IETF Logo Mail Archive

Re: [MLS] Use Cases for avoiding Forward Secrecy

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 01 March 2018 01:10 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE45112D7F9 for <mls@ietfa.amsl.com>; Wed, 28 Feb 2018 17:10:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a1yDXSeIqkVk for <mls@ietfa.amsl.com>; Wed, 28 Feb 2018 17:10:19 -0800 (PST)
Received: from mail-ot0-x231.google.com (mail-ot0-x231.google.com [IPv6:2607:f8b0:4003:c0f::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BBC812D7F6 for <mls@ietf.org>; Wed, 28 Feb 2018 17:10:19 -0800 (PST)
Received: by mail-ot0-x231.google.com with SMTP id f11so4086840otj.12 for <mls@ietf.org>; Wed, 28 Feb 2018 17:10:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=PVmM8h6Y7gDz/oZw28kISyNZh2H0WwADMNHqpDNQ274=; b=PS9q8w/yGeVSHXQqq20GGRYhj8/Ske7kqmP1MkuWhhkTyTlECFewRo43YEttQmtg/P ePFfxk/E7JUJn1SYu2AECf4g5hqOgkO3n79aK5fMdFczHop9lfGxBrHgqQBTZVLmyZkd oMF9nR69h3rzBreICAJ0BmZ7qSrVYmhv8t/QtYBQdKtEwg0b6kVW+2LEFnUznZr6nwJs 2NHmgKvElen7VVf/pd4yCtG+gHzJGlrTjw9aq7/sOEqQXfHChfH4BYHRmhLzuv5OiMxU fHb/cYvrX9omk+10AUQaF2WzzDDH+b8Ym1ImOA+opi1SbtIRnrdZooFg7Ab7SX5EU39B KnQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=PVmM8h6Y7gDz/oZw28kISyNZh2H0WwADMNHqpDNQ274=; b=nohWPlwnY3Y78kaozM0MxavIrh03KHF9t2w5pz1aI6Mk3mEnwJXJuhKBbhdEhbfISI 09kFD6A4myizMDHK9h3WBnWEFINg2KA5DBkG8zBcr0RL0Hg9AARx4nz9ok6trYbet5d6 1y3HDivYubwjaFntrERfHs3xXUcb0TF6zoXbEbwVyLLicRbVjMMKCOTi/lqv20mZSnFJ HgeCL8IOMH+jsvpwu7GPH/8lUuSrwQkYF1V/h0bF4t38yE8YBgiawpQ2zJH2I0ME52KJ O7PW8T6a4/XmAivPaQSDIcjEzF7yy6Lq1G6XouhwQqDTTLiXItfkVmpSbcETVlZABt02 4yfQ==
X-Gm-Message-State: AElRT7FvTpmThdC7oxgjm2IpgACYx8hQZKRSI2DfqqTCIYMWOy7B9UEJ 5j/2tq0cRfAmecv061ltBEImsXk7TwYsSPPdUkM=
X-Google-Smtp-Source: AG47ELuxzL8lH+Q26DDyjh/1GFiLejJ83tRDPMr0bXNfBOT7X4TbCEk3jnRdxGPLb6j97I931koJhiEMTiJfpGB0Q6M=
X-Received: by 10.157.3.196 with SMTP id f62mr54924otf.360.1519866618101; Wed, 28 Feb 2018 17:10:18 -0800 (PST)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 10.157.5.5 with HTTP; Wed, 28 Feb 2018 17:10:17 -0800 (PST)
In-Reply-To: <20180228234104.14fde460@T-200>
References: <CAKHUCzxOwmPrpUUj6HSRMcxiXtRmT05OapeBQdRA49bSWum6yQ@mail.gmail.com> <f10d4e2c-7b4c-b841-eadf-056e1729c713@cs.tcd.ie> <CAMm+LwjJxdTJcPBCNh3JsjDeWODFuS3FwUPz_ztvzKpkU7X8DA@mail.gmail.com> <20180228222800.0a978ded@T-200> <CAMm+LwjGfQj2K1krkKMfL3ZwBj0XCXK7VTkfmRDTt4d18MOk3w@mail.gmail.com> <20180228234104.14fde460@T-200>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 28 Feb 2018 20:10:17 -0500
X-Google-Sender-Auth: 6h3cI8s9NKpyzF7dFQlkHDJu8Ig
Message-ID: <CAMm+Lwh2Vz4duXXEh1DKOHmzWRxgguOhJS+ywDNYUhc=Zfg6pw@mail.gmail.com>
To: Dennis Jackson <dennis.jackson@cs.ox.ac.uk>
Cc: mls@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c03c326e0c5e305664f8530"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/YAweUUvhoJbQtHHnajcAvI5bgZo>
Subject: Re: [MLS] Use Cases for avoiding Forward Secrecy
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Mar 2018 01:10:21 -0000

On Wed, Feb 28, 2018 at 6:41 PM, Dennis Jackson <dennis.jackson@cs.ox.ac.uk>
wrote:

> > ​The cost of this shared state is far from trivial at the protocol
> > level as both the sending and receiving device have to be in
> > synchronization. What happens when Alice and Bob have a dozen
> > devices? Then we have 144 sets of shared state.​
>
> Phillip, it's clear you've read neither the MLS draft, nor the paper it
> is based on. For example: one of the key contributions is a reduction in
> the amount of shared state from O(n^2) to O(log n)
>

​It is pretty clear to me that you need to stop making assumptions about
what other people have read.

You are being very rude and you need to stop. NOW.


These are complicated issues and I for one would never assume that I had
written a paper that was clear enough for everyone to understand
immediately.

Further, it is far from clear to me that the paper addresses the multiple
devices per user as distinct from the multiple user problem. The draft has
all of two paragraphs on multiple devices. I have spent three years working
on the problem of sharing keys across multiple devices and it requires more
than two paragraphs to address all the issues, I am sure.​
​

​My exchange is O(n). If a participant drops out, the others can rekey
using the existing information.​



> > If this group is not interested in open discussion, it might be in
> > the wrong standards organization.
> > Trying to shut down discussion of other requirements is a REALLY BAD
> > predictor of success in IETF.
> > Go talk to the DANE folk and see how that worked for them.
>
> The discussion on PFS has been done to death, both on the TLS mailing
> list and in numerous other places and I would hate to see us repeat it
> for little gain.


​Well hate away​.

This is a different problem to TLS because we have more than two parties
and it changes matters. One of the things I only just realized is that PFS
is not even a property of the protocol, it is a property of a key in the
exchange and not of the exchange itself.

I can modify my key exchange to support use cases in which the key exchange
has forward secrecy with respect to the keys of Alice and Bob but not Doug
or Carol. I am not sure why you would want to do that yet. But you can do
it.

​Actually, I do have a use case.

Let us say that we want FS with respect to each of the keys of Alice, Bob,
Carol and Doug but ​they don't all want to inject fresh FS information at
the exact same time. Let us say Alice has her key in a HSM while Bob is
using a soft key, Alice is sitting in a SOC and Bob is a field agent on
Moscow Rules. Bob probably wants for FS their key every ten minutes. Alice
might be good for a week.


> In the end, TLS 1.3 mandates that PFS be used in
> every connection. I find it hard to imagine that MLS will aspire
> to a weaker security goal than TLS, but as you say, it is for the
> group to decide.


If we have PFS at the TLS level, why do we need it at the messaging layer
as well? Or are you thinking you will be running your application over IP?


In general, I think that thinking about the protocol more is what leads to
higher security. Not simply insisting on a set of features we already know
how to implement.

v2.23.0 | Report a Bug | By Email