IETF Logo Mail Archive

Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule

Richard Barnes <rlb@ipv.sx> Tue, 18 August 2020 19:20 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E5FC3A0A74 for <mls@ietfa.amsl.com>; Tue, 18 Aug 2020 12:20:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xj886SPnmM0w for <mls@ietfa.amsl.com>; Tue, 18 Aug 2020 12:20:16 -0700 (PDT)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FB4A3A0A73 for <mls@ietf.org>; Tue, 18 Aug 2020 12:20:16 -0700 (PDT)
Received: by mail-qk1-x730.google.com with SMTP id 62so19356109qkj.7 for <mls@ietf.org>; Tue, 18 Aug 2020 12:20:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bXOD5teVqO0FklLapSZ+3YfuugqNYcopqfvWgQCHl1E=; b=09VTvinkFaKK6Q6eICS9VMSy68Hp4SE6THwh1PIA5q4xyra22xFlZEsdAIov8TkIcb x2CceB8HNEKXvM1ZuwZB4YXx4EGrHXFQnftM5azV4tNTqJlo8y5yWpnChbH3JCp8E+1c QcVSRY/H04nn0Oxziq5Rsoz3tJPFLjxcdlifLydNtd+/uxw4gDuIV6sL67TcqLhBAhk1 +SSnmtEfBx8BKqonmNUbvMZNbtT2Z568kihcLO1LFpo02iwoFM1wZh0n7ICsE5U5e4j4 soIclN5nzxS3miHoHu0+9RzoSct15TWdfjzSowGyNUtOYuLQ7iTc51Z1p18+B7P3DARu lPNw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bXOD5teVqO0FklLapSZ+3YfuugqNYcopqfvWgQCHl1E=; b=DZ6hPVh8lGS6QOWjESxnlFMjiPWCyb7UVV3n/9tR9iaAV1wwmETe9tK7y2t2+e1Wve w0UpEAVx7U3zDVKJpajBsdK79EXoUXC8tz6RNjvs3jla579C8oVV6aigE3TJXa1T5kuw Q7N8th8NpjOTWOj+zB8jedXh94Ws+dh6Vo0wtGU4Z7+F77jceHk2mLqZyPvoaFOu85xI 0dXAYHHodIac1iK0pALvanvcB4vz2VzikIhJAOqMOXV1x/ZQyIn/4ZL0yiyrCCDT7FBZ CSuR1mHgTnvsehtAqeebeDxKouQXkmZ5qOPUS0gby58FzlKiUIlfUbkCI8+8msUizAvh 6Cog==
X-Gm-Message-State: AOAM530IUGrZEhxm8wKUJEKijQYIUgcvMVbeo8+fQPsWd+wnd2PDkNDZ KebkDjxdrmVQss2fi2iNl8khkz/UmUd4maMDFuLlIQ==
X-Google-Smtp-Source: ABdhPJxds/oVM9V66WDOcM/s+JLxsOgAOj0ylxmJ/RHaJjDYoA2SNV2/3hlMt7vEHLDOKqQBiYWLGaSlOOODZsWYuyc=
X-Received: by 2002:a05:620a:132c:: with SMTP id p12mr18355194qkj.159.1597778415217; Tue, 18 Aug 2020 12:20:15 -0700 (PDT)
MIME-Version: 1.0
References: <7d7283b6-8c70-d045-81c2-f552219869ad@wickr.com> <CABP-pSSBcf_BUXPp=uxWMpBviBday8-utGzo=ksPG4Ei=_x3ag@mail.gmail.com> <7abf555f-a266-f62f-2a22-8b0f389304d5@wickr.com> <CABP-pSSzZnqaB95RreekLJ2Fx_HZP4X4CuL0RU6_wRqNEVO+3w@mail.gmail.com> <CANYP602_ixw_tCg9iBswd6PP6fn=-ndt7=U3w+k9ArVP8MU+Kg@mail.gmail.com>
In-Reply-To: <CANYP602_ixw_tCg9iBswd6PP6fn=-ndt7=U3w+k9ArVP8MU+Kg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 18 Aug 2020 15:19:54 -0400
Message-ID: <CAL02cgRfeYRghHE8AK-sgZ4MjWa+nOktRgK+wrTOZdqDVhzgNQ@mail.gmail.com>
To: Joel Alwen <jalwen@wickr.com>
Cc: Brendan McMillion <brendan@cloudflare.com>, Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000de83f805ad2bc6be"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/XZAcyPn7ZDZQYeXzQxDvfP49IpI>
Subject: Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2020 19:20:19 -0000

