[MLS] long term identity key rotation suggestion

"Owen Friel (ofriel)" <ofriel@cisco.com> Wed, 20 November 2019 08:36 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: "mls@ietf.org" <mls@ietf.org>
Date: Wed, 20 Nov 2019 08:36:09 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/LN9HlDvQGRS5A0afqnampxBDA50>
Subject: [MLS] long term identity key rotation suggestion

There is currently no mechanism defined in https://tools.ietf.org/html/draft-ietf-mls-protocol-08 for long term identity key rotation. Richard and I have been thinking about how we could address this and here is a suggestion that could work.

The genesis of the idea is that as a client can Add and Remove other parties from a group, a client with both an existing long term identity key (LTIK) that is in a group, and a new LTIK that is not in the group, could Add the new LTIK to the group, and then the client uses the new LTIK to Remove the old LTIK from the group. Working through that, it quickly collapses into a single Update message.

It ends up looking something like this (where CIK = ClientInitKey):

Client starts with:

LTIK-0
CIK-0 signed by LTIK-0
LTIK-0 and CIK-0 public key are in a group LeafNodeInfo.

Client then:

Generates new LTIK-1 and interacts with AS to get new LTIK-1 attested/signed.
Generates CIK-1 and signs it using LTIK-1
Interacts with DS to get LTIK-1/CIK-1 public keys published.

Then the client:

Sends Update Proposal message, signed by LTIK-0, which includes CIK-1, as opposed to just an HPKEPublicKey.
Updates DirectPath
Sends Commit message, signed by LTIK-0, which includes new DirectPath

Receiving clients need to:

Check that the Update is signed by LTIK-0 and that LTIK-0 is trusted
Check that CIK-1 is signed by the embedded LTIK-1
Check that LTIK-1 is trusted
Update the sender's LeafNodeInfo with LTIK-1 and CIK-1 public key

Subsequent messages sent by the client are signed using LTIK-1.

Thoughts?
Owen
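
The receiver-side checks proposed in the message above, sketched in Go as an added example that is not part of the original message or of any MLS implementation. It assumes Ed25519 as the signature scheme; the struct layouts, `Rotate`, `ApplyUpdate` and the `trusted` callback (standing in for the AS attestation check) are hypothetical simplifications, not the draft's wire format.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Simplified, hypothetical stand-ins for the draft's structures (not MLS wire format).
type CIK struct{ InitKey, Identity, Sig []byte } // ClientInitKey signed by its LTIK
type Leaf struct{ Identity, InitKey []byte }     // sender's LeafNodeInfo at a receiver
type Update struct {                             // carries CIK-1, signed by LTIK-0
	NewCIK CIK
	Sig    []byte
}

func (c CIK) tbs() []byte { return append(append([]byte{}, c.Identity...), c.InitKey...) }

// Rotate is the client side: sign CIK-1 with LTIK-1, then sign the Update with LTIK-0.
func Rotate(ltik0, ltik1 ed25519.PrivateKey, initKey []byte) Update {
	c := CIK{InitKey: initKey, Identity: ltik1.Public().(ed25519.PublicKey)}
	c.Sig = ed25519.Sign(ltik1, c.tbs())
	return Update{NewCIK: c, Sig: ed25519.Sign(ltik0, append(c.tbs(), c.Sig...))}
}

// ApplyUpdate runs the receiver's checks in order; the leaf rotates only if all pass.
func ApplyUpdate(leaf *Leaf, u Update, trusted func([]byte) bool) error {
	c := u.NewCIK
	switch {
	case !trusted(leaf.Identity) || !ed25519.Verify(leaf.Identity, append(c.tbs(), c.Sig...), u.Sig):
		return errors.New("update not signed by a trusted LTIK-0")
	case len(c.Identity) != ed25519.PublicKeySize || !ed25519.Verify(c.Identity, c.tbs(), c.Sig):
		return errors.New("CIK-1 not signed by the embedded LTIK-1")
	case !trusted(c.Identity):
		return errors.New("LTIK-1 not trusted")
	}
	leaf.Identity, leaf.InitKey = c.Identity, c.InitKey
	return nil
}

func main() { // constructed keys; the trust callback accepts only these two LTIKs
	pub0, ltik0, _ := ed25519.GenerateKey(nil)
	pub1, ltik1, _ := ed25519.GenerateKey(nil)
	ok := map[string]bool{string(pub0): true, string(pub1): true}
	leaf := Leaf{Identity: pub0}
	u := Rotate(ltik0, ltik1, []byte("constructed init key"))
	err := ApplyUpdate(&leaf, u, func(k []byte) bool { return ok[string(k)] })
	fmt.Println("rotated:", err == nil && string(leaf.Identity) == string(pub1))
}
```

Once the leaf holds LTIK-1, an Update signed by LTIK-0 fails the first check, which matches the message's last step that subsequent messages are signed using LTIK-1.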