[MLS] Overflow discussion on #406

Richard Barnes <rlb@ipv.sx> Tue, 20 October 2020 18:54 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 3FF023A0EFC for <mls@ietfa.amsl.com>; Tue, 20 Oct 2020 11:54:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id sGiy26FUD47g for <mls@ietfa.amsl.com>; Tue, 20 Oct 2020 11:54:17 -0700 (PDT)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 983213A12E1 for <mls@ietf.org>; Tue, 20 Oct 2020 11:54:16 -0700 (PDT)
Received: by mail-qt1-x82b.google.com with SMTP id t9so2004032qtp.9 for <mls@ietf.org>; Tue, 20 Oct 2020 11:54:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=bHY9mNgKPDHYsOkfQil/nRpv3SViouGcHto7uAMJsGA=; b=P8MRpAcV4fplDbDJEoKm3vK5jM31rSJngHd7ITnSKdqpdbwAdsmx3mbFyTz8mErPTJ 8j4EtijBQudsmSUfd8ejiMvALbxvcvTNcqij/xVUnJ+s+ZkUAQYr6NLhxyR00Un/NaAh CGhtm8WgE1mgaOybCAHo0J0BY1wF9k7ktnjWdYXgkFxQtUakKU66TyXoNxtvrf5baDi+ 41yLytYwUjZhWcoRl+xLwm5A3Y73ebCYzpFfM1mPADxnjDs1vmisl4QHbJmggrdi+M82 tdmNH4ze9pD/2e0jGSB1iJwOJV8mQkDl88xzx8Joq4d9Hg2AGFp0XYYr/xKcUetJKSMc RCag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=bHY9mNgKPDHYsOkfQil/nRpv3SViouGcHto7uAMJsGA=; b=QujZq2sr1IYT29Q7qVxzbWfOaxtrwgSvrOm3frcKc5pOw1K/YdhqL8ks+rX35vt2zB yz8wTlvW/nwIDbT8YIB4JPuYxtYjW1SoOafyEQHstTnrkPr1WjAJh5JifEH/JG7TPgoT 8RqBtwgSt6rBjDhp0AwyaKJIUkahDjOMDpw0u6y4SgmtjHUy/qi91slaUo9cj7zCF+tJ B9lHpX1TKAjdvIsIljqamlbD3buZ2V3yxeVr4nH/jF7/ngrxyuTXjOPVYJTZ5odrEET/ az0S9q+4NK7HVjfYRgsTDuulos7TdwnBY8gC3l2Vu8RW8r4uM0yvkX/L4pbhBBjDq1lq ihuA==
X-Gm-Message-State: AOAM531LBhbe8gc/8E818Mif9FaXUvFz7X8w8C0Ci6eksINXPH1m4pP6 zbgS4eOGURmL48/9kiKF+1Kz8RlreIR2wRb+CwOB0DEs9wAWhw==
X-Google-Smtp-Source: ABdhPJypdzKoprC6jd9fDBiwV5OY3nD9HH/kKChW6LYgJh/JKzNo3XqfnZj3BVMZtBkEiOgzNwo8OhdjnGluLdE2DBo=
X-Received: by 2002:ac8:1246:: with SMTP id g6mr3780338qtj.353.1603220054970; Tue, 20 Oct 2020 11:54:14 -0700 (PDT)
MIME-Version: 1.0
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 20 Oct 2020 14:53:59 -0400
Message-ID: <CAL02cgRuAzoVpgZvOVPj3hwv3geDJjrhRxPL__8O6jXBLD9xVA@mail.gmail.com>
To: Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dfadc605b21ec158"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/Ph3qDIcZCkG_JiABNeiSpHoK8C4>
Subject: [MLS] Overflow discussion on #406
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Oct 2020 18:54:19 -0000

Our interim call went about 30min past our scheduled end time today.  Since
we were without chairs for the last 30min, that time was not official WG
time, so we couldn't make decisions about PRs.  Luckily, we only had one PR
remaining, and we couldn't come to agreement on it anyway :)

Two remaining questions on PR#406, where the first is more important:

1. Should the GroupKeyPackage / GroupPublicState be signed?

On the one hand, having a signature would remove any concerns about
copy/paste recombination of the various constituent parts.  In particular,
it would avoid the public key for one group being reused with another (up
to reuse of signature keys across groups).

On the other hand, Raphael expressed some concern about deniability, since
this would be a public signature by a member of the group over the whole
state of the group.

Personally, signing seems like the conservative option to me.  But I
haven't done much analysis here.

2. Which transcript hash(es) should be included?

(This is more of an engineering question than a security question)  To
summarize how the transcript hashes / confirmation tag work:

confirmed = H(interim || all_of_commit_besides_confirmation_tag)
confirmation_tag = MAC(confirmation_key, confirmed)
interim = H(confirmed || confirmation_tag)

In a GroupInfo / Welcome based join, the joiner needs the confirmed
transcript hash but not the interim.  The confirmation tag is provided in
the GroupInfo and verified by the joiner, and can then be used to compute
the interim transcript hash.  (This is a side effect of #416, which moved
the signature from interim to confirmed)  In other words, the joiner starts
at the second line above, since they don't actually see the commit.

In an GroupPublicState / Commit based join, the joiner is computing the
commit, so they start at the first line.  As a result, the joiner needs the
interim transcript hash, not the confirmed transcript hash.

I have implemented these changes (removing interim from GroupInfo and
confirmed from GroupPublicState) in my draft implementation of #406 [1],
and they do work.  I have filed a small spec PR to remove this [2] and
suggested the corresponding changes in #406.


[1] https://github.com/cisco/mlspp/pull/118
[2] https://github.com/mlswg/mls-protocol/pull/428