I'm not really grokking the PCS sig scheme, but it seems like it's (a) not
general to all signature schemes, and (b) complicated enough I would want
review from CFRG.  Both of which seem like deal breakers for being a
requirement here.

Much like SIV, it would be nice if we could support it as an option, but I
wouldn't want to require it.

On Tue, Aug 18, 2020 at 2:26 PM Joel Alwen <jalwen@wickr.com> wrote:

> Chaining key pairs builds a PCS sig scheme from a standard one. (No FS
> needed.)
>
> PCS sigs could be helpful as a complementary mechanism for getting yet
> more PCS auth. If so it seems worth it to think if we cant get a more
> efficient construction of PCS sigs.
>
> Regardless, proving to receivers that the author of a message knows the
> current group key schedule still seems prudent to me.
>
> - Joël.
>
> On Tue, 18 Aug 2020, 19:37 Brendan McMillion, <brendan@cloudflare.com>
> wrote:
>
>> I actually describe in the thread I linked how to take a standard FS
>> signature and turn it into a PCS signature. While it's baked into the
>> primitive, essentially what's happening is that every time Alice sends an
>> Update, she generates a new signing key and certifies it with her old
>> signing key before discarding the old signing key. So if Alice's Update is
>> accepted by the group, anyone who compromised the old signing key can't
>> sign new messages because they don't have the private key of the *new*
>> signing key.
>>
>> On Tue, Aug 18, 2020 at 9:55 AM Joel Alwen <jalwen@wickr.com> wrote:
>>
>>> > My objection to this is that Alice can still be impersonated by
>>> members in the group, if we only have symmetric forward-secure
>>> authentication.
>>>
>>> I'm missing how FS sigs (or any other FS auth primitive) helps. My
>>> understanding
>>> is FS auth primitives prevent leaked keys from being used to authenticate
>>> messages in *past* time periods. But the attack involves signing
>>> messages for
>>> time periods (epochs) after the leak occurred not before the leak.
>>> Imagine we
>>> could deterministically ratchet sig key pairs forward much like we can
>>> MAC keys.
>>> We'd have an FS sig scheme but I dont see how this fixes the problem.
>>>
>>> Which is not to say that FS sigs dont solve an auth problem for MLS.
>>> Just,
>>> AFAIK, not this one. (Rather they help prevent forgeries in bygone
>>> epochs.)
>>>
>>> What I do agree with is that other group members (that know Alice's sig
>>> key) can
>>> still impersonate her in future epochs till she updates the key. The
>>> same is
>>> true when sending MLSCiphertexts.
>>>
>>> Unfortunately, for epochs between when Alice's state is leaked and when
>>> Alice
>>> finally updates her (authentication specific) asymmetric key material I
>>> see no
>>> way around this. It seems inherent to the adversarial model since other
>>> group
>>> member know and can do everything Alice can during those epochs.
>>>
>>> One thing we could look at are PCS signatures. Something like the
>>> Updateable PKE
>>> scheme in the RTreeKEM work. Namely every time you sign you also
>>> re-randomize
>>> your signing key (or simply sample new ones). That way leaking your old
>>> key
>>> doesnt let me sign under your re-randomized new key just like in UPKE
>>> leaking
>>> your old decryption key doesnt let me read ciphertexts encrypted to your
>>> re-randomized new key. Make sense?
>>>
>>>
>>> - Joël
>>>
>>>
>>> On 18/08/2020 18:34, Brendan McMillion wrote:
>>> >     So to that end, how
>>> >     about we modify MLS such that MLSPlaintext packets coming from
>>> group members
>>> >     must also be authenticated using something from the application
>>> key schedule.
>>> >
>>> >
>>> > My objection to this is that Alice can still be impersonated by
>>> members in the
