Re: [MLS] Weak vs. Strong Tree Authentication
Brendan McMillion <brendan@cloudflare.com> Fri, 23 October 2020 20:01 UTC
Return-Path: <brendan@cloudflare.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E3B53A0AFA for <mls@ietfa.amsl.com>; Fri, 23 Oct 2020 13:01:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 63qdfTB240EY for <mls@ietfa.amsl.com>; Fri, 23 Oct 2020 13:01:13 -0700 (PDT)
Received: from mail-qv1-xf34.google.com (mail-qv1-xf34.google.com [IPv6:2607:f8b0:4864:20::f34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CADD73A0AF7 for <mls@ietf.org>; Fri, 23 Oct 2020 13:01:12 -0700 (PDT)
Received: by mail-qv1-xf34.google.com with SMTP id de3so1332661qvb.5 for <mls@ietf.org>; Fri, 23 Oct 2020 13:01:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UzAKdmtq65x6lj4v8WPaYMtpa0IYv05YQNdm/gpomeY=; b=ZcsHBWbjewy3Xn9mLJkyczCRNLMGnYU6TPAVSqjAMYLUJenoX8kNRlLAmIPYMjwEPB YvnnOCiycO1JBtEK0xTLxI6HpXitPH/lYyHxqoR57+gHknNhhQ3h5FhtsNk5U1TD1lUS ahitxXjIEzs0o1pkiA1GBF5FhXndTRyVPKTsE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UzAKdmtq65x6lj4v8WPaYMtpa0IYv05YQNdm/gpomeY=; b=j9aWwhqkned25zGZyumKLT/JHcpbf2KphGg1siegwoN5ElTKyNk/ONTykfcqtHqkON gpHRE0QS6aoHiuGVs09dzxU2TTzDr+t8ttDo8ga0p78Uau4MUycys/0zHSqWJHmhRpoO unzF464Ad0hF0mFOapU4iMrOviBHrzDCcbk8hXKW6MkLaX+4ihAyJ5YFEwubV8b9brg7 X6iCq1opMvQsfjfoREDA+0HP4AVsVyFYruYunAxL2vwHvzfEmPxG4urV8SZOj2TYxWie jfwdGvDHQV2f4dc2cY8zoWwcpEX6YExLanBDydFV8u/MUN2OHWT5TlNC/f7u7hNJSgZq Ziww==
X-Gm-Message-State: AOAM532js2MKo+cfiO1hWmIldpejTtx1qEEBXlgXf7EzJ8BkVZtclpKr MxnRVuRO8agGSCz+mQ7C2vJ3Lo2QDCOF1lklU2stXA==
X-Google-Smtp-Source: ABdhPJyFg9Sv4lAnu1ghhB4mKzVNxtQffiyL1PWamoghHlVjfiL2A6O2X3EPogRNQcE+KIX4bkqvwsHNRPCAL9+AoyY=
X-Received: by 2002:a0c:e585:: with SMTP id t5mr811563qvm.6.1603483271571; Fri, 23 Oct 2020 13:01:11 -0700 (PDT)
MIME-Version: 1.0
References: <fdad0840-6396-341b-b646-7bee23e2d5d8@wickr.com> <C3D36254-A92F-43E0-9418-E775D0BBA0F7@wire.com>
In-Reply-To: <C3D36254-A92F-43E0-9418-E775D0BBA0F7@wire.com>
From: Brendan McMillion <brendan@cloudflare.com>
Date: Fri, 23 Oct 2020 13:01:00 -0700
Message-ID: <CABP-pSR9hO6coX1oYLn1RvidvLN9w+d1tnfiEOL9prND==0rtA@mail.gmail.com>
To: Raphael Robert <raphael=40wire.com@dmarc.ietf.org>
Cc: Joel Alwen <jalwen@wickr.com>, Jost Daniel <dajost@inf.ethz.ch>, Messaging Layer Security WG <mls@ietf.org>, Marta Mularczyk <mumarta@ethz.ch>
Content-Type: multipart/alternative; boundary="000000000000ce540705b25c0a5a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/ZzTq8b-4WIn0RA-5auv-3loB5eA>
Subject: Re: [MLS] Weak vs. Strong Tree Authentication
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Oct 2020 20:01:17 -0000
Hey Joel, Thanks as well. The bar we were having trouble meeting at the interim in NY was finding a meaningful attack that distinguished the two constructions. But since you've now done that, I definitely agree we should move to the stronger one. On Fri, Oct 23, 2020 at 11:24 AM Raphael Robert <raphael= 40wire.com@dmarc.ietf.org> wrote: > Thanks for the detailed write-up! A few thoughts that came to mind when I > read it: > > - When we discussed the weak parent hash construction vs strong tree > hash, it was obvious that a malicious insider could create fake trees and > trick new joiners. Creating fake trees is a possibility that’s always been > there (and still is) in MLS: the attacker places a bunch of KeyPackages in > leaves, the attacker commits (thus populating their direct path) and > invites a new member at the same time. The new member can only verify a > parent hash/tree hash that the attacker created. The group looks valid to > the new member, but in fact all other members of the group could be fake > until we’ve seen an update from them. What you now describe has a new > quality (at least to me): the impossibility evict the malicious insider > from a group. > > - In the example you describe, it is clear that Dave did not manage to > cryptographically evict Bob from the group. What’s maybe worth clarifying > is that Alice and Charlie are no longer able to participate in G2, since > Bob swapped his position with Charlie. This would lead to a different tree > hash for Alice and Charlie, hence the group context would be a different > one, hence they would have different inputs to the key schedule. They would > detect that when Bob Commits (from his fake position in the tree) to add > Dave, because Bob would produce a confirmation_tag that would look wrong to > Alice and Charlie. In the end this means