Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule
Richard Barnes <rlb@ipv.sx> Tue, 18 August 2020 19:20 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E5FC3A0A74 for <mls@ietfa.amsl.com>; Tue, 18 Aug 2020 12:20:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xj886SPnmM0w for <mls@ietfa.amsl.com>; Tue, 18 Aug 2020 12:20:16 -0700 (PDT)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FB4A3A0A73 for <mls@ietf.org>; Tue, 18 Aug 2020 12:20:16 -0700 (PDT)
Received: by mail-qk1-x730.google.com with SMTP id 62so19356109qkj.7 for <mls@ietf.org>; Tue, 18 Aug 2020 12:20:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bXOD5teVqO0FklLapSZ+3YfuugqNYcopqfvWgQCHl1E=; b=09VTvinkFaKK6Q6eICS9VMSy68Hp4SE6THwh1PIA5q4xyra22xFlZEsdAIov8TkIcb x2CceB8HNEKXvM1ZuwZB4YXx4EGrHXFQnftM5azV4tNTqJlo8y5yWpnChbH3JCp8E+1c QcVSRY/H04nn0Oxziq5Rsoz3tJPFLjxcdlifLydNtd+/uxw4gDuIV6sL67TcqLhBAhk1 +SSnmtEfBx8BKqonmNUbvMZNbtT2Z568kihcLO1LFpo02iwoFM1wZh0n7ICsE5U5e4j4 soIclN5nzxS3miHoHu0+9RzoSct15TWdfjzSowGyNUtOYuLQ7iTc51Z1p18+B7P3DARu lPNw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bXOD5teVqO0FklLapSZ+3YfuugqNYcopqfvWgQCHl1E=; b=DZ6hPVh8lGS6QOWjESxnlFMjiPWCyb7UVV3n/9tR9iaAV1wwmETe9tK7y2t2+e1Wve w0UpEAVx7U3zDVKJpajBsdK79EXoUXC8tz6RNjvs3jla579C8oVV6aigE3TJXa1T5kuw Q7N8th8NpjOTWOj+zB8jedXh94Ws+dh6Vo0wtGU4Z7+F77jceHk2mLqZyPvoaFOu85xI 0dXAYHHodIac1iK0pALvanvcB4vz2VzikIhJAOqMOXV1x/ZQyIn/4ZL0yiyrCCDT7FBZ CSuR1mHgTnvsehtAqeebeDxKouQXkmZ5qOPUS0gby58FzlKiUIlfUbkCI8+8msUizAvh 6Cog==
X-Gm-Message-State: AOAM530IUGrZEhxm8wKUJEKijQYIUgcvMVbeo8+fQPsWd+wnd2PDkNDZ KebkDjxdrmVQss2fi2iNl8khkz/UmUd4maMDFuLlIQ==
X-Google-Smtp-Source: ABdhPJxds/oVM9V66WDOcM/s+JLxsOgAOj0ylxmJ/RHaJjDYoA2SNV2/3hlMt7vEHLDOKqQBiYWLGaSlOOODZsWYuyc=
X-Received: by 2002:a05:620a:132c:: with SMTP id p12mr18355194qkj.159.1597778415217; Tue, 18 Aug 2020 12:20:15 -0700 (PDT)
MIME-Version: 1.0
References: <7d7283b6-8c70-d045-81c2-f552219869ad@wickr.com> <CABP-pSSBcf_BUXPp=uxWMpBviBday8-utGzo=ksPG4Ei=_x3ag@mail.gmail.com> <7abf555f-a266-f62f-2a22-8b0f389304d5@wickr.com> <CABP-pSSzZnqaB95RreekLJ2Fx_HZP4X4CuL0RU6_wRqNEVO+3w@mail.gmail.com> <CANYP602_ixw_tCg9iBswd6PP6fn=-ndt7=U3w+k9ArVP8MU+Kg@mail.gmail.com>
In-Reply-To: <CANYP602_ixw_tCg9iBswd6PP6fn=-ndt7=U3w+k9ArVP8MU+Kg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 18 Aug 2020 15:19:54 -0400
Message-ID: <CAL02cgRfeYRghHE8AK-sgZ4MjWa+nOktRgK+wrTOZdqDVhzgNQ@mail.gmail.com>
To: Joel Alwen <jalwen@wickr.com>
Cc: Brendan McMillion <brendan@cloudflare.com>, Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000de83f805ad2bc6be"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/XZAcyPn7ZDZQYeXzQxDvfP49IpI>
Subject: Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2020 19:20:19 -0000
I'm not really grokking the PCS sig scheme, but it seems like it's (a) not general to all signature schemes, and (b) complicated enough I would want review from CFRG. Both of which seem like deal breakers for being a requirement here. Much like SIV, it would be nice if we could support it as an option, but I wouldn't want to require it. On Tue, Aug 18, 2020 at 2:26 PM Joel Alwen <jalwen@wickr.com> wrote: > Chaining key pairs builds a PCS sig scheme from a standard one. (No FS > needed.) > > PCS sigs could be helpful as a complementary mechanism for getting yet > more PCS auth. If so it seems worth it to think if we cant get a more > efficient construction of PCS sigs. > > Regardless, proving to receivers that the author of a message knows the > current group key schedule still seems prudent to me. > > - Joël. > > On Tue, 18 Aug 2020, 19:37 Brendan McMillion, <brendan@cloudflare.com> > wrote: > >> I actually describe in the thread I linked how to take a standard FS >> signature and turn it into a PCS signature. While it's baked into the >> primitive, essentially what's happening is that every time Alice sends an >> Update, she generates a new signing