IETF Logo Mail Archive

Re: [MLS] PSK Injection, Group recovery, Re-Init, Sub-group Branching (#336)

"Hale, Britta (CIV)" <britta.hale@nps.edu> Thu, 18 June 2020 01:07 UTC

Return-Path: <britta.hale@nps.edu>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3B433A094E for <mls@ietfa.amsl.com>; Wed, 17 Jun 2020 18:07:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PA8ykFTvC5ej for <mls@ietfa.amsl.com>; Wed, 17 Jun 2020 18:07:39 -0700 (PDT)
Received: from mule.nps.edu (mule.nps.edu [205.155.65.106]) by ietfa.amsl.com (Postfix) with ESMTP id CF3C03A094A for <mls@ietf.org>; Wed, 17 Jun 2020 18:07:39 -0700 (PDT)
X-ASG-Debug-ID: 1592442457-0e394572da17f80001-bGA3T6
Received: from mail.nps.edu (skywalker.ern.nps.edu [172.20.4.117]) by mule.nps.edu with ESMTP id Q7jFIISHUVx10yzV; Wed, 17 Jun 2020 18:07:37 -0700 (PDT)
X-Barracuda-Envelope-From: britta.hale@nps.edu
Received: from skywalker.ern.nps.edu (172.20.4.117) by skywalker.ern.nps.edu (172.20.4.117) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1531.3; Wed, 17 Jun 2020 18:07:37 -0700
Received: from NAM04-SN1-obe.outbound.protection.outlook.com (104.47.44.51) by skywalker.ern.nps.edu (172.20.4.117) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1531.3 via Frontend Transport; Wed, 17 Jun 2020 18:07:37 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AgOEZ8gdx5SurMNK3XOkCer7RzypmIGYkYtUhUYcGi1Gz1zpyExqypfMJCs57kZET1ZS8sflp7g9wDJY38y6hNwsTJJyy9vx/qRD6bLITYMBcq/1NikHulot/4l4lWVoQIvPB4HRr/lpFmD+GuOXTR24L4ih4r2/kdrXD4jykpk9qirrt1t2s4E6Jis91LmhcDPlGii/l1jlGdnCSI/XWsd+B3bHbKtZItkB8lkGkAr7gAkixl9cNcz2QXR/wvhGafiOzicbmTgHy6QcXnas/+B7E7l7s7pPV14UxeLvL5E7g3z5f7mQ9ihANifbmymyP0mbd1OZ2hPkdVeLgoH3xQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+znb1D5giYQbspNKRdYvTygCRM6B6Qwtr1+d3oT8vxk=; b=FB8EtRhpAKXWTr2ddtBBFjmS7A+UHlNWkNRxIjYby+8w7yh23nS9XbXhAcOd5fEEq1ATCibtPddIAtGca65p6UsZhZladszbQFfx9nlltFAeAihX/JMMZij1DPXKC4FUvd9nnF8YJxMUq+FXu/Z7A+g7CoGEBYSNXavH3g6OkM58Dm5VqJ6ygrfEm6bdLtxRU90QZXnuyxvZkFfqXmrW/vKHNwxvt1TDuXyicptVb2PTzreL1fypF0tXmiryBsD5OYE6bX3KAz41sJiDehpkKmRsGu8WIzHRhu85H1vjdqxBfdXiIPQwirPtUV9kBgS2Ym2QUCM2cC8jV8mxOqJWlA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nps.edu; dmarc=pass action=none header.from=nps.edu; dkim=pass header.d=nps.edu; arc=none
Received: from BY5PR13MB3013.namprd13.prod.outlook.com (2603:10b6:a03:185::31) by BYAPR13MB2470.namprd13.prod.outlook.com (2603:10b6:a02:bd::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3109.15; Thu, 18 Jun 2020 01:07:36 +0000
Received: from BY5PR13MB3013.namprd13.prod.outlook.com ([fe80::cc82:a6a7:32b1:be38]) by BY5PR13MB3013.namprd13.prod.outlook.com ([fe80::cc82:a6a7:32b1:be38%6]) with mapi id 15.20.3131.009; Thu, 18 Jun 2020 01:07:36 +0000
X-Barracuda-Effective-Source-IP: UNKNOWN[2603:10b6:a02:bd::18]
X-Barracuda-Apparent-Source-IP: 2603:10b6:a02:bd::18
From: "Hale, Britta (CIV)" <britta.hale@nps.edu>
To: Richard Barnes <rlb@ipv.sx>, Messaging Layer Security WG <mls@ietf.org>
Thread-Topic: [MLS] PSK Injection, Group recovery, Re-Init, Sub-group Branching (#336)
X-ASG-Orig-Subj: Re: [MLS] PSK Injection, Group recovery, Re-Init, Sub-group Branching (#336)
Thread-Index: AQHWRPpKgd3HuS0F70KUZ1R3ixejz6jdGmaA
Date: Thu, 18 Jun 2020 01:07:35 +0000
Message-ID: <BFD5B4F7-3617-41AD-811F-C6C49A803983@nps.edu>
References: <CAL02cgTxm+OMRHvXk_34MAxk5bgit_kpkW81wigGPZriKFtebw@mail.gmail.com>
