Re: [MLS] Async Add
Richard Barnes <rlb@ipv.sx> Tue, 22 September 2020 17:21 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69A933A18E0 for <mls@ietfa.amsl.com>; Tue, 22 Sep 2020 10:21:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X0C0A265cI6r for <mls@ietfa.amsl.com>; Tue, 22 Sep 2020 10:21:54 -0700 (PDT)
Received: from mail-qv1-xf2e.google.com (mail-qv1-xf2e.google.com [IPv6:2607:f8b0:4864:20::f2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C6243A18CC for <mls@ietf.org>; Tue, 22 Sep 2020 10:21:54 -0700 (PDT)
Received: by mail-qv1-xf2e.google.com with SMTP id j3so9923256qvi.7 for <mls@ietf.org>; Tue, 22 Sep 2020 10:21:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=l4I9wq36sf+9a8G6B8Jj58oLpSdvHznqlCy/zR+NpAA=; b=DpP0EM5ZOrdrF4R3XkaJ9KRx22RPS0EvR6If4XxhlddfgMsgxu1BOjSpBy7h9h+OCg rqFsXP1+3tcr/yQ1pgyNK61HLl0loUH1E8hNtaGADyyFzp+FKO3wdfBzUzB26+kuIArI JOKgQuB2fQKwi2ffl/wnHNAUjauCPmXUe7umsbpFpVzr7iqxm9P/3+zpB+FnaFTgbEv4 cPibu4Smfd1p/I6v6U3h+rY2qgXl9Ns21w7x593Ieoc2ptpzgqthDzSQ+Re2AdCJAQLU 21x9j6cFwO4ou4I9yuxVFt1CniHIkNyKI/yqZBfl/GICAppcPoBgnATSkNOBHAq678pz GRwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=l4I9wq36sf+9a8G6B8Jj58oLpSdvHznqlCy/zR+NpAA=; b=G/4XvEva7v180JWhSD6f+pesGFfiukEzjGY4jSPugHGOc90IZJLzOXZlNNFWYOs2Ld hpFxsY2Yu+r7NXuZclhyX8mxXNx/E1VWVW1wZTio48Lp5QjF/AJlErLEj9S91nDeDnS1 qdOVJwuXQb9Rv04OMLk6Ekbpuic+qObtRIvv4F2QMYQzyDv2pA5S/TsHosxv/p+xnOdL ocwTGLmnhVAoNtft4Djyrg+Om1bEsExZbTNUc+Y9nMFK6WdOeNK9nACCMVDPnKYIrqn2 nUT9CXHy/NdbOQXJ+K5hmkf+4uWfbMY9Up0ZtfpI9RTd5EuLFrW77/T8O/QBDIomZnvB DlAg==
X-Gm-Message-State: AOAM530aMd2IGpzsjkr9l6VBccpxA2OkLWPGtBXfwUwcgZFByZ+oyFI0 3J9kAEI996zgtYus7mIveDdB8Ogj+QxUvOnfCXnJODL0RIdH3g==
X-Google-Smtp-Source: ABdhPJwDGXohXn75ERYpvOwVizB64KZD4ZeJuAZ3EyE4ixtn4yuDqpYzj9jutGmMeLWzd15CJqfWAuDG+waVZBzw9q4=
X-Received: by 2002:a0c:d682:: with SMTP id k2mr6590741qvi.27.1600795312825; Tue, 22 Sep 2020 10:21:52 -0700 (PDT)
MIME-Version: 1.0
References: <474411EE-C4E8-4D01-B135-2632078C1423@wire.com> <52db4542-ed98-a10b-ac55-e49594504ded@wickr.com> <CAL02cgQRrzvFKZrbPpH3b2CGv6FxP5XXtr4V=28CoXYR-bgwOg@mail.gmail.com> <CABP-pSR5k=ahwS108iJA6qy-gG-PRHj2x3sRjLzWwQY9gTMyHg@mail.gmail.com>
In-Reply-To: <CABP-pSR5k=ahwS108iJA6qy-gG-PRHj2x3sRjLzWwQY9gTMyHg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 22 Sep 2020 13:21:18 -0400
Message-ID: <CAL02cgT7vSnm9XPuN_6pDo4dMnkcxqgjCZgxSFXHbZ6fQ1Rf8A@mail.gmail.com>
To: Brendan McMillion <brendan@cloudflare.com>
Cc: Joel Alwen <jalwen@wickr.com>, Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000facf9d05afea3303"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/Z5_xBItW0NHXkKLrhzji-BIo7E0>
Subject: Re: [MLS] Async Add
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2020 17:21:56 -0000
To expand on what I said on the call: My proposal would be that we use the HPKE exporter function https://github.com/cfrg/draft-irtf-cfrg-hpke/blob/master/draft-irtf-cfrg-hpke.md#secret-export-hpke-export So the scheme you would end up with would be something like: init_priv = KEM.DeriveKeyPair(erstwhile_init_secret) enc, ctx = SetupBaseS(init_priv.public_key, "") // on the send side ctx = SetupBaseR(enc, init_priv, "") // on the receive side init_secret = ctx.Export("mls 1.0 init", secret_size) That "enc" value is the additional data that needs to be conveyed from the sender to the receivers. I'm sympathetic to Brendan's argument that if this is good enough, we should just do it all the time. What is missing for me is an understanding of how the following two transformations relate: epoch_secret --DeriveSecret-> init_secret epoch_secret --DeriveSecret-> erstwhile_init_secret --DeriveKeyPair-> init_priv --SetupBase{skE},Export-> init_secret (Aside from the latter involving a lot more steps!) Either way you have transformed one secret to another; in the latter case, it is also available to whomever holds skE. --RLB On Tue, Sep 22, 2020 at 11:09 AM Brendan McMillion <brendan@cloudflare.com> wrote: > b. "Init with KEM" - You could generate a key pair off of the key >> schedule, use some KEM-based operations to derive