key and certifies it with her old >> signing key before discarding the old signing key. So if Alice's Update is >> accepted by the group, anyone who compromised the old signing key can't >> sign new messages because they don't have the private key of the *new* >> signing key. >> >> On Tue, Aug 18, 2020 at 9:55 AM Joel Alwen <jalwen@wickr.com> wrote: >> >>> > My objection to this is that Alice can still be impersonated by >>> members in the group, if we only have symmetric forward-secure >>> authentication. >>> >>> I'm missing how FS sigs (or any other FS auth primitive) helps. My >>> understanding >>> is FS auth primitives prevent leaked keys from being used to authenticate >>> messages in *past* time periods. But the attack involves signing >>> messages for >>> time periods (epochs) after the leak occurred not before the leak. >>> Imagine we >>> could deterministically ratchet sig key pairs forward much like we can >>> MAC keys. >>> We'd have an FS sig scheme but I dont see how this fixes the problem. >>> >>> Which is not to say that FS sigs dont solve an auth problem for MLS. >>> Just, >>> AFAIK, not this one. (Rather they help prevent forgeries in bygone >>> epochs.) >>> >>> What I do agree with is that other group members (that know Alice's sig >>> key) can >>> still impersonate her in future epochs till she updates the key. The >>> same is >>> true when sending MLSCiphertexts. >>> >>> Unfortunately, for epochs between when Alice's state is leaked and when >>> Alice >>> finally updates her (authentication specific) asymmetric key material I >>> see no >>> way around this. It seems inherent to the adversarial model since other >>> group >>> member know and can do everything Alice can during those epochs. >>> >>> One thing we could look at are PCS signatures. Something like the >>> Updateable PKE >>> scheme in the RTreeKEM work. Namely every time you sign you also >>> re-randomize >>> your signing key (or simply sample new ones). That way leaking your old >>> key >>> doesnt let me sign under your re-randomized new key just like in UPKE >>> leaking >>> your old decryption key doesnt let me read ciphertexts encrypted to your >>> re-randomized new key. Make sense? >>> >>> >>> - Joël >>> >>> >>> On 18/08/2020 18:34, Brendan McMillion wrote: >>> > So to that end, how >>> > about we modify MLS such that MLSPlaintext packets coming from >>> group members >>> > must also be authenticated using something from the application >>> key schedule. >>> > >>> > >>> > My objection to this is that Alice can still be impersonated by >>> members in the >>> > group, if we only have symmetric forward-secure authentication. >>> > >>> > There's been some discussion in the past about using forward-secure >>> signatures >>> > that might be worth looking into instead, which would fully address >>> this attack >>> > vector: >>> https://mailarchive.ietf.org/arch/msg/mls/o3fmIul_4s6STmnqmz514cjADpw/ >>> > >>> > >>> > On Tue, Aug 18, 2020 at 7:36 AM Joel Alwen <jalwen@wickr.com >>> > <mailto:jalwen@wickr.com>> wrote: >>> > >>> > Hey everyone, >>> > >>> > Something thats been bugging Marta Mularczyk and Daniel Jost and >>> me for a bit >>> > now is that handshake messages sent out as MLSPlaintext packets >>> are only >>> > authenticated using signatures, but not using the group's key >>> schedule. For >>> > non-members that makes sense but for group members that's weaker >>> than need be. >>> > >>> > Suppose Alice is in a group using signing key pair (spk, ssk). I >>> corrupt her to >>> > learn ssk. Now I loose access to her device again. Later she >>> generates a fresh >>> > key package with her same spk but a new HPKE key for her leaf. She >>> sends out and >>> > update proposal for her new key package and someone commits to the >>> update. >>> > >>> > Expected result: she (and the group at large) has achieved PCS >>> again. >>> > >>> > Actual