In-Reply-To: <CAL02cgTxm+OMRHvXk_34MAxk5bgit_kpkW81wigGPZriKFtebw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.16.200509
authentication-results: ipv.sx; dkim=none (message not signed) header.d=none;ipv.sx; dmarc=none action=none header.from=nps.edu;
x-originating-ip: [2601:647:cb00:2941:f5f3:50f0:7080:5702]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9b623d86-97bc-4d32-9bb5-08d81323fcf7
x-ms-traffictypediagnostic: BYAPR13MB2470:
x-microsoft-antispam-prvs: <BYAPR13MB247087907F4F86F19C9C7682FB9B0@BYAPR13MB2470.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0438F90F17
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Nqm85Z0FcsUpg9/H6bcjFUMI2iG5dW9rUaKCWozFx7bgUYkm0TNRPp4DlGOfUfDoyFX1LWGeO18lGn+HlnfnHAl6BOllUoPP1IGzvmWucT+kaZwxF1AP3IwqPFENUDaNq9dMQvFzeBCLMHUs3NK7t58DZnqHyiXMymhyHCSaeCFgbcVt2iva/eBxfq/UpVv6u3xlLMP+Mu0YPf5JlWrR5oNDdNcpOOA+lr8/Df9XxjJMzoVRsL9hw9uqEbxupPM02PVzSXVkcCDRPDqj5qL0b7uKJDRMPssQtccDsoTg6DhC7fpapNwEllG+cAaFgISRai7D9GLDlM6rHycbD5kZiR9Sul1nuB+c4JaTBPj81FljW+vznm5OfqZiQrEjnm3T
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR13MB3013.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(366004)(39850400004)(136003)(376002)(346002)(75432002)(83380400001)(5660300002)(33656002)(2906002)(8936002)(6512007)(2616005)(76116006)(66556008)(86362001)(64756008)(66446008)(71200400001)(53546011)(186003)(9326002)(110136005)(316002)(36756003)(478600001)(66946007)(786003)(66476007)(6506007)(6486002)(8676002)(21314003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: Hvl3l5Ix1yEw0xGXkHb0VK/3280idvk21kpV7HVS37+E4vwkHYHPqYeItp8EFS7OOfGgTdG4kUuNdmU+7saq7NqrZpyD/xZ+lWedPiA23116T1m93dlrDCdkkxuuNQ2F0bcVdK8z7KHuJOLXB/5kaN0GXciDYtpq/9XhT3lKXM/6uR5ZhwXdWY+5jIdrST8TyoVPYUdU4ln4z8mus84dEWSRXtkZipetIIj7P4hNXk1JI3MWyocEb9AGEmcKvoucez1pbZQi+GcN6G2ajsZYY6BxCce08UpQkFIgPq9ka7M5gLoq7EaZnJgzyWStPAE4sGDJgdnHu1KHFbGxvteS+0F4vNJUelw/BFHBYnI+QpfjRVINXA9UumllCcMMfjVTuO34wa9OOkdtHQyh7HwXs+un21uFvroCjxO8p/xqBpsTlkNdtRpv2TpGW6l/w4WRNJgux1x36ymkVNEcQQVUsbd7q7Tq/UnxAuZs8p/6h7akxADB98cp9hgHdVpyLXexFF1Zi7mUyMCHpGEscFLyXYGyjTLi5wLtj/s3e3pVXefKtM8kFHUTqyZ5upJIqzgX
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BFD5B4F7361741AD811FC6C49A803983npsedu_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 9b623d86-97bc-4d32-9bb5-08d81323fcf7
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Jun 2020 01:07:35.9595 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6d936231-a517-40ea-9199-f7578963378e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: C9xinP355bbw5I42NcbbPMzxS9fgj55VFUCoLgRqkjgCi3NaU3j2Vip20PNIlLIySSjApfUz6sbD+BwO4LwNYQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR13MB2470
X-OriginatorOrg: nps.edu
X-Barracuda-Connect: skywalker.ern.nps.edu[172.20.4.117]
X-Barracuda-Start-Time: 1592442457
X-Barracuda-URL: https://205.155.65.106:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at nps.edu
X-Barracuda-Scan-Msg-Size: 17105
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests=HTML_MESSAGE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.82626 Rule breakdown below pts rule name description ---- ---------------------- -------------------------------------------------- 0.00 HTML_MESSAGE BODY: HTML included in message
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/YAVp0FG1oP1QAP8ClmWeouUL1Bg>
Subject: Re: [MLS] PSK Injection, Group recovery, Re-Init, Sub-group Branching (#336)
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jun 2020 01:07:42 -0000

