Re: [MLS] Unpredictable epochs?
Richard Barnes <rlb@ipv.sx> Mon, 22 April 2019 22:50 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0EF6120177 for <mls@ietfa.amsl.com>; Mon, 22 Apr 2019 15:50:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id APrJl1UnrzDS for <mls@ietfa.amsl.com>; Mon, 22 Apr 2019 15:50:06 -0700 (PDT)
Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com [IPv6:2607:f8b0:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5042120168 for <mls@ietf.org>; Mon, 22 Apr 2019 15:50:06 -0700 (PDT)
Received: by mail-ot1-x330.google.com with SMTP id 64so11060966otb.8 for <mls@ietf.org>; Mon, 22 Apr 2019 15:50:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XSdy/Ssoymxp5+GJ8rAQy+exF9AZi+jm4o4OoZC39NM=; b=cWOQy2DJPpy8NJD+vjmYRs3ULbkifZo1WJQDbSy3/9UI06sF51Bmb5Xr9BmrbZpnz6 Negsua13KvDhB/VQ9n1DVrHh3HeKYPhgmpeMntqDgdjtXBVInxjTfNas+noiOnQrJuol K3RLA6gqMr6ZV8zJbGlxn2g5HqNLYIoDbiyxTNZS+YVFiEwEQyvTx4g54KHDNThJSbMZ ZwdsDZ//Jwd779FxHJa8MKagNEuSCPOjFfec0Ybutfsf7vno/i17o+48NPspaEp5Vcl1 6tHfwtUOhMUaWfGb+1zNNxnijZZU+D08ClWBc0NHQ1ur4tBoXTwekDRtVZQMeDOL0b8+ pRtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XSdy/Ssoymxp5+GJ8rAQy+exF9AZi+jm4o4OoZC39NM=; b=gaOelS/Cusaif/VCbjHnY9N9IoUJJi4cpqrevWwf961mAxMB8+yyxQCEz2gVX45X9N oT9r/DPcl7ksvr7RSyC+RBvK0+GoF71JxTVVINRJQlkMk0WdmyYHdiMEJKrOd4Dw3rOV qy4k++S+4Tgovf6kkWdXKiUZFhO5i+ecQLDpU3+H7Tx73d7HMIzegjFAkXBUDCXnv/4Y BDlG3esUfKFffoQlGWzoXZh7LvHJhwS6sRudjqToJLtkx/Opw+i+Bzw+qSVyuaD93QUx TgMo2OBY7SaD57wUeI3FMaTOGtcP5FoAM5Mg9h3GU0XE4O5mQo97CAo1HiWoCkayLMTa X7IA==
X-Gm-Message-State: APjAAAWc48AcTSQ47V2tLJ8Ja9fcovh263CRL+2akLLQnrsTCFOUqw4n gMXJmYgqObZE/jHAic3I5sIipqtmowJ4BmKXBgn7qQ==
X-Google-Smtp-Source: APXvYqyZdhw/HI8BeZgfEVEKZU72pCsf0FQ0XK9rISQVoIzCnSrQnvz5sNaoGL2B7yCECAIkBfnB45ra85Zw3RL8LXY=
X-Received: by 2002:a9d:518e:: with SMTP id y14mr12943742otg.23.1555973405925; Mon, 22 Apr 2019 15:50:05 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgSE1xTF2Wsq-u=BCu2Z_4UzMzqMPi=D_H7_7hbRpUMVVA@mail.gmail.com> <2D195D14-9F9A-4D64-92EF-35C601C52C01@inria.fr>
In-Reply-To: <2D195D14-9F9A-4D64-92EF-35C601C52C01@inria.fr>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 22 Apr 2019 18:49:46 -0400
Message-ID: <CAL02cgR8gQ6cH_QXd_9v46aJ5aeo=b=1GiYu9YxCNYzJb0tOFQ@mail.gmail.com>
To: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
Cc: Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000023f5290587264a37"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/KYoKdSzPX4AVGAdWeV305nuczTU>
Subject: Re: [MLS] Unpredictable epochs?
