Re: [MLS] Unpredictable epochs?

Benjamin Beurdouche <benjamin.beurdouche@inria.fr> Fri, 26 April 2019 13:08 UTC

Return-Path: <benjamin.beurdouche@inria.fr>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BFAF1201D9 for <mls@ietfa.amsl.com>; Fri, 26 Apr 2019 06:08:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 69OjkzKjeI-v for <mls@ietfa.amsl.com>; Fri, 26 Apr 2019 06:08:18 -0700 (PDT)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE1741201D8 for <mls@ietf.org>; Fri, 26 Apr 2019 06:08:17 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.60,397,1549926000"; d="scan'208";a="304094947"
Received: from 91-165-78-144.subs.proxad.net (HELO [192.168.0.18]) ([91.165.78.144]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Apr 2019 15:08:15 +0200
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
From: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
In-Reply-To: <CAL02cgR98gpF1HqDn31-xxUC6w3Orec_P=2VZ_5jc3xx6uLWCQ@mail.gmail.com>
Date: Fri, 26 Apr 2019 15:08:14 +0200
Cc: Michael Rosenberg <micro@fastmail.com>, ML Messaging Layer Security <mls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E984A4FB-DBA9-4B4D-A0F4-A6A5ABEF8ADD@inria.fr>
References: <CAL02cgSE1xTF2Wsq-u=BCu2Z_4UzMzqMPi=D_H7_7hbRpUMVVA@mail.gmail.com> <2D195D14-9F9A-4D64-92EF-35C601C52C01@inria.fr> <CAL02cgR8gQ6cH_QXd_9v46aJ5aeo=b=1GiYu9YxCNYzJb0tOFQ@mail.gmail.com> <B36BF8F5-EAE9-4C96-A867-82CDFBF830C0@inria.fr> <CAL02cgQ7-JMQsG6sq6YBB3G-5tmCVQoo07nvW63tzBzHPQ0ZWw@mail.gmail.com> <AC74CACD-541B-49CD-9CC9-63343307A53D@fastmail.com> <CAL02cgR98gpF1HqDn31-xxUC6w3Orec_P=2VZ_5jc3xx6uLWCQ@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.3445.104.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/Qz1EYQ1r8dOAXbT7Iu2yoWuQiBc>
Subject: Re: [MLS] Unpredictable epochs?
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2019 13:08:21 -0000


> On Apr 26, 2019, at 2:28 PM, Richard Barnes <rlb@ipv.sx> wrote:
> 
> Well, I don't think we can get rid of the epoch entirely.  For handshake messages, you could maybe get by with the theory that if a message doesn't apply to the single most recent state, then it's no good, so you don't need to explicitly say which state it applies to.  But that seems painful, especially if you want to tolerate a degree of partial order / forking history.  For application messages, you definitely need it, otherwise you have an issue with application messages being out of order with handshake messages.
> 
> That said, it does seem like we could maybe steal the epoch from elsewhere and save a few hash invocations.  The question is what value we could re-use that wouldn't be leaking information.  The tree hash seems bad from that perspective, because it is never transmitted in the clear otherwise.  Another option I had pondered was re-using the confirmation MAC value.  In any case, as a first effort, it seemed simpler to derive a value for the purpose.
> 
> W.r.t. the transcript hash - I have the same suspicion you do, but I am waiting for someone with a security proof in hand to tell me it's OK to remove :)

I will do a round of review next week but *from what I remember* about the proposal,
I don’t think you can do that. The transcript hash contains strictly more information than
the tree hash anyway, especially for authentication. I’ll check when reviewing but if the tree hash
doesn’t cover the signatures, for example, then you can’t replace one by the other.

B.