Re: [MLS] Key confirmation - Extra MAC needed?
Richard Barnes <rlb@ipv.sx> Tue, 23 October 2018 15:08 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2705613102D for <mls@ietfa.amsl.com>; Tue, 23 Oct 2018 08:08:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MMkHw5O2NaV7 for <mls@ietfa.amsl.com>; Tue, 23 Oct 2018 08:08:27 -0700 (PDT)
Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com [IPv6:2607:f8b0:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6245F130EE1 for <mls@ietf.org>; Tue, 23 Oct 2018 08:08:26 -0700 (PDT)
Received: by mail-ot1-x330.google.com with SMTP id x4so1716554otg.3 for <mls@ietf.org>; Tue, 23 Oct 2018 08:08:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4fj16CdPEAxegQbh3gdaYMSuxVuazSuuVuE7T0Gt4cI=; b=jspHF+8tqs3T6Y0HkHinxRF7SvL8AKP7x9uUS4jJwkKtjeFbCOOzrkMix8nRAACTLw MVFoy7gcKA5Bd9cvw/scs9tV6TtySoU4dbgHuXXBAhMYL55slxkZKUSxEwI47HD+4X37 qTxITu4RreQNxZZyKofcc3X4jrabdui0lefN8HD35TCPmHtx5Pt3jNbm4rtvaQkHqROG Xv7cFC0PBzwg//XL3NDgMhN3KzReqlpZ5W9NY7ab5l6kGt+qJezPxzhIDX+4XNKSOknc zUL4TN8aXe8zZ5J7dnd5A/StCsalkVVjXuUhRHKk2OctzfBzOhTrPCaE4WQBRP0t4wMT CtNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4fj16CdPEAxegQbh3gdaYMSuxVuazSuuVuE7T0Gt4cI=; b=t+Jvpz1B+Ct8FD8Y45jGF00kIPzixx+uaSRfN9ThJsgoZ50f6/6sGadExCYXeU4b5S drJcsymruy8UDk1jN2RpSyOyNulQgvOO8dle3//XGPlJ9iIY7R/WK0DJqIAqBUx/mzJk qIXQVK5JaFSX0aaASkq14SEaeUwG595pTdq7Ev2AyX1AkRl3G/lZFs6dY4vfp3VviziZ eQjT077G5v4cH4nLcfE3hLxvf9sack1CgF2dilLC6/pPIwKf5P1WJfIlzfMrrmP1ixB1 Au7GDUkGAornJ7xM/wQaNAkVMkIz+B0SFC26oQApvrnISWZCBq1xqGKdkrO6FK+fFxHb FvNQ==
X-Gm-Message-State: ABuFfogPo1x9WMAcsWg28XRGt+c/C4uFcOKMGs4TIeMjQWSuVF23oZB4 pqWR3Bghzf6PBbcCNxYFMmVkiMMKbPvg6G7RE1l6bbVN
X-Google-Smtp-Source: ACcGV63htQSM2HbCJrBPSTr83bHx3G/KFpNZaMbtnMASRGTh8aJkJqtRZwjgD6K9mF/Tt69lCQJqIE9L7HQ1zIqebYw=
X-Received: by 2002:a9d:2377:: with SMTP id k52mr32825531otd.238.1540307305522; Tue, 23 Oct 2018 08:08:25 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgTk+mBNi8jDicN8jmpGZkixTOu541MVEFj7SSgroL8DHg@mail.gmail.com> <58A76FA7-6A4B-4E78-8631-A20CD20AE533@vigilsec.com>
In-Reply-To: <58A76FA7-6A4B-4E78-8631-A20CD20AE533@vigilsec.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 23 Oct 2018 08:08:06 -0700
Message-ID: <CAL02cgT-x0DNVK-YOJZYUWs1j4nnsFRAv92gS9YkjOPzb7AbGg@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: mls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ca79e30578e6bd1e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/RO9ln0mJVKzZDDMtb6HDOQRVpO0>
Subject: Re: [MLS] Key confirmation - Extra MAC needed?
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2018 15:08:33 -0000
On Tue, Oct 23, 2018 at 6:34 AM Russ Housley <housley@vigilsec.com> wrote: > > Hey all, > > In the just-released -02 draft of MLS, I've added a key confirmation step > to the handshake authentication process. Important question after "=====" > below... > > In the previous draft, there was an authentication mechanism that ensured > that if two group members ended up with different GroupState objects, then > they would have different keys. However, it did not provide any way for > group members to recognize that this was the case, except for AEAD checks > on encrypted messages failing. With explicit key confirmation, the > recipient of a Handshake message knows that if processing of the handshake > message succeeds, then the recipient has the same GroupState as the sender. > > This provides a degree of protection against malicious insiders that send > different TreeKEM values to different parts of the tree. Namely, only the > subset of the tree that got the key matching the key confirmation will > accept the Handshake message; the others will be locked out. (Assuming a > broadcast channel; if the sender can send different key confirmations to > different recipients, then this is no help.). This isn't complete > protection, but at least the locked-out members know they've been locked > out, and can complain about it. > > ===== > > The major question here is whether it's sufficient to derive a key > confirmation value from the key schedule and publish it, or whether the > value derived in the key schedule should be used as a MAC key to generate a > MAC over the message transcript. I've posted PRs for both; the latter is > what I merged in -02 > > Derive: https://github.com/mlswg/mls-protocol/pull/72 > MAC: https://github.com/mlswg/mls-protocol/pull/71 > > On the one hand, the MAC-based approach is what is done in TLS. It feels > safer, because we never publish anything that's in the key schedule diagram. > > On the other hand, the Derive-Secret operation used to create the key > confirmation value in the key schedule is **already** based on HMAC. So it > doesn't seem like the extra MAC step is adding that much value. > > If we can convince ourselves that the Derive approach (without the extra > MAC) is sufficient, I would prefer to do that, since it's simpler. But > feedback on this point would be very much appreciated. > > > The Derive approach is straightforward. If this leaks in any surprising > way, then draft-ietf-tls-exported-authenticator has a problem too, right? > I don't think that necessarily follows. That draft follows the MAC approach, in that the values it exports from the TLS key schedule are used as inputs to a MAC, and only the MAC output is published. That said, I agree it's instructive to look at uses of the TLS exporter to identify parallel risks here. You would want to find some case where an exported value is used as a public value. Unfortunately, the only other major usage of exporters that comes to mind is DTLS-SRTP, which exports a key and salt. You could use that to argue either way, since the salt is notionally public, but in practice is never published. --Richard
- [MLS] Key confirmation - Extra MAC needed? Richard Barnes
- Re: [MLS] Key confirmation - Extra MAC needed? Russ Housley
- Re: [MLS] Key confirmation - Extra MAC needed? Richard Barnes
- Re: [MLS] Key confirmation - Extra MAC needed? Katriel Cohn-Gordon
- Re: [MLS] Key confirmation - Extra MAC needed? Richard Barnes
- Re: [MLS] Key confirmation - Extra MAC needed? Katriel Cohn-Gordon