[MLS] Key Schedule, ProposalOrRef objects, Group splitting attack

Tijana Klimovic <tijana.klimovic97@gmail.com> Tue, 08 June 2021 09:17 UTC

From: Tijana Klimovic <tijana.klimovic97@gmail.com>
Date: Tue, 8 Jun 2021 11:16:53 +0200
Message-ID: <CAHvbzjJ9fXseMG6T+bJj4oVxfa3C5FCb73aPDeR04sfuE=accA@mail.gmail.com>
To: mls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/WxAmfn0Zu0xGiadmSA7U2Uf-M_s>
Subject: [MLS] Key Schedule, ProposalOrRef objects, Group splitting attack


I had a few questions about different parts of the specification.

Firstly, I wanted to ask about the motivation behind the Key Schedule being
what it is, namely a sequence alternating between KDF.Extract and
KDF.Expand. Why couldn't it be just a single KDF.Extract followed by a
single KDF.Expand, to form an actual key derivation function, and then
derive the different keys by providing the appropriate context?

Furthermore, I am not sure why the KDF.Expand is used at all here, since the
length parameter provided is KDF.Nh, which from the specification is
supposed to be: "The value KDF.Nh is the size of an output from
KDF.Extract, in bytes". Therefore, the KDF.Expands used by the scheme don't
really expand the pseudorandom key given by the KDF.Extract to have a
bigger length.

I am not sure why we use a ProposalOrRef type, and why only proposals sent
by the committer are included by value and all others are hashes of the
MLSPlaintext containing proposals sent by members different from the

Lastly, I haven't managed to find where the specification tackles the
problem of the group splitting attack. Namely, if we for example have a
group of 5 clients, the attacker can split the group state into two group
states by making sure that any message (proposal, commit, application)
originating from clients 1, 2, 3 is delivered only to clients 1, 2, 3, and
that similarly any message originating from clients 4, 5 is only delivered
to clients 4, 5.

Many thanks.
Tijana Klimovic
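As an added illustration of the two technical points raised above (the Extract/Expand alternation with KDF.Nh-sized outputs, and what a delivery-service partition does to group state), the following is a small editorial model written for this archive page; it is not code from the MLS draft, from any MLS implementation, or from the author of the message. It implements HKDF-Extract/Expand over SHA-256 and an ExpandWithLabel wrapper whose (length, "mls10 " + label, context) framing follows the shape of the draft's KDFLabel struct; the exact byte layout, the per-purpose labels after "epoch", the GroupContext stand-in strings, and the partition scenario are all constructed assumptions and must be checked against the spec version you implement. The point it makes visible is that each Expand step produces KDF.Nh bytes because its job is to bind a label and context (domain separation) rather than to lengthen the key, while each Extract step mixes new entropy (commit_secret, PSK) into the chain; and that two partitions of the same group, even though each is internally consistent, end up with different epoch secrets, so any value derived from the epoch secret and compared across members exposes the split.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
NH = HASH().digest_size          # KDF.Nh: the size of one Extract output (32 bytes for SHA-256)


def kdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM); the output is always KDF.Nh bytes."""
    return hmac.new(salt or bytes(NH), ikm, HASH).digest()


def kdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) || info || i), concatenated and truncated."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def expand_with_label(secret: bytes, label: str, context: bytes, length: int = NH) -> bytes:
    """ExpandWithLabel: Expand with a framed (length, "mls10 " + label, context) struct as info.
    The framing mirrors the shape of the draft's KDFLabel; the exact byte layout used here is an
    assumption of this example and must be checked against the spec version being implemented."""
    full_label = b"mls10 " + label.encode()
    info = struct.pack(">H", length)
    info += bytes([len(full_label)]) + full_label          # opaque label<7..255>
    info += struct.pack(">I", len(context)) + context      # opaque context<0..2^32-1>
    return kdf_expand(secret, info, length)


def derive_secret(secret: bytes, label: str) -> bytes:
    """DeriveSecret(Secret, Label) = ExpandWithLabel(Secret, Label, "", KDF.Nh)."""
    return expand_with_label(secret, label, b"", NH)


def next_epoch(init_secret: bytes, commit_secret: bytes, group_context: bytes,
               psk_secret: bytes = b"") -> dict:
    """One turn of the schedule: Extract (mix in commit_secret), Expand (bind GroupContext),
    Extract (mix in the PSK, or zeros), Expand (bind GroupContext), then one DeriveSecret per
    purpose. Every intermediate is KDF.Nh bytes; the purpose labels below are illustrative."""
    joiner_secret = expand_with_label(kdf_extract(init_secret, commit_secret), "joiner", group_context)
    member_secret = kdf_extract(joiner_secret, psk_secret or bytes(NH))
    epoch_secret = expand_with_label(member_secret, "epoch", group_context)
    return {
        "joiner_secret": joiner_secret,
        "epoch_secret": epoch_secret,
        "encryption_secret": derive_secret(epoch_secret, "encryption"),
        "confirmation_key": derive_secret(epoch_secret, "confirm"),
        "init_secret": derive_secret(epoch_secret, "init"),   # carried into the next epoch
    }


def simulate_partition() -> dict:
    """Constructed scenario: five members share epoch 0. The delivery service then hands
    commit A only to members 1-3 and commit B only to members 4-5. Each side stays internally
    consistent, but the two sides' epoch secrets diverge; comparing a value derived from the
    epoch secret (here confirmation_key) across members is what makes the split observable.
    In real MLS the GroupContext carries the transcript hash, so it already differs between the
    two sides; the constructed context strings below make that difference explicit."""
    ctx0 = b"group_id=demo|epoch=0"                             # constructed GroupContext stand-in
    epoch0 = next_epoch(bytes(NH), b"commit-secret-0", ctx0)
    commit_a, ctx_a = b"commit-from-member-1", b"group_id=demo|epoch=1|A"
    commit_b, ctx_b = b"commit-from-member-4", b"group_id=demo|epoch=1|B"
    member1 = next_epoch(epoch0["init_secret"], commit_a, ctx_a)   # side A: members 1, 2, 3
    member3 = next_epoch(epoch0["init_secret"], commit_a, ctx_a)
    member4 = next_epoch(epoch0["init_secret"], commit_b, ctx_b)   # side B: members 4, 5
    return {
        "side_a_consistent": member1["confirmation_key"] == member3["confirmation_key"],
        "split_detected": member1["confirmation_key"] != member4["confirmation_key"],
    }


if __name__ == "__main__":
    print(simulate_partition())
```

Running the module prints a dict with both flags set to True: the members that processed the same commit agree on every derived secret, and the two sides of the partition disagree on all of them from the first diverging epoch onward. The `derive_secret` calls show the role of the final Expand steps directly: one epoch secret, several labels, several independent KDF.Nh-byte outputs, with no key lengthening involved.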