the next init secret. >> > > This is a really smart idea and seems like it wouldn't break PCS of the > group like the initial proposal or a public init secret would > > On Tue, Sep 22, 2020 at 7:56 AM Richard Barnes <rlb@ipv.sx> wrote: > >> Thanks for posting this, Raphael. I agree with Joël that this is a >> feature that is likely to get some use. And the PR is pleasantly short >> (though I think it might need a bit more elaboration). >> >> On the topic of entropy from the last epoch, I'm wary of the current >> all-zero approach. It seems like there are at least two other approaches >> available: >> >> a. "Public init secret" - Alongside the regular init secret, derive a >> "public init secret" from the key schedule. Then use this as the init >> secret for external commits. >> >> b. "Init with KEM" - You could generate a key pair off of the key >> schedule, use some KEM-based operations to derive the next init secret. In >> the early days of MLS, we used DH for this. Nowadays, we're KEM-only, but >> I think the HPKE exporter might be pressed into serving a similar purpose. >> >> Looking forward to the discussion... >> >> --RLB >> >> >> On Tue, Sep 22, 2020 at 9:24 AM Joel Alwen <jalwen@wickr.com> wrote: >> >>> My initial 2 cents: this is not just a corner case. MLS should specify >>> how to >>> support such functionality but as an optional mode and making explicit >>> the price >>> in security it entails. >>> >>> >>> I believe such a feature would be used quite a bit if it where >>> available. E.g. >>> My phone is the only device on my account. It breaks. I get a new one >>> and log >>> back in to my account. Now I want my re-join my old groups. In most >>> deployments >>> I'd expect that to be permitted by group policies. But how can I re-join >>> w/o the >>> help of someone else in the group actively "pulling" me in? If I'm not >>> mistaken >>> then this PR provides an answer. >>> >>> >>> The solution does come with a price though. Some things that come to >>> mind: >>> >>> - It seems to require storing public group state on the DS (or some >>> other >>> server) which isn't great for E2E metadata protection. >>> >>> - An external commit provides weaker security guarantees than a normal >>> commit. >>> It throws out the old init_secret. Ergo, if ever an HPKE sk to which one >>> of the >>> UpdatePath secrets was encrypted to leaks then the entire application key >>> schedule of the new epoch is compromised. (Not to mention that further >>> epochs >>> may also be compromised depending on the particulars of the execution.) >>> For >>> normal commits that's not the case because the adv. also needs the old >>> epoch's >>> init_secret. >>> >>> >>> - Joël >>> >>> On 21/09/2020 20:15, Raphael Robert wrote: >>> > Hi all, >>> > >>> > Over the course of the past weeks when assessing how well MLS would >>> fit into existing messengers, it became obvious that adding new members is >>> still problematic. The operation – while technically asynchronous – still >>> requires two parties to be online in many cases. >>> > >>> > Rather than writing a lot of prose here, I attached a presentation >>> that explains the problem and offers a potential solution. >>> > >>> > I also created the following PR: >>> https://github.com/mlswg/mls-protocol/pull/406 >>> > I will bring this up at the interim tomorrow for discussion. >>> > >>> > Raphael >>> > >>> > >>> > _______________________________________________ >>> > MLS mailing list >>> > MLS@ietf.org >>> > https://www.ietf.org/mailman/listinfo/mls >>> > >>> >>> _______________________________________________ >>> MLS mailing list >>> MLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/mls >>> >> _______________________________________________ >> MLS mailing list >> MLS@ietf.org >> https://www.ietf.org/mailman/listinfo/mls >> >
- [MLS] Async Add Raphael Robert
- Re: [MLS] Async Add Joel Alwen
- Re: [MLS] Async Add Richard Barnes
- Re: [MLS] Async Add Brendan McMillion
- Re: [MLS] Async Add Richard Barnes
- Re: [MLS] Async Add Joel Alwen
- Re: [MLS] Async Add Richard Barnes