IETF Logo Mail Archive

Re: [MLS] Malicious user segmenting the group

Raphael Robert <raphael@wire.com> Tue, 23 October 2018 17:32 UTC

Return-Path: <raphael@wire.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B23AE124C04 for <mls@ietfa.amsl.com>; Tue, 23 Oct 2018 10:32:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L6ZGPFJIpNoi for <mls@ietfa.amsl.com>; Tue, 23 Oct 2018 10:32:04 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA853130E65 for <mls@ietf.org>; Tue, 23 Oct 2018 10:32:01 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id w19-v6so2439345eds.1 for <mls@ietf.org>; Tue, 23 Oct 2018 10:32:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=9yvgFiABktSSbzVfbcZ+z+hAlwfDBpCZiPBhPzt5fVs=; b=1SPyI8qrmSJVeeAiBzG2PCdYuMJ1TuFKifoglSx6PoEVSnp0OXdQCxllMmOevxVtNm nveqg11HlyJKoAPe0EnQ4F0K8JuW7Wupzkmrv3+05Ylj8R0ZaJd8DGkr8qf9dWy0k7MW poajMnZ4sqjYHBKAzM7HS5UYuhGVt+30LyY8bmJkuMhWwV0jQ+Vcoaf2yvhdcxQGztdm W1m2YVLMzfgBpTbBIqBFrSTx92fl1+TfvGZK36y8KZd/mNFevetIuy+j/MsrWwsUrEof uLd1266R4s9rNflmZ+VhILKIiuFQRuNUvdvKzTngITIzC7ti+yK9rQxhQCb2apJ0KT5E WIeg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=9yvgFiABktSSbzVfbcZ+z+hAlwfDBpCZiPBhPzt5fVs=; b=dLVQETQ3u26YeykbfQzN7KNAW3FiAJ0lYJFCrSn00ADnJM3JbMVL7q+2+7o/ZU/riP ktlMjzc4O8wDxW7FsbXFEwhHCyPJSgmYcUJ/S6X3vx+PvbiiJ9YGQFi2YKwA5D6RsThA u42sISWHElPEW4ItG7we5wOtaZq/ApqZ6rVBI1bWTz17zWzCoQQY50bQXFe5swJfxJQ0 MmW2HZJpzaBHuKq9HzReQ1097EUklI1RD49bRM0viK1nSayvkB1rXLrA9d4XWisEhsGD XQQ90Tq9yb/Cqx2Rjl3TZiinFQ6h+g+cL+vL656OPM0ho4V9x6YedP/DYoBVH/chO6E/ uEQg==
X-Gm-Message-State: AGRZ1gLSUtD+NezB5SJ0SkQqYieG8CklDFZ5DInz2IQxOm4zlQZhldP9 kjj/qr7i+2glKQFKcj/GZZQx+gQft3A=
X-Google-Smtp-Source: AJdET5eLTRVLkj3kiAuZoJwgbwqDVrDvGtn9Vu0EWQ7e7vaeMB2HeNqq2n28PmpRWdPOxFNXktpcSg==
X-Received: by 2002:a50:a699:: with SMTP id e25-v6mr3830245edc.225.1540315919107; Tue, 23 Oct 2018 10:31:59 -0700 (PDT)
Received: from rmbp.wire.local (h-62.96.148.44.host.de.colt.net. [62.96.148.44]) by smtp.gmail.com with ESMTPSA id a40-v6sm971891edd.61.2018.10.23.10.31.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 Oct 2018 10:31:58 -0700 (PDT)
From: Raphael Robert <raphael@wire.com>
Message-Id: <5DD65297-F437-4F22-A3E6-C2955D428B1C@wire.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_8798F5BF-5A8D-41C4-9F92-4F1501474114"
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
Date: Tue, 23 Oct 2018 19:31:56 +0200
In-Reply-To: <CAL02cgSdSoYKQhU94Qedh2XN=8usNnkJGAKziashYz+HRF9ZpA@mail.gmail.com>
Cc: jtoohill=40google.com@dmarc.ietf.org, Emad Omara <emadomara@google.com>, gbelvin@google.com
To: mls@ietf.org
References: <CA+tdQEvNiiVvJfeh51AWBPB-z9Jpymt4LHRRfCBdkYh6XnfkAQ@mail.gmail.com> <CAL02cgSdSoYKQhU94Qedh2XN=8usNnkJGAKziashYz+HRF9ZpA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/Rp3w2uofJeegxFJiW4uU2prRBAY>
Subject: Re: [MLS] Malicious user segmenting the group
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2018 17:32:07 -0000

I’d like to second that this is an active issue. I think there are two kinds of attacks an ill-intentioned member could do (for an Update HS):

 a) Send the wrong public keys
 b) KEM values that not part of a valid hash chain

In both cases, not everyone can detect these attacks. Members can only detect malformed values between the intersection node and the root. The intersection node is the node where the direct paths of the updating node and the member’s leaf node intersect. Any malformed value that are below the intersection cannot be verified.

