >> Sorry for the late review on this PR, I have finally gotten a > chance to really > >> dig into it, and ... I have some concerns. My current thinking > is consistent > >> with my earlier comments that the general thrust of this PR is > OK. But I think > >> the actual approach needs to change a fair bit. > >> > >> As its title implies, this PR is trying to do several things at > once, which seem > >> to me to be fairly separable: > >> > >> 0. Update the key schedule so that PSKs are injected at the right > point and > >> multiple PSKs are supported > >> 1. Signal that a PSK should get injected into a given epoch > >> 2. Request injection of PSK at join / in Welcome > >> 3. Re-initialize the group with different parameters > >> 4. Re-sync group members that have lost state > >> > >> For the most part, I think these are worthwhile goals, but they > should be > >> accomplished in different ways than the PR proposes. Detailed > thoughts by > >> objective: > >> > >> > >> # 0. Update the key schedule so that PSKs are injected at the > right point and > >> multiple PSKs are supported > >> > >> This part of the PR is fine, but I think is ultimately done a bit > more elegantly > >> with the n-PRF stuff in #337. > >> > >> > >> # 1. Signal that a PSK should get injected into a given epoch > >> # 2. Request injection of PSK at join / in Welcome > >> > >> (These go together) > >> > >> The PR proposes (heh) an EPSK proposal or an Add proposal, but > then requires > >> that only one EPSK be used. I actually don't the proposal for > including PSKs in > >> Adds actually works. The joiner would have to know all of them > plus the EPSK, > >> and there's not even any syntax in the PR to tell the joiner > which ones to include. > >> > >> I would propose that instead we add an extensions field to the > Commit message, > >> then add a Commit extension that specifies the PSK ID for the PSK > to be added. > >> That extension can then also go in the Welcome message > corresponding to the > >> commit, so that joiners know to add the PSK. > >> > >> This change actually doesn't make a difference in terms of what > ends up in the > >> transcript -- either way, only the PSK ID selected by the > committer goes in the > >> transcript. It seems better not to deliberately have proposals > floating around > >> that never get included in the transcript. > >> > >> > >> # 3. Re-initialize the group with different parameters > >> > >> The PR proposes another proposal type for reinitialization, but > it's really > >> under-specified what you do to re-init. For example, what goes > in the ratchet > >> tree? Clearly you need a brand new tree, since the one you have > might be tied > >> to the wrong ciphersuite. What you really need is something like > a Welcome message. > >> > >> And that's how I think we should actually arrange things. > Instead of having the > >> parent group do something to spawn, have the initiator of the > child send a > >> Welcome that has a pointer back to the parent. So we have > another Welcome > >> extension (`parent_group`, say) that has a pointer to the parent > group by group > >> ID and epoch, and instructs the joiner to take a secret from that > group/epoch's > >> key schedule and add it into the new group's key schedule. > >> > >> > >> > >> # 4. Re-sync group members that have lost state > >> > >> We should not do these. At the January interim, we decided not > to drop the > >> resync issue (#93) given that there were some subtleties > depending on exactly > >> what state had been lost, and that it could be cleanly done in a > separate spec. > >> > >> > >> # Conclusions > >> > >> Given the above, I would propose we break this into separate > issues to be closed > >> with individual, smaller PRs. Assuming that (0) will get > addressed by the n-PRF > >> PR, that leaves us with: > >> > >> #XXX Add Extensions to the Commit message > >> #XXX Signal use of external PSKs in Commit/Welcome (=> extension to > >> Commit/Welcome messages) > >> #XXX Allow Welcome to signal the inclusion of information from a > prior group (=> > >> Welcome extension) > >> > >> Happy to write those up, and contribute to PRs. Sorry again for > the slow > >> progress here. > >> > >> --Richard > >> > >> > >> _______________________________________________ > >> MLS mailing list > >> MLS@ietf.org <mailto:MLS@ietf.org> > >> https://www.ietf.org/mailman/listinfo/mls > >> > > > > _______________________________________________ > > MLS mailing list > > MLS@ietf.org <mailto:MLS@ietf.org> > > https://www.ietf.org/mailman/listinfo/mls > > > > _______________________________________________ > MLS mailing list > MLS@ietf.org <mailto:MLS@ietf.org> > https://www.ietf.org/mailman/listinfo/mls > > > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] PSK Injection, Group recovery, Re-Init, Sub… Richard Barnes
- Re: [MLS] PSK Injection, Group recovery, Re-Init,… Hale, Britta (CIV)
- Re: [MLS] PSK Injection, Group recovery, Re-Init,… Konrad Kohbrok
- Re: [MLS] PSK Injection, Group recovery, Re-Init,… Konrad Kohbrok
- Re: [MLS] PSK Injection, Group recovery, Re-Init,… Richard Barnes
- Re: [MLS] PSK Injection, Group recovery, Re-Init,… Richard Barnes
- Re: [MLS] PSK Injection, Group recovery, Re-Init,… Richard Barnes
- Re: [MLS] PSK Injection, Group recovery, Re-Init,… Konrad Kohbrok