[MLS] Insider Replay Attack in MLS

"Kumar, Akshaya" <akshayakumar@gatech.edu> Mon, 03 February 2025 14:16 UTC

From: "Kumar, Akshaya" <akshayakumar@gatech.edu>
To: "mls@ietf.org" <mls@ietf.org>
Date: Mon, 03 Feb 2025 14:00:00 +0000
CC: "Jaeger, Joseph S" <josephjaeger@gatech.edu>
Subject: [MLS] Insider Replay Attack in MLS
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/SRAV33J5Ka9A4R-Ymv8a_T_TXhE>

Dear members of the MLS mailing list,

I am a PhD student at Georgia Tech studying cryptography. Over the past two years, my advisor Joseph Jaeger and I have been analyzing the compositions of symmetric encryption and digital signatures underlying the chat encryption algorithms in secure group messaging protocols (starting from our work on Keybase with Igors Stepanovs that appeared at Eurocrypt 2024). In current work we analyzed MLS and we believe that it is vulnerable to replay attacks by group insiders that result from the lack of authentication of the message generation. (The specification uses the term generation to denote a particular position in the sender ratchet). Below we give a brief overview of MLS chat encryption, describe the attack, and propose mitigations.

Chat encryption in MLS composes a digital signature scheme and an AEAD scheme in a Sign-then-Encrypt fashion. To encrypt a message from a sender to the group, the chat encryption algorithm first signs the group name, the epoch, the sender’s leaf index in the ratchet tree, the associated data, and the message using the sender’s signing key. It then encrypts the resulting signature and the message using an AEAD scheme where the corresponding encryption key and nonce are derived using the sender ratchet and the message generation. The data authenticated by the AEAD scheme contains the associated data, the group name, and the epoch. Notably, the signature does not authenticate the message generation, leading to the following insider replay attack.

In MLS group chats, every group member knows the sender ratchet secrets (and hence the encryption keys) for all members. A malicious member can decrypt a ciphertext to get a message and signature for some generation i and then re-encrypt them with the key and nonce for a different generation j. This ciphertext will be accepted as coming from the original sender because none of the information authenticated by the signature has changed, resulting in the message being replayed.

The MLS Architecture document (Section 8.3.1.1, https://messaginglayersecurity.rocks/mls-architecture/draft-ietf-mls-architecture.html#name-compromise-of-aead-keys) considers a setting where the attacker knows the AEAD encryption keys but not the sender’s signing key and guarantees the following.

“Compromise of the AEAD keys allows the attacker to send an encrypted message using that key, but cannot send a message to a group which appears to be from any valid client since they cannot forge the signature.”

The attack can be easily mitigated if either the message generation or the encryption nonce (one of the two suffices since the nonce is derived from the generation) is additionally included as an input to the digital signature scheme during the signing process. One way to achieve this would be to include the encryption nonce/generation as part of the associated data. The RFC (https://www.rfc-editor.org/rfc/rfc9420.html#section-6.3.1) currently does not specify what should be included in the associated data field, leaving this decision to the application. To ensure secure deployments, developers could be encouraged to always incorporate this information in the associated data, preventing the attack while remaining compliant with the current protocol.

We believe it would have been preferable for the protocol to always require the generation be an input to the signature, but this seems like a reasonable fix given that it does not.

We have a paper (currently under submission) covering this and other related work, which we will make public in the future.

Sincerely, Akshaya
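A toy model of the Sign-then-Encrypt composition the mail describes, added here as an example and not code from the mail, the RFC, or any MLS implementation: Go's Ed25519 and AES-GCM stand in for the MLS signature and AEAD, SHA-256 over (ratchet secret, generation) stands in for the sender ratchet, and the constructed `header` stands in for group_id, epoch and leaf index. `ReplayAccepted` is the receiver-side check: with `bindGen` false the re-keyed ciphertext still verifies, and with the mail's mitigation (generation appended to the AAD, hence covered by the signature) it is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
)

// Toy model of MLS chat encryption (Sign-then-Encrypt); not RFC 9420 code. header stands
// for group_id||epoch||leaf_index; SHA-256 over (ratchet secret, generation) stands in for
// the sender ratchet that yields each generation's AEAD key and nonce.
func gcmFor(secret []byte, gen uint32) (cipher.AEAD, []byte) {
	k := sha256.Sum256(binary.BigEndian.AppendUint32(append([]byte{}, secret...), gen))
	block, _ := aes.NewCipher(k[:16])
	gcm, _ := cipher.NewGCM(block)
	return gcm, k[16:28]
}
// AAD is the application's associated data; bindGen appends the generation (the mail's mitigation).
func AAD(app []byte, gen uint32, bindGen bool) []byte {
	if !bindGen {
		return app
	}
	return binary.BigEndian.AppendUint32(append([]byte{}, app...), gen)
}
// tbs is the signed content: header, AAD and message. The generation itself is not in it.
func tbs(header, aad, msg []byte) []byte {
	return append(append(append([]byte{}, header...), aad...), msg...)
}
func Encrypt(secret []byte, sk ed25519.PrivateKey, header, aad []byte, gen uint32, msg []byte) []byte {
	sig := ed25519.Sign(sk, tbs(header, aad, msg))
	gcm, nonce := gcmFor(secret, gen)
	return gcm.Seal(nil, nonce, append(append([]byte{}, msg...), sig...), aad)
}
func Decrypt(secret []byte, pk ed25519.PublicKey, header, aad []byte, gen uint32, ct []byte) ([]byte, bool) {
	gcm, nonce := gcmFor(secret, gen)
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil || len(pt) < ed25519.SignatureSize {
		return nil, false
	}
	n := len(pt) - ed25519.SignatureSize
	return pt[:n], ed25519.Verify(pk, tbs(header, aad, pt[:n]), pt[n:])
}
// ReplayAccepted is the receiver-side check from the mail: an insider holding the ratchet
// secret but not the signing key re-seals a generation-i ciphertext under generation j,
// leaving (message, signature) untouched. A failed Open yields nil, which Decrypt rejects.
func ReplayAccepted(secret []byte, pk ed25519.PublicKey, header, app []byte, i, j uint32, ct []byte, bindGen bool) bool {
	gi, ni := gcmFor(secret, i)
	pt, _ := gi.Open(nil, ni, ct, AAD(app, i, bindGen))
	gj, nj := gcmFor(secret, j)
	_, ok := Decrypt(secret, pk, header, AAD(app, j, bindGen), j, gj.Seal(nil, nj, pt, AAD(app, j, bindGen)))
	return ok
}
```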