Re: [MLS] External Commits - Resync
"Hale, Britta (CIV)" <britta.hale@nps.edu> Mon, 23 November 2020 20:39 UTC
Return-Path: <britta.hale@nps.edu>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 723EA3A10D3 for <mls@ietfa.amsl.com>; Mon, 23 Nov 2020 12:39:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.002
X-Spam-Level:
X-Spam-Status: No, score=0.002 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZwGCz0aFJhk2 for <mls@ietfa.amsl.com>; Mon, 23 Nov 2020 12:39:42 -0800 (PST)
Received: from mule.nps.edu (mule.nps.edu [205.155.65.106]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C54FF3A10CF for <mls@ietf.org>; Mon, 23 Nov 2020 12:39:42 -0800 (PST)
X-ASG-Debug-ID: 1606163981-0e39454b98968f0001-bGA3T6
Received: from mail.nps.edu (synergos.ern.nps.edu [172.20.4.116]) by mule.nps.edu with ESMTP id AVBKd2G87zLuRM4d (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO); Mon, 23 Nov 2020 12:39:41 -0800 (PST)
X-Barracuda-Envelope-From: britta.hale@nps.edu
Received: from skywalker.ern.nps.edu (172.20.4.117) by synergos.ern.nps.edu (172.20.4.116) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.2106.2; Mon, 23 Nov 2020 12:39:41 -0800
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (104.47.37.54) by skywalker.ern.nps.edu (172.20.4.117) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.2106.2 via Frontend Transport; Mon, 23 Nov 2020 12:39:41 -0800
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MpqqB1s333yzYKK5ca6ixdAf00OZ+3UG1ADl0xDpaaPw2ddSnEXTUXKwfY6nXZLGMBSy/OuuT+bULRlWlTYOQSepQHKQBN6F6ea4CLiGCUy6O3ukpaNO4EjjA6WfDr04l1f5/VQRX6RylAnjWzp4Fu9Bom+4zjqez/gh4kDsL0Hqvl8n4bdjnYiGHg2js5okTBw16JGPPgBQiodyulVNQ2d5nbOFbmYgcvk86PNijXRQdgTNZ6vbPFLR+NGNgEtia7ictr4BMzTKc/BHPwGu1AEE0HiJndphIW+pV17XSmWEfcnRlkpfp5/puGYisrYyGVyB45x3P95hf7LHQD/0VA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=v09o/gD/nJ3TPrOT4ZcJuwRWkDzfVaTFhyqObm6ebP4=; b=gmjnT7h7TrN0hWtpV0etw7FR29d1bSCudWk13nig4dT77GCj6Wt8ElN2OJX/nxY9XR6zIn3h5u6CYyx1IVqT41UPqQ9w5aSjx3YH6uxfjMt6lKa7yIk8jSyPdZuWCd1f7f5a03UEPvIayeQ5ONQojqtk2jMp8FkjrAWeJoj80gyMK08p1ZkpBGhQV362vA1iIrwyjGDkN+vTaMuF6HJ9Xbvzcdyrp3idBF4pXU4oM+gWpHKVDDhEO+BmfG9nQmlT4EX5YauuST9h+Og0G9/ANT0UGGFMetaakuIr8/JY7uusQpEPxJ1LSTw+o14OCS4xmBTGpCRK+r03ZJJTV+mNKQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nps.edu; dmarc=pass action=none header.from=nps.edu; dkim=pass header.d=nps.edu; arc=none
Received: from BY5PR13MB3348.namprd13.prod.outlook.com (2603:10b6:a03:1aa::23) by BY5PR13MB3176.namprd13.prod.outlook.com (2603:10b6:a03:190::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.9; Mon, 23 Nov 2020 20:39:39 +0000
Received: from BY5PR13MB3348.namprd13.prod.outlook.com ([fe80::8da3:28a1:917e:51c7]) by BY5PR13MB3348.namprd13.prod.outlook.com ([fe80::8da3:28a1:917e:51c7%6]) with mapi id 15.20.3589.030; Mon, 23 Nov 2020 20:39:39 +0000
X-Barracuda-Effective-Source-IP: UNKNOWN[2603:10b6:a03:190::23]
X-Barracuda-Apparent-Source-IP: 2603:10b6:a03:190::23
From: "Hale, Britta (CIV)" <britta.hale@nps.edu>
To: Raphael Robert <raphael@wire.com>
CC: "mls@ietf.org" <mls@ietf.org>
Thread-Topic: [MLS] External Commits - Resync
X-ASG-Orig-Subj: Re: [MLS] External Commits - Resync
Thread-Index: AQHWv5NRsk7dG7UlqUma1q4mUO19OKnVwo2A///ptQA=
Date: Mon, 23 Nov 2020 20:39:39 +0000
Message-ID: <A2D566A2-02E3-4CC6-8534-73257F03948C@nps.edu>
References: <44D1D4F7-9F82-4D46-AF26-D4ECCFB14D13@nps.edu> <D0C2B87B-3425-4618-B23E-176E091E81E4@wire.com>
In-Reply-To: <D0C2B87B-3425-4618-B23E-176E091E81E4@wire.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.1b.201012