>>> > group, if we only have symmetric forward-secure authentication.
>>> >
>>> > There's been some discussion in the past about using forward-secure
>>> signatures
>>> > that might be worth looking into instead, which would fully address
>>> this attack
>>> > vector:
>>> https://mailarchive.ietf.org/arch/msg/mls/o3fmIul_4s6STmnqmz514cjADpw/
>>> >
>>> >
>>> > On Tue, Aug 18, 2020 at 7:36 AM Joel Alwen <jalwen@wickr.com
>>> > <mailto:jalwen@wickr.com>> wrote:
>>> >
>>> >     Hey everyone,
>>> >
>>> >     Something thats been bugging Marta Mularczyk and Daniel Jost and
>>> me for a bit
>>> >     now is that handshake messages sent out as MLSPlaintext packets
>>> are only
>>> >     authenticated using signatures, but not using the group's key
>>> schedule. For
>>> >     non-members that makes sense but for group members that's weaker
>>> than need be.
>>> >
>>> >     Suppose Alice is in a group using signing key pair (spk, ssk). I
>>> corrupt her to
>>> >     learn ssk. Now I loose access to her device again. Later she
>>> generates a fresh
>>> >     key package with her same spk but a new HPKE key for her leaf. She
>>> sends out and
>>> >     update proposal for her new key package and someone commits to the
>>> update.
>>> >
>>> >     Expected result: she (and the group at large) has achieved PCS
>>> again.
>>> >
>>> >     Actual result: using her stolen ssk I can still forge a new
>>> proposal's (sent as
>>> >     MLSPlaintext packets) coming from Alice. Some things I could do
>>> with this power:
>>> >      - I can generate a new key package kp for Alice using her spk and
>>> some HPKE key
>>> >     she doesn't know. Then I forge an update proposal for Alice with
>>> kp. If it gets
>>> >     committed I've effectively kicked her out of the group.
>>> >      - I could forge Add's and Remove's coming from Alice, so I could
>>> trick the
>>> >     group into thinking Alice is trying to Add my account to the group
>>> or remove
>>> >     some other group member.
>>> >
>>> >     Lemme know if I've missed something here in that scenario...
>>> >
>>> >
>>> >     If I didn't miss anything and the attacks really work as
>>> advertised then IMO
>>> >     this is kinda weak sauce and worth avoiding if possible. So to
>>> that end, how
>>> >     about we modify MLS such that MLSPlaintext packets coming from
>>> group members
>>> >     must also be authenticated using something from the application
>>> key schedule.
>>> >     Now the above attacks fail. As soon as Alice's update is gets
>>> committed I no
>>> >     longer know the group's key schedule and so can't forged packet
>>> from Alice. More
>>> >     generally, this brings the PCS guarantees when using MLSPlaintexts
>>> frameing in
>>> >     line with what we're getting from MLSCiphertext packets.
>>> >
>>> >     Any thoughts?
>>> >
>>> >     - Joël
>>> >
>>> >
>>> >
>>> >     PS. For concreteness, we could probably extend the current
>>> mechanism for getting
>>> >     concistancy (the confirmation_tag) to also provide symmetric key
>>> authentication.
>>> >     E.g. include most of the MLSPlaintext content into whats being
>>> tagged by
>>> >     confirmation_tag. That would cover the case of a commit packet and
>>> doesn't even
>>> >     grow the size of MLSPlaintext packets over the current design.
>>> >
>>> >     For a proposal packet we could also have a confirmation_tag but
>>> this one is
>>> >     computed using the *current* epoch's confirmation_key and
>>> >     confirmed_transcript_hash.
>>> >
>>> >     _______________________________________________
>>> >     MLS mailing list
>>> >     MLS@ietf.org <mailto:MLS@ietf.org>
>>> >     https://www.ietf.org/mailman/listinfo/mls
>>> >
>>>
>> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>

v2.23.0 | Report a Bug | By Email