Re: [MLS] Double-use of the same key

Chris Brzuska <chris.brzuska@aalto.fi> Thu, 20 August 2020 21:14 UTC

To: Richard Barnes <rlb@ipv.sx>
CC: Messaging Layer Security WG <mls@ietf.org>
References: <504ca35e-ca0a-47db-a861-774867c169b9@aalto.fi> <CAL02cgRHMjbmy+e=BPjsc5B-F3tpLADdjPUiQCgcek4nZTs7rQ@mail.gmail.com>
From: Chris Brzuska <chris.brzuska@aalto.fi>
Message-ID: <3b13972c-836c-ac48-41cc-8b8dad35e1af@aalto.fi>
Date: Fri, 21 Aug 2020 00:13:55 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/Oeg-SfJpQDsw0IYEB1rqqtAP6bk>

Excellent, thanks :-)

Chris

On 21/08/2020 00:04, Richard Barnes wrote:

> Argh, we *used* to have an Expand call there, but got rid of it 
> because the first step of DeriveKeyPair was also Expand.  But now that 
> we're delegating to the KEM here, it probably makes sense to add it 
> back, especially since the first step of DeriveKeyPair is now Extract.
>
> https://github.com/mlswg/mls-protocol/pull/397
>
> I think I owe Konrad a beer since he initially proposed it and I 
> reverted it :)
>
> --Richard
>
> [1] 
> https://github.com/cfrg/draft-irtf-cfrg-hpke/blob/master/draft-irtf-cfrg-hpke.md#derivekeypair-derive-key-pair
>
> On Thu, Aug 20, 2020 at 2:40 PM Chris Brzuska <chris.brzuska@aalto.fi 
> <mailto:chris.brzuska@aalto.fi>> wrote:
>
>     Hey all,
>
>     I realized that the path_secret is now used to key two different
>     cryptographic primitives, which violates key separation. Namely,
>     the path_secret is used to key the two functions ExpandWithLabel
>     and KEM.DeriveKeyPair.
>
>     Downsides:
>
>       * Violates the good crypto practice of key separation via
>         HKDF.Expand which we use in other parts of MLS.
>       * Moves MLS outside the scope of provable security, because
>         crypto assumptions assume that a key is only used in one
>         cryptographic primitive and not in two.
>
>     Chris
>
>     path_secret[n] = ExpandWithLabel(path_secret[n-1], "path", "", KEM.Nsk)
>     node_priv[n], node_pub[n] = KEM.DeriveKeyPair(path_secret[n])
>
>
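The derivation quoted above, next to the variant with the extra Expand step the thread proposes adding back, as an added example that is not code from the thread, the MLS drafts or PR 397. It assumes the draft-era "mls10 " label prefix for ExpandWithLabel, uses "node" as the separating label (this example's choice), and implements only the private-key half of HPKE DHKEM DeriveKeyPair from RFC 9180 (the X25519 public-key step is omitted).

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
KEM_NSK = 32                                       # Nsk for DHKEM(X25519, HKDF-SHA256)
HPKE_SUITE_ID = b"KEM" + struct.pack(">H", 0x0020)  # "KEM" || kem_id of DHKEM(X25519)

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM); empty salt = HashLen zeros."""
    return hmac.new(salt or bytes(HASH().digest_size), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        out, i = out + block, i + 1
    return out[:length]

def expand_with_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """MLS ExpandWithLabel: HKDF-Expand keyed by `secret` with a serialised HkdfLabel
    (uint16 length, "mls10 "-prefixed label, context) as info.  Prefix is an assumption."""
    lbl = b"mls10 " + label.encode()
    info = struct.pack(">H", length) + bytes([len(lbl)]) + lbl \
        + struct.pack(">I", len(context)) + context
    return hkdf_expand(secret, info, length)

def kem_derive_private_key(ikm: bytes) -> bytes:
    """Private-key half of DHKEM DeriveKeyPair (RFC 9180): LabeledExtract("", "dkp_prk", ikm)
    then LabeledExpand(dkp_prk, "sk", "", Nsk).  Public-key (X25519) step omitted."""
    dkp_prk = hkdf_extract(b"", b"HPKE-v1" + HPKE_SUITE_ID + b"dkp_prk" + ikm)
    info = struct.pack(">H", KEM_NSK) + b"HPKE-v1" + HPKE_SUITE_ID + b"sk"
    return hkdf_expand(dkp_prk, info, KEM_NSK)

def derive_node_original(path_secret_prev: bytes):
    """Derivation quoted in the thread: path_secret[n] keys BOTH ExpandWithLabel
    (next path secret) and KEM.DeriveKeyPair, i.e. the key-separation violation."""
    path_secret = expand_with_label(path_secret_prev, "path", b"", KEM_NSK)
    node_priv = kem_derive_private_key(path_secret)
    return path_secret, path_secret, node_priv  # (path_secret[n], KEM ikm, node_priv[n])

def derive_node_separated(path_secret_prev: bytes):
    """Variant with an extra Expand: a label-separated node_secret feeds the KEM, so
    path_secret[n] keys only ExpandWithLabel.  Label "node" is this example's choice."""
    path_secret = expand_with_label(path_secret_prev, "path", b"", KEM_NSK)
    node_secret = expand_with_label(path_secret, "node", b"", KEM_NSK)
    node_priv = kem_derive_private_key(node_secret)
    return path_secret, node_secret, node_priv  # (path_secret[n], KEM ikm, node_priv[n])
```

In the original form the value handed to the KEM is byte-for-byte the PRK used for the next ExpandWithLabel; in the separated form the two are distinct HKDF outputs under different labels.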