authentication-results: wire.com; dkim=none (message not signed) header.d=none;wire.com; dmarc=none action=none header.from=nps.edu;
x-originating-ip: [2601:647:cb00:2941:1875:a352:9b61:3621]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5b8a7e1a-7722-4202-35ba-08d88fefe62a
x-ms-traffictypediagnostic: BY5PR13MB3176:
x-microsoft-antispam-prvs: <BY5PR13MB317639F7CF884975EFB44D02FBFC0@BY5PR13MB3176.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 5ItbAVpo5Z2JUQtFsmqvl8HAYUMsdKRLNHn5EV+vROttr3krkjvQH2frIb3tszrzbRmosrlptgr//ohJdS+7aAazH3pmTbSRWqiWYflOCkNYrFhzo/HTSE4xPEjt0yIO0yhsnxl+qmcG9ZU7gP5GnYF8AZEBtB0Hr5H38nErdfUkbfckdgX0hm+va3IIM4CPvg/Zbb7Zd04Tyn8AxO/ctpR+2qxlS5M1haEU9xMYBvynW1bRR983PbAZW5PG07FkmQXOJdm1Yvj9yMnNwYI6hrawXxe/ihN5mVhOuR+eDGFGxdrWXGnG3nnzTROfOiqs+UBmeOZRPLKpqqlEAT6K/JUYf7+CHtXsmnbu4BWiqG3mZP9MyFE2EkozT7LFEj1gwzJCaMeVFglg6gwn5JWnxg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR13MB3348.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(346002)(39850400004)(376002)(136003)(396003)(83380400001)(86362001)(8936002)(4326008)(8676002)(478600001)(75432002)(186003)(6512007)(166002)(966005)(6486002)(6916009)(786003)(316002)(36756003)(66476007)(66556008)(66446008)(66946007)(64756008)(76116006)(2616005)(53546011)(5660300002)(33656002)(2906002)(71200400001)(6506007); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: YCjzvdZnl5xVdoWFeW/efXZliW/nn1jXwHXP6Up7WUKY6TYlA2I+6KSUB+xkPCRKBlloI+tqA9hzzcESgzJfUok6FFyN9s7OJlWdaYCpf3h7rSwnpGQCOgTEU8nDPR73RH0gzdg8diJDAnraPuZv5lUC3jgYJCLNUrQ2mUidd3jwNc5SOQdnIooKW721xdnWn85gAN/ZNIo/LviGliD3Thdm5s04Vhag0m2d98gWfSYA0/DF+Es1g31IujZfm92GQOduKiBkdnDUcX4a3ynIU0iaYOVnYQeZ6WcrtwubwE2LOP5LzUhNris5/CGc1Q1EUcSg2kOQgJcy/pfZBJMHI2Qspciwg5YabDekfKdOQTaV4DdoyDIWQWCLSn+Ib6RyW78yCuBTdQYtFirBZ+tkIRia3fkQ/mQKxWOYt9vZJYg+gELPfuVdTi9qRwhhvbhF7/z+HK/CVZMXu/681RafwmMd0N1Iwro3QZdOXU4YXRmbrH3E9Nng2DiPKuuMzITfNOJV0dcMO3Mxf+/ossnoerhiHGNC7nGZ2wK5+OmKnsuzm3HvAhafzn8VkfXkoDqs9m3q0f2n0/AOudrJPx/5KmIaaQ45cARdskxAhGR8Hf02OUWh1uvDDbQAWDLXxQRmjwsumREbXS5pSzVMSgWzv5hFsfE0imSJDH5Q23gJem6sbcgXxQZuxmQCW1X8SgI6TjQrvU3nz0HF+sXd1NTXaQ==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_A2D566A202E34CC6853473257F03948Cnpsedu_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR13MB3348.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5b8a7e1a-7722-4202-35ba-08d88fefe62a
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Nov 2020 20:39:39.2767 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6d936231-a517-40ea-9199-f7578963378e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: K52wCzhIY06v/rL2p3Nnc3mprYmjd9qVUvkklgqOyoLxmNMBA1x8ZTUohz95ragud+MQgbWHaH5smOeWV9n3ww==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR13MB3176
X-OriginatorOrg: nps.edu
X-Barracuda-Connect: synergos.ern.nps.edu[172.20.4.116]
X-Barracuda-Start-Time: 1606163981
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA384
X-Barracuda-URL: https://205.155.65.106:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at nps.edu
X-Barracuda-Scan-Msg-Size: 25666
X-Barracuda-BRTS-Status: 1
X-Barracuda-BRTS-Evidence: messaginglayersecurity.rocks
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests=HTML_MESSAGE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.86076 Rule breakdown below pts rule name description ---- ---------------------- -------------------------------------------------- 0.00 HTML_MESSAGE BODY: HTML included in message
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/_ztYibDmyoYvwDQf6Vi4UPQ-B34>
Subject: Re: [MLS] External Commits - Resync
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 20:39:45 -0000
