IETF Logo Mail Archive

Re: [MLS] Improving entropy in MLS

Brendan McMillion <brendan@cloudflare.com> Tue, 30 March 2021 21:01 UTC

Return-Path: <brendan@cloudflare.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC59E3A0D2E for <mls@ietfa.amsl.com>; Tue, 30 Mar 2021 14:01:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DMfkulS-pOQz for <mls@ietfa.amsl.com>; Tue, 30 Mar 2021 14:01:26 -0700 (PDT)
Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 579CA3A0CFE for <mls@ietf.org>; Tue, 30 Mar 2021 14:01:26 -0700 (PDT)
Received: by mail-qk1-x735.google.com with SMTP id y5so17293492qkl.9 for <mls@ietf.org>; Tue, 30 Mar 2021 14:01:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xxxpqNxT8IisyHIqGIXlLT03J/bX4E0u/dV7vYwzZXs=; b=b4ZnFhxx+ADtpI6mnZpGZ3UBB0FJ06smE8MRNeebaD9/p+mWtkXKu4B4cL/2bxD/Xn 0ix4LtGuz1amD4eB+EJPyHQPk7NNpAFClXVTz7iJTEGn1BnELMx6CMfv9xLEfuCofdw9 WBJPSDbgkXiQupcC3jpcUROQQ0++47jJmb/QY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xxxpqNxT8IisyHIqGIXlLT03J/bX4E0u/dV7vYwzZXs=; b=lsSqv1ir4n2THXQKejAWSYWwDI15ChNwd230gpVq02cdB4EvT3XHhkUL+Vx8ulQ2sp b0upIo7SjcbH96+DcFWQ4XjARhRHiRQRLhAd8D3DnkOONLfC1BQvlQCiElxvXrCoe11N RruDWn9w7bCJg0U0cbb8VNHi8yzS8ULvhi1olgSkDaBRrEhn5OUAruAIkbUNZTtvRXQ9 ZNKOTWo7OhkomgGWTyD+CSW+UOEqN7JMhhKpwBFPLVNQ/Cfry15H6PpdYe8CtRj7HS1k M8YOnygijjqfceNIbMmW2aFRlJDhhX3nZAMKefjTd+qwp4xZTM+Rm1+b7tplz9Sn1Cbq Gvbg==
X-Gm-Message-State: AOAM5305ADQGqyrwr3WVqrU09XYLnf10fV0xy2Nt2HC48AvkccEu6cyS 4YzrcpHu3zmXqg5Vi8qmLiZgQ8h5GnrJrsqrU26ShA==
X-Google-Smtp-Source: ABdhPJyK+Ud3enxIHqMZK9YfX/ikFbakjuWd2b9wDvOKumhcuxa6k+37xSajrrnBbd5nqldE5fF9QDK+wn9LcPmcUiI=
X-Received: by 2002:a37:94f:: with SMTP id 76mr194435qkj.222.1617138084142; Tue, 30 Mar 2021 14:01:24 -0700 (PDT)
MIME-Version: 1.0
References: <1529628012.30519.1617089251424@office.mailbox.org> <DBED46A1-F3E3-4C79-B9C5-B13088F7B20D@inria.fr> <965197897.32483.1617096310176@office.mailbox.org>
In-Reply-To: <965197897.32483.1617096310176@office.mailbox.org>
From: Brendan McMillion <brendan@cloudflare.com>
Date: Tue, 30 Mar 2021 14:01:13 -0700
Message-ID: <CABP-pSRLXdiowmd-GO601fj3SLqVJAq92ULOsMCKi-9aVS12Eg@mail.gmail.com>
To: Konrad Kohbrok <konrad.kohbrok@datashrine.de>
Cc: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>, ML Messaging Layer Security <mls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000f001d05bec74d8b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/IDhlxUNhVBHRifNkjiFvbc8lqcQ>
Subject: Re: [MLS] Improving entropy in MLS
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Mar 2021 21:01:31 -0000

Hey Konrad

Thanks for writing this up. However, I feel pretty strongly opposed to this
idea, just as a matter of maintaining proper layers of abstraction. MLS
implementations aren't remotely the only things on a user's system that
require strong randomness, which is why every OS has its own CSPRNG. Those
CSPRNGs are going to be much more robust, better designed, and thoroughly
audited than anything we'd implement. Instead, it's more likely we'd have
MLS implementations do this incorrectly and introduce more
randomness-related vulnerabilities than we prevented.