result: using her stolen ssk I can still forge a new >>> proposal's (sent as >>> > MLSPlaintext packets) coming from Alice. Some things I could do >>> with this power: >>> > - I can generate a new key package kp for Alice using her spk and >>> some HPKE key >>> > she doesn't know. Then I forge an update proposal for Alice with >>> kp. If it gets >>> > committed I've effectively kicked her out of the group. >>> > - I could forge Add's and Remove's coming from Alice, so I could >>> trick the >>> > group into thinking Alice is trying to Add my account to the group >>> or remove >>> > some other group member. >>> > >>> > Lemme know if I've missed something here in that scenario... >>> > >>> > >>> > If I didn't miss anything and the attacks really work as >>> advertised then IMO >>> > this is kinda weak sauce and worth avoiding if possible. So to >>> that end, how >>> > about we modify MLS such that MLSPlaintext packets coming from >>> group members >>> > must also be authenticated using something from the application >>> key schedule. >>> > Now the above attacks fail. As soon as Alice's update is gets >>> committed I no >>> > longer know the group's key schedule and so can't forged packet >>> from Alice. More >>> > generally, this brings the PCS guarantees when using MLSPlaintexts >>> frameing in >>> > line with what we're getting from MLSCiphertext packets. >>> > >>> > Any thoughts? >>> > >>> > - Joël >>> > >>> > >>> > >>> > PS. For concreteness, we could probably extend the current >>> mechanism for getting >>> > concistancy (the confirmation_tag) to also provide symmetric key >>> authentication. >>> > E.g. include most of the MLSPlaintext content into whats being >>> tagged by >>> > confirmation_tag. That would cover the case of a commit packet and >>> doesn't even >>> > grow the size of MLSPlaintext packets over the current design. >>> > >>> > For a proposal packet we could also have a confirmation_tag but >>> this one is >>> > computed using the *current* epoch's confirmation_key and >>> > confirmed_transcript_hash. >>> > >>> > _______________________________________________ >>> > MLS mailing list >>> > MLS@ietf.org <mailto:MLS@ietf.org> >>> > https://www.ietf.org/mailman/listinfo/mls >>> > >>> >> _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] MLSPlaintext packets aren't authenticated u… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Raphael Robert
- Re: [MLS] MLSPlaintext packets aren't authenticat… Hale, Britta (CIV)
- Re: [MLS] MLSPlaintext packets aren't authenticat… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Richard Barnes
- Re: [MLS] MLSPlaintext packets aren't authenticat… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Raphael Robert
- Re: [MLS] MLSPlaintext packets aren't authenticat… Brendan McMillion
- Re: [MLS] MLSPlaintext packets aren't authenticat… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Richard Barnes
- Re: [MLS] MLSPlaintext packets aren't authenticat… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Brendan McMillion
- Re: [MLS] MLSPlaintext packets aren't authenticat… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Richard Barnes
- Re: [MLS] MLSPlaintext packets aren't authenticat… Richard Barnes
- Re: [MLS] MLSPlaintext packets aren't authenticat… Richard Barnes
- Re: [MLS] MLSPlaintext packets aren't authenticat… Brendan McMillion
- Re: [MLS] MLSPlaintext packets aren't authenticat… Hale, Britta (CIV)
- Re: [MLS] MLSPlaintext packets aren't authenticat… Raphael Robert
- Re: [MLS] MLSPlaintext packets aren't authenticat… Cornelissen Eric
- Re: [MLS] MLSPlaintext packets aren't authenticat… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Richard Barnes
- Re: [MLS] MLSPlaintext packets aren't authenticat… Cornelissen Eric
- Re: [MLS] MLSPlaintext packets aren't authenticat… Raphael Robert
- Re: [MLS] MLSPlaintext packets aren't authenticat… Richard Barnes