You raise good points. I will throw in some thoughts on a few of these: 1) This has definitely been the case for pair-wise connections – if Alice desyncs such that her conversation with Bob is unrecoverable, they just start an entirely new session wherein trust is based only on identity keys. That then relies on OOB authentication of those keys / trust-on-first-use/etc. The group context is a little different due A) the entire group does not tear-down when Alice desyncs to rebuild a new session and B) it is much easier to be a passive observer such that it is harder to notice if attacker-as-Alice is not behaving as Alice. Some of these irregularities in group messaging link to the reason that the working group so often requires knowledge of the current group state for Alice to make use of keys/send updates/etc. vs. just knowledge of her signature key. By requiring knowledge of the group state, we get continuity for the entities involved from the point of trust-on-first-use of the signature keys. However, if we allow Alice to enter/reset at any time without that continuity in proving knowledge of the group state, then we actually allow subversion against many of the mechanisms that we have put in place elsewhere in the protocol. The distinction here is between joining a session as a new member (where the app decides how entity authentication is handled and users decide who gets to join) and re-joining a session as an already trusted member with all the in-app privileges that were held by the real Alice. 2) I agree that the resumption secrets infrastructure that we have already could work very well here. 3) The threat model is actually a rather critical aspect of this, as there is a subtle entanglement with the PCS claims. Traditional PCS states that after an epoch wherein the attacker is passive, the security is “healed” with the attacker locked out – even if the attacker becomes active later. Now that is no longer the case and we must assume that the attacker continues to be passive indefinitely (or until signature keys are rotated) for PCS to hold. For example, suppose that Alice’s full state is compromised. One epoch later the group state is no longer of use to the attacker. However, the attacker still has the signature keys and can perform the external commit – remove Alice – impersonate Alice sequence. There are cases where signature keys may be compromised without the rest of the state, but I will focus on the above example for now. Note that even the “solution” I proposed before does not prevent this break in PCS assumptions/guarantees. It would, however, imply an i-epoch PCS variant. For example, the attacker gets the signature and resumption secrets and is passive for i=2 epochs, and we only allow re-syncs within those i=2 epochs before considering Alice to be an entirely new zero-trust member. Alice can resync within i=2 epochs while providing group members some assurance that she is still the same entity, and there is an i-limit on the number epochs we require the attacker to be passive, thus still allowing for a form of PCS. 4) I do not have a solid proposal for this. One possibility could indeed be that if a signature key already exists in the tree we assume that Alice is attempting a resync (i.e. if Alice is not in the tree at all then she is a new member or else should prove knowledge of a past state). Another could be a list of current group members/identity keys. Britta From: Raphael Robert <raphael@wire.com> Date: Monday, November 23, 2020 at 5:59 AM To: "Hale, Britta (CIV)" <britta.hale@nps.edu> Cc: "mls@ietf.org" <mls@ietf.org> Subject: Re: [MLS] External Commits - Resync Hi Britta, That’s