Re: [MLS] question about group contexts and deriving epoch secrets

Hubert Chathi <hubertc@matrix.org> Wed, 17 March 2021 23:53 UTC

Return-Path: <hubertc@matrix.org>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DC8F3A1844 for <mls@ietfa.amsl.com>; Wed, 17 Mar 2021 16:53:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_FAIL=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fq8QTyUicsAa for <mls@ietfa.amsl.com>; Wed, 17 Mar 2021 16:53:10 -0700 (PDT)
Received: from wforward3-smtp.messagingengine.com (wforward3-smtp.messagingengine.com [64.147.123.22]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44F0B3A1843 for <mls@ietf.org>; Wed, 17 Mar 2021 16:53:10 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailforward.west.internal (Postfix) with ESMTP id 6378E2089 for <mls@ietf.org>; Wed, 17 Mar 2021 19:53:05 -0400 (EDT)
Received: from imap22 ([10.202.2.72]) by compute1.internal (MEProxy); Wed, 17 Mar 2021 19:53:05 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=O+6U8M nZt0UujwHH8Ww6jNt2P7V1Ahr/1YaLZLGc0o0=; b=H6m1e2oBz1yh4M9KCEn/Q/ w20xKH3nHAx1DHODtiVIYpvGeR5Lo/Z0tQyVCwZrPrWLxbuZa0gqmueEXFqSuhGb YQYqp1R7fUynLcXyXdABckTEc70mOiSu9mjEFqHiD1ldx82uohyoYcoK4i//yh87 O5hoKbfDwc91iSizHA+5IejTRSMMKKZxK7I+jtpdlGUccK+FIQ1tfSZFCwvlW+ko +n7e0qe8xmdXGey8e8o7IHHQOcY1Y/CkFDj8BPndHvPbdMTpMVsVEOxehPxWVL/d 2LDqjZ2BAVhqqieSjvc1K3XIUUwArW7RuAOgkTu79lRk8U4J510sminFzmN4dl6A ==
X-ME-Sender: <xms:YJZSYBMwROl1Yk8qPuYAPKnZ1KN3sp8cUEkMY5PYp41CaUWNZKgiSA> <xme:YJZSYD-ms6ixMIF2mTvPGduPgAiq8M8PGUHAT_e0MxX5NsgI6T50RGEduEdLuaQ4Z DKaOFXUXn9oAOdpR_A>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudefhedgudegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsegrtd erreerreejnecuhfhrohhmpedfjfhusggvrhhtucevhhgrthhhihdfuceohhhusggvrhht tgesmhgrthhrihigrdhorhhgqeenucggtffrrghtthgvrhhnpeehvdetfefgjeejffffke etvdfhuedtgfdviedvvedtgeehgeevfedvuedthfeujeenucffohhmrghinhepihgvthhf rdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh ephhhusggvrhhttgesmhgrthhrihigrdhorhhg
X-ME-Proxy: <xmx:YJZSYAS7The0MLjEOUU47ae2BWde-WZ4ybXkEj3CGhGseE1mqD7M1w> <xmx:YJZSYNukHs03Q98EcIXRsspj0Jr2gw8OTCMJljP2_qu16ooYGM9JWw> <xmx:YJZSYJe3UP7pWIU4aORpZwzad8nvnEuDoHotKjWPRxtXrE2vbQjYkw> <xmx:YZZSYKqADPm63PMK263itznMHDZNMWMT95eU89KXXf3Nl5MAUtASfY3isVk>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 2139B62C0062; Wed, 17 Mar 2021 19:53:04 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-206-g078a48fda5-fm-20210226.001-g078a48fd
Mime-Version: 1.0
Message-Id: <882bde7a-57ce-45e1-ba17-8c50868eb8b7@www.fastmail.com>
In-Reply-To: <4f956d6b-87c4-44ad-b9d4-1a810c9c0170@www.fastmail.com>
References: <107abb03-e620-43ed-ac75-034ab6ed1ff4@www.fastmail.com> <8E3FEF5E-F5B5-4B58-A5BD-2464383C245A@wire.com> <924f2f66-795c-4149-b5bf-dd61bf99e678@www.fastmail.com> <CAL02cgS_feKFwkarCQ=M649KAZSGznVnAF0OoRw20FBE4f5+Vw@mail.gmail.com> <4f956d6b-87c4-44ad-b9d4-1a810c9c0170@www.fastmail.com>
Date: Wed, 17 Mar 2021 19:52:43 -0400
From: "Hubert Chathi" <hubertc@matrix.org>
To: mls@ietf.org
Content-Type: multipart/alternative; boundary=c63274b97f114c96a11d2501e7dfcc0f
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/HmwcJ6PKS_lPAVyzoLOBDoJTSTg>
Subject: Re: [MLS] question about group contexts and deriving epoch secrets
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Mar 2021 23:53:12 -0000

I've managed to re-read the sections in question.  I think the issue is that the current draft says that when you ratchet forward the key schedule, you use the provisional GroupContext (Line 2638 and 2664), whereas in your email, you say you should use the GroupContext for the new epoch.  Using the provisional GroupContext is problematic because AFAICT, new users don't have enough information to derive the provisional GroupContext, but using the "new" GroupContext should be fine.  So if it is indeed supposed to be the "new" GroupContext that is used, I can prepare a PR to fix it (or just tack it on to my currently-open #454).