Hi Richard,

Thank you for the comments and careful read of the PR.

For #1/#2: I am amicable to the idea of adding an extension field to the commit message. As a general comment, we may want to consider if there are other types of commit extensions worth adding or, alternatively, how the field may be abused (e.g. treated as AD by an application).
It terms of objection to the current form though, your argument is not clear. PSKIds should uniquely identify PSKs, and a joiner (or anyone) should be able to identify the correct PSK given the PSKId, if they are in possession of it. PSKs must only be used in an Add if the joiner is a past group member (line 2055) and therefore has the correct PSKId/group_id/psk_epoch, although this is nullified if we make the change discussed in #4. In that case, the issue for Adds goes away.
The PR already allows for a PSK in the Welcome message.

For #3: Currently, in the PR, there is a recovery_secret derived per-epoch. When a member wants to re-initialize, they issue a Re-Init proposal. They may then re-initialize the group by sending a Welcome message (see lines 1923, 1948, and 2349) with the PSKId for the parent group/epoch and a psktype that indicates that they are re-initializing the group with the stated PSKId. So this seems to already be what you describe below as “have the initiator of the child send a Welcome that has a pointer back to the parent”. However, you are right that more detail can be added; in particular a requirement should be added to terminate the parent group and that the terminating member/re-init proposer must also create the new group.

For #4: There was a discussion at the first virtual interim in late April (Interim #11-2020) wherein some expressed a desire for this feature. Namely, instead of re-syncing the entire group, there were use cases for re-syncing the odd member when necessary. Its inclusion in the PR arises from that later request. I am favorable to removing it since, from security standpoint, it is not ideal. However, the motivation for this was pushed from the implementation standpoint. Consequently, now is a good time for anyone to speak up who wants to push for this.


