[MLS] Improve FS granularity at a cost
Konrad Kohbrok <konrad.kohbrok@datashrine.de> Thu, 24 January 2019 09:51 UTC
Return-Path: <konrad.kohbrok@datashrine.de>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5E88130FCD for <mls@ietfa.amsl.com>; Thu, 24 Jan 2019 01:51:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RnJiPce9zsiU for <mls@ietfa.amsl.com>; Thu, 24 Jan 2019 01:51:00 -0800 (PST)
Received: from mx2.mailbox.org (mx2a.mailbox.org [IPv6:2001:67c:2050:104:0:2:25:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADFD712D7F8 for <mls@ietf.org>; Thu, 24 Jan 2019 01:51:00 -0800 (PST)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:105:465:1:1:0]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mx2.mailbox.org (Postfix) with ESMTPS id 01C59A11F9 for <mls@ietf.org>; Thu, 24 Jan 2019 10:50:57 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from smtp1.mailbox.org ([80.241.60.240]) by spamfilter03.heinlein-hosting.de (spamfilter03.heinlein-hosting.de [80.241.56.117]) (amavisd-new, port 10030) with ESMTP id P7IbIsZXrQRM for <mls@ietf.org>; Thu, 24 Jan 2019 10:50:55 +0100 (CET)
From: Konrad Kohbrok <konrad.kohbrok@datashrine.de>
To: Messaging Layer Security WG <mls@ietf.org>
Message-ID: <bfac6389-d465-b46b-e147-865c38bd3369@datashrine.de>
Date: Thu, 24 Jan 2019 11:50:54 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/WRdXVr8iUwibaQu0tH6sDnqU1no>
Subject: [MLS] Improve FS granularity at a cost
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jan 2019 09:51:04 -0000
Currently, when a member of a group does not issue an update for a while and
then gets compromised, the adversary gets to see all the key material back until
that member had last sent an update. The application could enforce a policy,
where members have to issue updates in regular intervals, but in specific
scenarios, but we might be able to do better for a price.
Again, if this was already suggested earlier and for some reason didn't make it
into the document, I'm sorry.
In the case of an honest-but-lazy group member which is online, but doesn't send
updates, we could still get some FS guarantees in case that member gets corrupted.
One way of doing this could be puncturable encryption [1], where after a
decryption operation, the receiver "punctures" their private key such that a
certain set of ciphertexts (in our case, every ciphertext decrypted until that
point) can no longer be decrypted with this copy of the key, giving us forward
secrecy. I'm not intimately familiar with the details, but I think this doesn't
work with any public key encryption scheme, so it might limit our choice there.
Another way would be if with every update (or maybe with a special "UpdateAll"
handshake message), the updating node contributes to the key of every node
they would KEM an update to. Since we have to make sure that every node is still
aware of the (new) public key of every node that was impacted that way, we could
do something like this:
(This is similar to Yevgeniy's "delta" proposal for garbage collection or might
even be the same thing seen in a different light.) Along with the regular KEMed
secrets, the updating node (A) encrypts some additional randomness. Then, every
node changes their private and public keys using that randomness.
Revisiting the example from Section 5.4.:
G
/ \
/ \
E _
/ \ / \
A B C D
Let's say A updates its secret key to X. Then, along with the relevant secrets
for the nodes in the resolution of its direct path, the ciphertext sent also
contains some fresh randomness r. The message sent to C for example would look
like this:
E(pk(C), r||h(h(X)))
Then E would update its private key to be Er and its public key to be
(g^E)^r=g^(Er)
Now every node can compute the new public key of every other node updated this
way, because they know the old key and they all received the same randomness
(resulting in n DH-operations for every node). If a node gets compromised, the
adversary only get the new key (Er), but won't be able to derive E from it and
thus can't access key material that was previously KEMed under that key.
Of course, this doesn't work if the victim is not online, but I still think it
might be a realistic threat model.
The catch here is that every member has to do log(n) exponentiations.
Konrad
[1]: https://ieeexplore.ieee.org/abstract/document/7163033
- [MLS] Improve FS granularity at a cost Konrad Kohbrok