On Tue, Mar 30, 2021 at 2:25 AM Konrad Kohbrok <konrad.kohbrok@datashrine.de>
wrote:

> Great questions. I really should have included our thoughts on the threat
> model.
>
> We don't assume the entropy pool to be more protected than any other
> secret in MLS.
>
> Functionally, we want the pool to allow the following:
> - a party should be able to accrue entropy over time using the OS's RNG
> - a party should be able to inject entropy from other sources (in
> particular secrets derived from the epoch_secret of any of the party's
> groups whenever a fresh commit comes in)
>
> Assuming the OS's RNG is really bad (e.g. it spits out only zeroes), then
> a party can still have decent entropy once it receives commits from groups
> that it is in. Any party that wants to predict the entropy in the pool
> would have to know every secret that is injected into the pool. That means
> that an adversary would have to compromise all of the party's groups to
> predict secrets extracted from the entropy pool.
>
> Of course, the pool will take some time to accrue entropy from various
> sources, so it doesn't help if the adversary is present from the start, but
> it will help if the adversary compromises a party later on. If that
> happens, then the compromised party can recover if the adversary misses
> (i.e. doesn't intercept and decrypt) any commit from another party after
> the compromise.
>
> Now we have to make sure that the design doesn't give us any disadvantages
> over just sampling from the OS's RNG every time we need fresh randomness.
>
> Let's assume full state compromise. Then
> 1) the adversary can't obtain entropy extracted from the pool in the past
> (because it's essentially a KDF-chain, just as the key schedule)
> 2) the adversary can't predict what entropy the client will extract in the
> future if one of the following is true:
>   - the OS's RNG is good
>   - a commit from a group arrives, where the group itself is not
> compromised
>   - any other external entropy gets injected that the adversary doesn't
> have access to (e.g. a signature from a secret key that is kept secure in
> an HSM)
>
> To summarize: It's no silver bullet against bad entropy in general, but
> it's cheap, no worse than just relying on the OS's RNG and provides a
> framework to accrue randomness over time from various sources even if the
> OS's RNG is bad/compromised and it allows parties to recover from
> compromise in that case.
>
> Hope that shed some light on things.
>
> Cheers,
> Konrad
>
>
>
> > Benjamin Beurdouche <benjamin.beurdouche@inria.fr> hat am 30.03.2021
> 09:53 geschrieben:
> >
> >
> > Hi all,
> >
> > I like this idea. I am not fully clear about the threat model, though.
> >
> > From reading this, it looks like we assume that the adversary that
> compromised a
> > principal doesn’t have complete control the entropy pool.
> >
> > This is in contrast over what we assume of the AEAD keys or even the KEM
> keys
> > where a full state compromise will gain access to the values.
> >
> > However it looks very close to the assumptions about additional
> protections for signing keys.
> > E.g., not directly accessible, and behind an interface that an adversary
> can query for certain operations
> > through an API (e.g. when is stored in an HSM, co-processor or a
> functional secure enclave).
> >
> > Am I reading this properly?
> > If yes, I can understand the value in this threat model, but we should
> make it clear that the
> > entropy pool has to get these additional protections to provide these
> good properties.
> >
> > Seems to me like a good improvement in all cases anyway, so I think we
> should consider it.
> >
> > Thanks!
> > Ben
> >
> > > On 30 Mar 2021, at 09:27, Konrad Kohbrok <konrad.kohbrok@datashrine.de>
> wrote:
> > >
> > > Hi everyone,
> > >
> > > MLS is a protocol that is very vulnerable to individual parties with
> bad randomness. For example, when a party joins a group, the secrecy of the
> group's key material relies on the quality of that party's key material.
> Similarly, when doing an external join, the groups entropy is completely
> replaced by that of the joining member.
> > >
> > > There are multiple ways to mitigate this threat and Joël and Sandro
> proposed a few of them in the following mail to the list:
> https://mailarchive.ietf.org/arch/msg/mls/ZR84smU5xeLrziNTk5W1P1Z1nQI/
> > >
> > > Concretely, there were two approaches: one that would be baked into
> the protocol (essentially using a secret derived from old path secrets to
> inject into new ones in addition to the current approach) and one that
> would mandate the use of an entropy pool.
> > >
> > > The ideas were discussed a bit at the time, but nothing has happened
> since then. Joël, Sandro and I have just opened a PR with a concrete design
> for an entropy pool that is modeled after the key schedule (
> https://github.com/mlswg/mls-protocol/pull/467). Concretely, it allows
> gathering entropy over time and for parties with a bad entropy source to
> profit from parties with a good one without compromising security.
> > >
> > > While for future iterations of MLS, we might want to consider a
> solution that is more integral to the protocol, we are aware that the
> authors want to avoid breaking changes at this point. With the entropy
> pool, we thus propose a solution that does not affect the protocol flow,
> but that still offers significant advantages over no mitigations at all.
> > >
> > > Cheers,
> > > Konrad
> > >
> > > _______________________________________________
> > > MLS mailing list
> > > MLS@ietf.org
> > > https://www.ietf.org/mailman/listinfo/mls
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>

v2.23.0 | Report a Bug | By Email