One item: you made point of specifically requesting – a few times – at the virtual interims #11 and #12 in April/May that this PSK PR and as many other key schedule-related PRs be combined into a single one. Raphael made a similar request under git issue #325. In fact, the authors of this PR had pushed back on that insistence to limit the current PR down to the items it currently covers, instead of merging in other key schedule changes as well. Are you saying that you have changed your mind?
We can, of course, accommodate a revised preference if needed.


Britta



From: MLS <mls-bounces@ietf.org> on behalf of Richard Barnes <rlb@ipv.sx>
Date: Wednesday, June 17, 2020 at 3:54 PM
To: Messaging Layer Security WG <mls@ietf.org>
Subject: [MLS] PSK Injection, Group recovery, Re-Init, Sub-group Branching (#336)

Hey all,

Sorry for the late review on this PR, I have finally gotten a chance to really dig into it, and ... I have some concerns.  My current thinking is consistent with my earlier comments that the general thrust of this PR is OK.  But I think the actual approach needs to change a fair bit.

As its title implies, this PR is trying to do several things at once, which seem to me to be fairly separable:

0. Update the key schedule so that PSKs are injected at the right point and multiple PSKs are supported
1. Signal that a PSK should get injected into a given epoch
2. Request injection of PSK at join / in Welcome
3. Re-initialize the group with different parameters
4. Re-sync group members that have lost state

For the most part, I think these are worthwhile goals, but they should be accomplished in different ways than the PR proposes.  Detailed thoughts by objective:


# 0. Update the key schedule so that PSKs are injected at the right point and multiple PSKs are supported

This part of the PR is fine, but I think is ultimately done a bit more elegantly with the n-PRF stuff in #337.


# 1. Signal that a PSK should get injected into a given epoch
# 2. Request injection of PSK at join / in Welcome

(These go together)

The PR proposes (heh) an EPSK proposal or an Add proposal, but then requires that only one EPSK be used.  I actually don't the proposal for including PSKs in Adds actually works.  The joiner would have to know all of them plus the EPSK, and there's not even any syntax in the PR to tell the joiner which ones to include.

I would propose that instead we add an extensions field to the Commit message, then add a Commit extension that specifies the PSK ID for the PSK to be added.  That extension can then also go in the Welcome message corresponding to the commit, so that joiners know to add the PSK.

This change actually doesn't make a difference in terms of what ends up in the transcript -- either way, only the PSK ID selected by the committer goes in the transcript.  It seems better not to deliberately have proposals floating around that never get included in the transcript.


# 3. Re-initialize the group with different parameters

The PR proposes another proposal type for reinitialization, but it's really under-specified what you do to re-init.  For example, what goes in the ratchet tree?  Clearly you need a brand new tree, since the one you have might be tied to the wrong ciphersuite.  What you really need is something like a Welcome message.

And that's how I think we should actually arrange things.  Instead of having the parent group do something to spawn, have the initiator of the child send a Welcome that has a pointer back to the parent.  So we have another Welcome extension (`parent_group`, say) that has a pointer to the parent group by group ID and epoch, and instructs the joiner to take a secret from that group/epoch's key schedule and add it into the new group's key schedule.



# 4. Re-sync group members that have lost state

We should not do these.  At the January interim, we decided not to drop the resync issue (#93) given that there were some subtleties depending on exactly what state had been lost, and that it could be cleanly done in a separate spec.


# Conclusions

Given the above, I would propose we break this into separate issues to be closed with individual, smaller PRs.  Assuming that (0) will get addressed by the n-PRF PR, that leaves us with:

#XXX Add Extensions to the Commit message
#XXX Signal use of external PSKs in Commit/Welcome (=> extension to Commit/Welcome messages)
#XXX Allow Welcome to signal the inclusion of information from a prior group (=> Welcome extension)

Happy to write those up, and contribute to PRs.  Sorry again for the slow progress here.

--Richard

v2.23.0 | Report a Bug | By Email