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Apr 2019 22:50:09 -0000
True, you could have one unpredictable identifier that identifies both the group ID and the epoch. I like how that looks on the wire, but would require a bit more bookkeeping in clients. I might be inclined to go ahead and land an unpredictable-epoch PR in -05 (since that's a pretty small change), then look at folding in the group ID later. --RLB On Mon, Apr 22, 2019 at 6:42 PM Benjamin Beurdouche < benjamin.beurdouche@inria.fr> wrote: > Side note before I forget. After merging the common framing, the only two > things potentially remaining in the clear will be the group identifier and > the epoch number (because we need those to pick the group key necessary to > decrypt the sender info). Raphael and I talked about adopting a similar > approach but generating an ephemeral Group Id at the same time. That could > help a bit on the meta data protection side by making it harder for an > adversarial DS to be able to correlate messages in delivery queues across > groups and across epochs. The fact that this might be useful or not depends > a lot on architecture assumptions though.... > > B. > > On Apr 23, 2019, at 12:11 AM, Richard Barnes <rlb@ipv.sx> wrote: > > Hey all, > > As I've been working with Benjamin on updating and landing the common > framing PR, I noticed that the epoch is still exposing more information to > the DS than it needs to. > > Right now, the epoch just increments by one every time the epoch changes. > This lets the DS track epochs statelessly -- it can take any two messages > and see which was before the other, without the need for any ongoing > tracking. > > However, the epoch only needs to be intelligible to members of the group, > so we could generate epoch values in a way that would only be intelligible > to members. For example [1]: > > epoch_[n] = HKDF-Expand-Label(some_secret_for_epoch_[n], epoch_[n-1], > "epoch", 4) > > That way, the DS could observe epoch changes, and observe how many > messages were sent within each epoch. But it wouldn't be able to > understand the sequence unless it tracked things all along. > > A side benefit of this is that it allows the group to have forks in its > history more cleanly, since different forks will have different epoch > numbers. That could allow some softness in the ordering requirement, as > long as the group can eventually figure out which branch is the right one > [2]. > > Does this seem worthwhile to people? The cost is a few extra hashes. To > me, the completeness/consistency seems like a marginal benefit, but the > clean forking seems pretty convincing. If folks think this worthwhile, I'm > happy to write up a PR. > > Thanks, > --Richard > > > [1] I would probably keep epochs at 4 bytes, because any more seems > wasteful. > [2] > http://mycours.es/gamedesign2012/files/2012/08/The-Garden-of-Forking-Paths-Jorge-Luis-Borges-1941.pdf > > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls > >
- [MLS] Unpredictable epochs? Richard Barnes
- Re: [MLS] Unpredictable epochs? Benjamin Beurdouche
- Re: [MLS] Unpredictable epochs? Richard Barnes
- Re: [MLS] Unpredictable epochs? Benjamin Beurdouche
- Re: [MLS] Unpredictable epochs? Richard Barnes
- Re: [MLS] Unpredictable epochs? Michael Rosenberg
- Re: [MLS] Unpredictable epochs? Richard Barnes
- Re: [MLS] Unpredictable epochs? Benjamin Beurdouche
- Re: [MLS] Unpredictable epochs? Richard Barnes
- Re: [MLS] Unpredictable epochs? Benjamin Beurdouche
- Re: [MLS] Unpredictable epochs? Jon Callas
- Re: [MLS] Unpredictable epochs? Benjamin Beurdouche
- Re: [MLS] Unpredictable epochs? Richard Barnes
- Re: [MLS] Unpredictable epochs? Richard Barnes
- Re: [MLS] Unpredictable epochs? Kelvin Ritland
- Re: [MLS] Unpredictable epochs? Raphael Robert
- Re: [MLS] Unpredictable epochs? Richard Barnes
- Re: [MLS] Unpredictable epochs? Brendan McMillion
- Re: [MLS] Unpredictable epochs? Richard Barnes
- Re: [MLS] Unpredictable epochs? Brendan McMillion