Hubert

On Fri, 5 Mar 2021, at 17:52, Hubert Chathi wrote:
> Hi Richard,
> 
> Thanks for responding.  I think that more-or-less matches my understand of how it was supposed to work, which means that I think that the joiner is missing some information.  But it's been a while since I've looked at it, and I'll have to double-check.
> 
> Hubert
> 
> On Wed, 3 Mar 2021, at 14:32, Richard Barnes wrote:
>> Thanks for raising this, Hubert, I agree that it's ambiguous in the  current text, but I think there is a solution here that we just need to clarify :)  Basically, I think the "provisional" GroupContext morphs into the "new" GroupContext over the course of generating / applying a commit.  Let me try to articulate my theory of how things work here, then if that makes sense, we can try to turn it into spec text.
>> 
>> The joiner side seems unambiguous.  The joiner gets the GroupContext for the epoch in which they're added -- in fact, the GroupInfo carried in a Welcome is basically just a signed GroupContext.
>> 
>> When creating / verifying a Commit, you need a GroupContext at three points:
>> 1. When you encap/decap the UpdatePath
>> 2. When you ratchet forward the key schedule
>> 3. When you sign the MLSPlaintext of the Commit
>> 
>> All three of these need to be different:
>> * Case (3) uses the GroupContext from the old epoch, i.e., the one that corresponds to MLSPlaintext.epoch, so that recipients can verify the signature before processing the message
>> * Case (2) uses the GroupContext for the new epoch, after the proposals and UpdatePath have been applied, so that joiners can compute the epoch_secret
>> * Case (1) uses a "provisional" GroupContext that  captures the state of the tree at the time the UpdatePath is computed:
>>     * epoch = old_group_context.epoch + 1
>>     * tree_hash reflects the tree with proposals applied
>>     * group_id, confirmed_transcript_hash, and extensions stay the same
>> 
>> Looking at this in chronological order for the Commit generator:
>> * Cache the old GroupContext for use in signing later
>> * Apply proposals to the tree
>>     => provisional GroupContext
>>     => compute UpdatePath using provisional GroupContext
>> * Sign Commit using old GroupContext 
>>     => update confirmed_transcript_hash
>>     => new GroupContext
>>     => epoch_secret
>>     => confirmation_tag
>> 
>> Does that make sense to you?
>> 
>> --RLB
>> 
>> 
>> On Tue, Feb 9, 2021 at 6:46 PM Hubert Chathi <hubertc@matrix.org> wrote:
>>> On Tue, 9 Feb 2021, at 04:56, Raphael Robert wrote:
>>> > I think “new GroupContext” and “provisional GroupContext” are synonyms.
>>> 
>>> I'm not so sure about this.  The "provisional GroupContext" is created after applying the proposals (line 2532), but before the UpdatePath is applied to the tree (line 2559).  Whereas, from what I understand, new members are only given the tree after the UpdatePath is applied, which would give a different tree_hash and hence GroupContext.  I don't know if I'm just misunderstanding something.
>>> 
>>> > Creating the Commit:
>>> >  - Use the confirmed transcript hash (old intermediate transcript hash 
>>> > combined with new commit content from current MLSPlaintext)
>>> >  - Create new provisional GroupContext with new provisional epoch (old 
>>> > epoch  + 1), new tree hash (after proposals were applied to old tree) 
>>> > and confirmed transcript hash from above
>>> > 
>>> > Applying a Commit as an existing member:
>>> >  - Same as creating a Commit
>>> > 
>>> > Joining a group from a Welcome message:
>>> > - Create GroupContext with epoch from GroupInfo, tree hash from 
>>> > GroupInfo and confirmed transcript hash from GroupInfo
>>> > 
>>> > Does that answer the question?
>>> > 
>>> > If you think the spec is wrong/confusing feel free to file a PR.
>>> 
>>> Yes, once I manage to understand what's going on, I plan on filing a PR.
>>> 
>>> > 
>>> > Raphael
>>> > 
>>> > > On 9. Feb 2021, at 00:45, Hubert Chathi <hubertc@matrix.org> wrote:
>>> > > 
>>> > > When deriving the epoch secret, you do "ExpandWithLabel(., "epoch", GroupContext_[n], KDF.Nh)", so you need a GroupContext.  As far as I can tell, there appears to be a contradiction about which GroupContext to use: in the "Key Schedule" section (Line 1404), it says to use "The GroupContext object for current epoch", but in the "Commit" section under the part talking about a group member who applies a Commit message (Line 2660), it says to use the provisional GroupContext.  (The part talking about the group member who creates the Commit message doesn't say which GroupContext to use.)  If we are supposed to use the "new" GroupContext (after applying both the proposals and the update), but if we are supposed to use the provisional GroupContext, then I don't think that a new member has access to the tree_hash or confirmed_transcript_hash to create the GroupContext needed to derive the epoch secret.  So it seems like the "new" GroupContext should be correct, but Line 2660 is pretty expli
>>> > > cit about using the provisional GroupContext.
>>> > > 
>>> > > _______________________________________________
>>> > > MLS mailing list
>>> > > MLS@ietf.org
>>> > > https://www.ietf.org/mailman/listinfo/mls
>>> > 
>>> > _______________________________________________
>>> > MLS mailing list
>>> > MLS@ietf.org
>>> > https://www.ietf.org/mailman/listinfo/mls
>>> >
>>> 
>>> _______________________________________________
>>> MLS mailing list
>>> MLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/mls
> 
> _______________________________________________
> MLS mailing list
> MLS@ietf.org <mailto:MLS%40ietf.org>
> https://www.ietf.org/mailman/listinfo/mls
>