[MLS] Include signature in the confirmed transcript hash?

Marta Mularczyk <mumarta@ethz.ch> Thu, 17 September 2020 13:53 UTC

Return-Path: <marta.mularczyk@inf.ethz.ch>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04E733A0B30 for <mls@ietfa.amsl.com>; Thu, 17 Sep 2020 06:53:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SUH4rW_ZJKVP for <mls@ietfa.amsl.com>; Thu, 17 Sep 2020 06:53:00 -0700 (PDT)
Received: from mailg210.ethz.ch (mailg210.ethz.ch [IPv6:2001:67c:10ec:5606::21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A107A3A0100 for <mls@ietf.org>; Thu, 17 Sep 2020 06:52:59 -0700 (PDT)
Received: from mailm213.d.ethz.ch (2001:67c:10ec:5603::27) by mailg210.ethz.ch (2001:67c:10ec:5606::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2044.4; Thu, 17 Sep 2020 15:52:55 +0200
Received: from DESKTOPTGVF3SH (87.239.204.48) by mailm213.d.ethz.ch (2001:67c:10ec:5603::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2044.4; Thu, 17 Sep 2020 15:52:56 +0200
From: Marta Mularczyk <mumarta@ethz.ch>
To: <mls@ietf.org>
Date: Thu, 17 Sep 2020 15:52:54 +0200
Message-ID: <003401d68cf9$d7c5d420$87517c60$@ethz.ch>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0035_01D68D0A.9B4FB590"
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AdaM+cw1naH5WIHWRqeI4Wc/P/8Cgg==
X-Originating-IP: [87.239.204.48]
X-ClientProxiedBy: mailm112.d.ethz.ch (2001:67c:10ec:5602::24) To mailm213.d.ethz.ch (2001:67c:10ec:5603::27)
X-TM-SNTS-SMTP: D315CA99F55E2348E9524F6DDAE5672D981766048D83957E472F326600647B8E2000:8
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/Ij9zFRNlNqVksImFuWt0qeOSxG0>
X-Mailman-Approved-At: Thu, 17 Sep 2020 10:43:47 -0700
Subject: [MLS] Include signature in the confirmed transcript hash?
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2020 13:54:32 -0000

Hi all,

 �

Together with Joël Alwen and Daniel Jost, we noticed some unexpected (at least to us) effects of the way transcript hash is computed. What are your thoughts on this?

 �

Details: Say Alice and Bob each processes a commit packet and they end up with the same epoch secrets. Expected guarantee: agreement on the secrets implies being in sync -- agreement on the group state, and being able to continue progressing epochs.

Problem: the latter is false if the packets processed by Alice and Bob only differ in the signature string (it's easy to come up with many equivalent ECDSA signatures, given only the signer's public key). Now Alice and Bob agree on the confirmed_transcript_hash, and hence on the current secrets, but not on the interim_transcript_hash, so they won't agree on the next epoch secrets. Result: they will never accept the same commit (due to not matching confirmation_tag) and so they'll never be in sync in the next epoch.

 �

This can be solved by including the signature in the confirmed_transcript_hash and not signing the confirmation_tag (the tag is also not part of the transcript_hash). We claim that this doesn't affect security. Assume Alice sends a commit and the adversary intercepts the packet. Consider these 3 cases:

- if the adversary doesn't know the current epoch secrets, then he can't modify any part of Alice's packet (due to AEAD/MAC security of the message framing).

- if he knows the epoch secrets but not Alice's signing key, then the only thing he can, in principle, modify is the confirmation_tag. However, the tag is fully determined by the signed part of the commit (and the transcript history).

- if he knows both, then the adversary can already produce any packet he wants on behalf of Alice.

 �

An additional advantage of this solution is that it simplifies the protocol by removing the interim_transcript_hash.

 �

In detail, a commit now proceeds as follows:

1. construct the MLSPlaintext with the Commit object and confirmation_tag=0,

2. sign the MLSPlaintext and include the result in the confirmed_transcript_hash,

3. advance the key schedule and update the confirmation_tag in the MLSPlaintext.

 �

If the working group generally agrees on the above approach, we'll be happpy to draft a PR.

 �

Best,

Marta