This can lead to different reactions from members:

 1. Some will detect that values are malformed, discard the HS message altogether and keep the current epoch secret
 2. Some will not detect the attack and hash up from a faulty value to derive a new root secret (attack b)
 3. Some will not detect the attack and hash up from a correct value, but will later KEM to a faulty public key (attack a)

In all cases this leads to partition with no obvious ways of reconciliation. For case 1 members will know who the culprit was, which is marginally better than case 2 and 3, where they don’t know. For case 1 the attack could be surfaced to the user as some sort of warning, so that users can manually resolve the situation by ultimately removing the attacker from the group.
Case 2 can be addressed with the key confirmation in [1], because members will not derive the same root secret and fail on the HMAC verification. They will thus also know who the culprit is.

It would be interesting to see if efficient ZKPs exist, so that clients can always come to the same conclusion on whether or not a message is valid.
There might also be another use case, where the verification could be done by the server (assuming unencrypted handshake messages). This would allow the server to discard faulty messages right away without forwarding them to clients. It would also potentially address the bottleneck situation we currently have with Welcome messages. In such a scenario the server could cache the public keys of the tree nodes and make them available to newcomers. This is obviously a complex subject with some intricacies that should be discussed separately, but since this is yet another reason to have ZKPs to verify handshake messages, I wanted to mention it here.

Finally, I wanted to mention that concept of ACK/ NACK messages adds a notion of interaction and inter-client consensus that hasn’t existed so far. Since there is no guarantee that clients who are theoretically able to detect a faulty message will ever come online to warn others, the group state could advance for quite some time and lead to partition.


[1] https://github.com/mlswg/mls-protocol/pull/72

> On 22 Oct 2018, at 20:10, Richard Barnes <rlb@ipv.sx> wrote:
> 
> Hi Jon,
> 
> This is definitely an active issue.  See my message earlier today about authentication / key confirmation.
> 
> There have been some discussions of ZKPs for this, but AFAIK, no workable proposal has emerged.  The problem is that what you want to prove is that a sequence of keys are the result of transforming a chain of hashes from hash outputs to key pairs -- if you want to do a ZKP with a general hash function, the ZKP is very expensive, and if you adapt the hash function to have nicer proof properties, you lose some of the cryptographic properties you would want.
> 
> My current thinking is that we should probably try to address this at the protocol level.  In some of the pre-BoF discussions, we had talked about doing some specification of ACK / NACK messages.  Now that at least some endpoints can recognize a bad message, it seems like we could define a NACK that says "that handshake message was invalid" and basically let endpoints veto invalid messages.
> 
> If someone wants to come up with a concrete proposal, I would love to discuss further.
> 
> --Richard
> 
> On Mon, Oct 22, 2018 at 1:37 PM Jon Toohill <jtoohill=40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>> wrote:
> Hey MLS folks,
> 
> I'm still skimming through the mailing list archives to get up to speed, so apologies if this has already been discussed & solved. I saw the following note in a recent version of the protocol draft:
> 
> [[ OPEN ISSUE: It is not possible for the recipient of a handshake message to verify that ratchet tree information in the message is accurate, because each node can only compute the secret and private key for nodes in its direct path. This creates the possibility that a malicious participant could cause a denial of service by sending a handshake message with invalid values for public keys in the ratchet tree. ]]
> 
> It seems like this could be solved by having the handshake message sender prove in zero knowledge (i.e. without revealing their secret or the parent secret) that they derived the parent public key correctly. ZK-SNARKs are one way of doing that, but my admittedly weak understanding is that generating proofs might be too computationally expensive for mobile devices. Does this seem like a worthwhile direction to investigate? Does anyone know of a more efficient construction that could be used in MLS?
> 
> -Jon Toohill
> _______________________________________________
> MLS mailing list
> MLS@ietf.org <mailto:MLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls

v2.23.0 | Report a Bug | By Email