that Dave thinks he ist talking to > to whoever is left in the group after he evicted Bob (in this case Alice & > Charlie), while in fact only Bob can decrypt his messages. At some point > Dave might notice that nobody else interacts with the group anymore, but > the damage might already be done if he sent messages to the group in the > meantime. > > - Regarding External Commits: Did I get this right that your point is that > just signing GroupPublicState isn’t enough and that you’d need the strong > tree hash construction instead? > > - The reason why Bob couldn’t be evicted by Dave is because Bob had the > liberty of reshuffling the leaves. Or in other words, we can conclude that > the current parent hash does not fully protect the tree invariant, only one > aspect of it. Going for fully hashing the tree nodes as described locks > down the whole tree structure, making any reshuffling impossible. Maybe > there is a more lightweight approach that would yield the same result > without “provid[ing] irrefutable evidence that the signing key's owner was > in a group with (at least some) of the other members in the group”, but I > can’t think of anything right now. > > - To follow up on the last point, what the current parent hash scheme is > missing, is that it doesn’t convey to whom the secrets in a direct path of > a member were made available. The only way to convey this is to show who > was below the heads of the copath nodes when the new node secrets were > KEMed to the copath during Commit. The full tree hash provides that > information. The unwanted side-effect is that it fully reveals the identity > of the leaves, especially their long-term identity. If there was a way to > dissociate the identity from the position of the leaves in the tree, the > side-effect might be alleviated. But again, I don’t see how to achieve that > right now. > > That’s all for now, I’ll think about this some more. > > Raphael > > > On 23 Oct 2020, at 12:00, Joel Alwen <jalwen@wickr.com> wrote: > > > > Hey everyone, > > > > In the course of our insider security analysis of MLS (detailed in our > previous > > email titled “On the Insider Security of MLS” on the list today and > available > > here [1]) we noticed a trade-off MLS is making between deniability and > security > > that we believe merits extra attention. > > > > MLS initially considered two "tree-signing" methods (see below), where > method 1 > > seemed more secure but was less deniable than method 2. MLS went with > method 2, > > since at the time additional security of method 1 was unclear. We now > have a > > much clearer understanding of what we’re giving up by opting for method > 2 so we > > wanted to share that with everyone. Put simply, method 2 provides a fair > bit > > weaker security guarantees for people joining a new (possibly > adversarially > > generated) group than does method 1. > > > > [1] Alwen, Jost, Mularczyk - On the Insider Security of MLS. > https://ia.cr/2020/1327 > > > > > > Two Constructions > > ----------------- > > In more detail, the issue centers on how the parent_hash is defined. A > party > > joining a group authenticates the group’s ratchet tree by verifying the > sigs at > > each leaf. Some of those leaves include a parent_hash value which, in > turn, > > fixes values stored higher up in the ratchet tree. Intuitively, this is > meant to > > provide some security guarantees to the new member. Basically, the hope > was that > > if all keys in a ratchet tree are signed by group members and you trust > all the > > group members you should be in a secure group. > > > > It turns out though that exactly how parent_hash is defined is critical > to > > whether we really achieve this intuition or not. We are aware of 2 > definitions > > considered in the past. For lack of better terminology we'll call them: > > > > "weak parent_hash" : What MLS does now. parent_hash of a node only > covers the > > HPKE pks on the path from root to the node. Roughly speaking, we have > that: > > - root.parent_hash := 0 > > - node.parent_hash := H(node.parent.pk, node.parent.parent_hash). > > > > "strong parent_hash" : Define parent_hash to include tree_hash (and > tree_hash to > > *not* include parent_hash). The tree_hash of a node covers all values in > the > > subtree rooted at that node (except the parent_hashes and signatures). > So > > basically something like this: > > - leaf.tree_hash := H(leaf.data) > > - node.tree_hash := H(node.data, node.lchild.tree_hash, > node.rchild.tree_hash) > > - root.parent_hash := 0 > > - node.parent_hash := H(node.parent.tree_hash, > node.parent.parent_hash). > > > > > > In an effort to preserve a modicum of deniability, the working group > opted for > > the "weak" approach. It was felt that this way a signature at a leaf > would only > > weakly bind the signing party to the session it was signing in. > Conversely, > > signing a strong parent_hash would provide irrefutable evidence that the > signing > > key's owner was in a group with (at least some) of the other members in > the > > group. As far as we know, at the time the security implications of this > decision > > (beyond deniability), were not well understood. > > > > > > Different Security Guarantees > > ----------------------------- > > Here's what we found about these 2 variants. Consider an MLS execution > where > > Alice joins a session using a valid looking welcome message and ratchet > tree > > *possibly produced somehow by a malicious insider*. (Think of an > “insider” as an > > attacker that can participate as a group member in MLS sessions, can > leak honest > > parties states at will, and that can completely control the DS and the > AS. For a > > more complete explanation of their capabilities see the email with > subject “On > > the Insider Security of MLS” in this mailinglist.) Alice's session > continues, > > e.g. parties issue proposals, commit and send application messages. > > > > We asked ourselves: When (if ever) does the session Alice joined become > > “secure”? A bit more precisely, when can we prove that (in our > adversarial > > model) the epoch_secret of a given epoch E looks random to the adversary? > > > > We answered this by defining 2 properties of the execution that suffice > for us > > to prove such a claim for any given epoch E. > > > > Call a signature key pair "leaked" if it's secret key was either chosen > by the > > adversary or explicitly revealed to the adversary in the course of a > leaking the > > key’s owner’s local state. We call a ratchet tree "bad" if at least one > leaf is > > assigned a leaked key pair. > > > > - Property 1: The ratchet tree for epoch E is not bad. (When MLS uses > strong > > parent_hashes then this property suffices to prove security for E.) > > > > - Property 2: No key pair at a leaf of E was ever part of a bad ratchet > tree. > > This includes ratchet tree's for other epochs in other sessions. (When > MLS uses > > weak parent_hashes then this property suffices to prove security for E.) > > > > This difference in what we need to prove security for strong and weak > hashes is > > not just a limit of our proof techniques. In fact, we can build concrete > attacks > > that demonstrate the different guarantees. The attacks succeed against > weak > > parent_hashes but fails against strong parent_hashes. See the end of > this email > > for an example. > > > > > > The Argument for Strong parent_hashes > > ------------------------------------- > > In our opinion the difference between the 2 properties is big. Suppose > you find > > yourself in an epoch E and are trying to decide if it’s secure. Property > 1 means > > that E’s security depends only on the security of the keys involved in > that > > epoch; that is keys you can see belonging to parties you are aware of. > So if > > you believe that everyone in E is honest and is using an unleaked key > you can > > already conclude you're getting privacy. > > > > But Property 2 means that to reach the same conclusion about E you'd > further > > have to assume the same thing about all sorts of other epochs (of other > groups!) > > which just happen to involve a key pair also used in E. That seems like > a *much* > > worse guarantee. In particular, there's no reason to believe you'd even > be aware > > of all those other groups, let alone who was in them and what keys > everyone was > > using. To us, this motivates switching over to strong parent_hashing. > > > > On the flip side we would lose the deniability benefits that the weak > > parent_hashes give us now. We believe this "loss" to be worth it though. > First, > > our (Joël and Marta) take is that deniability is at most "nice to have" > but > > nowhere near as crucial as privacy and authenticity are. Second, we > don't think > > that even with weak parent_hashes we could make any claims that MLS is > deniable > > in some reasonable and holistic sense. So by giving up this particular > mechanism > > it doesn't look like we're really losing any general deniability feature > of the > > entire protocol. If we want deniability in some form for MLS then we > believe > > we'll have to revisit much of what MLS does anyway. > > > > Thus, our take is that we'd rather have a stronger, (in particular more > locally > > based) privacy guarantee when joining a new group than the incomplete > > deniability guarantee we have now. > > > > > > > > - Daniel, Joël, Marta > > > > > > > > > > > > > > An Attack Separating Strong from Weak parent_hashs > > -------------------------------------------------- > > The basic vulnerability exploited by this attack is that signing a weak > > parent_hash only authenticates the HPKE keys on a direct path but not > which > > parties were then told each of the secret keys on that path. This lets an > > insider that knows many keys on a path construct a new ratchet tree > where they > > seem to only know fewer of the keys (near the root). So when the party > is then > > removed from this fake group some of the secrets they know will remain > part of > > the group state. That in turn lets them compute epoch_secrets even after > being > > removed from the group thus breaking privacy. The attack is described > bellow and > > depicted in the figure attached to this email. > > > > Suppose MLS uses weak parent_hashes. > > 1) Bob is an insider attacker. He's in a group G1 with 3 leaves. From > left to > > right they are assigned to Alice, Bob and Charlie. Alice performs a > commit in G1 > > resulting in ratchet tree T1. (Notice Bob now knows the HPKE sk at the > parent of > > Alice and Bob.) > > > > 2) Bob creates a fake ratchet tree T2 with 3 leaves as follows. He > copies all > > nodes from Alice’s leaf to the root from T1 to T2. Next he places a > fresh key > > package for Charlie the sibling leaf to Alice (i.e. Bob’s former leaf in > T1). > > Finally he places himself in the rightmost leaf. He also samples any > values he > > needs for the new groups application key schedule (e.g. an init_secret > from a > > fake previous epoch). Call the resulting group G2. > > > > 3) Next Bob creates a proposal to add Dave to G2 and commits to it > initiating a > > new epoch E’. He produces a corresponding welcome message which he sends > to Dave. > > > > 4) Once Dave joins, Bob proposes to remove himself from the group. Dave > commits > > to the proposal which initiates epoch E. > > > > At this point Property 1 for E is satisfied (as T2 only has Alice, > Charlie and > > Dave at the leaves). But in reality, Bob still knows the HPKE sk at the > parent > > of Alice and Charlie as that wasn’t blanked out or overwritten when Dave > did his > > commit removing Bob from T2. Worse, that commit by Dave includes a > ciphertext > > encrypting a secret to the sk which is intended to let Alice and Charlie > compute > > the commit_secret. That lets Bob compute the commit_secret and thus too > the > > epoch_secret for E. So E isn't secure. > > > > Notice the above attack fails when MLS uses strong parent_hashes. Copying > > Alice’s leaf and parent node from T1 to T2 forces Bob to also copy her > sibling > > leaf from T1 to T2. Bob can no longer pretend he is not the sibling of > Alice. > > Thus, when Bob is removed from G2 by Dave the parent node of Alice will > be > > blanked and so Dave will encrypt the secret for the grandparent straight > to > > Alice’s leaf. In other words, Bob can no longer process the commit and > he is > > truly out of G2 as intended leaving E in a secure state. > > > > Finally, to add to the discussion in the “Overflow from discussion on > #406” > > email thread, it looks like this attack is *not* prevented by having the > > GroupKeyPackage signed (e.g. by the sender of a welcome packet = the > most recent > > group member to commit). Dave gets the GroupKeyPackage for G2 from Bob > and Bob > > can create and sign it no problem as he is in G2, knows its key schedule > and the > > whole public part of T2. So everything would check out just fine for > Dave. > > <attack on weak parent > hashing.png>_______________________________________________ > > MLS mailing list > > MLS@ietf.org > > https://www.ietf.org/mailman/listinfo/mls > > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] Weak vs. Strong Tree Authentication Joel Alwen
- Re: [MLS] Weak vs. Strong Tree Authentication Raphael Robert
- Re: [MLS] Weak vs. Strong Tree Authentication Brendan McMillion
- Re: [MLS] Weak vs. Strong Tree Authentication Joel Alwen