definitely an interesting question. The way the spec is written right now, Alice could just re-sync like you described and that raises a few questions (in no particular order): - The status quo with messaging apps is that you can typically join a session by only controlling the identity key. This is the case for messengers based on the Signal protocol. While a session gives you certain well-understood guarantees, it’s up to the apps to define how seamlessly you can initiate a new session (https://github.com/signalapp/Signal-iOS/issues/4138). While that’s the status quo, it doesn’t mean we shouldn’t aim higher with MLS. - You mention the proof of past participation and I think the resumption secrets we already have could be used for that (https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html#name-resumption-secret). Provided other members keep them around for long enough, Alice could prove that was indeed a member in the past. - What is the exact threat model? An attacker that compromises a device will not only get the signature key, but most likely also the resumption secrets. The intuition here is that it is unlikely that the resumption secrets are better protected on the device than the signature key itself (but I might be wrong). We also recommend that signature keys should not be re-used between devices, which lowers the chance that they leak when they are copied (they probably don’t have to be copied ever if they are not re-used). Given the above, I’m wondering if you had a particular scenario in mind? - Let’s say we wanted to address this. The practical problem I see is that it might be impossible for other members to determine if Alice is trying to re-sync. There was some discussion on this now closed PR: https://github.com/mlswg/mls-protocol/pull/439. If we don’t have a way to uniquely distinguish between members (other than by their position in the tree), how can we detect that they are trying to re-sync? I’m all for continuing the discussion though! Maybe we won’t find a satisfying solution, but we should try at least. Thanks Raphael On 21. Nov 2020, at 00:17, Hale, Britta (CIV) <britta.hale@nps.edu<mailto:britta.hale@nps.edu>> wrote: Hi all, A good point was raised by Jonathon Hoyland during the MLS IETF 109 meeting regarding possible concerns in using external commits for resync, particularly in the case of Alice adding/removing herself. Richard noted that this is a feature in the case that Alice is no longer synchronized with the group and therefore can use an external commit to add herself back in, removing the previous version. As opposed to any newcomer joining with an external commit, the case of Alice re-joining presents a potential security issue. Namely, as currently specified (in my reading of the draft), an existing group member, Bob, has no means to distinguish between the following cases: 1. Alice needs to resync and therefore performs an external commit and removes her prior version. 2. Alice’s signature keys are compromised (it is not necessary for the adversary to compromise any group state). The adversary performs an external commit in Alice’s name, and then removes her prior version and impersonates her to the group. One might hope that Alice notices that she is removed and communicates this to the group members OOB, but it is also possible that that she assumes some other reason for the removal, is offline, or simply is not active enough to take action for a fairly long compromise window. Even if she tries to use an external commit to get back into the group and then removes the adversary-as-Alice, there is no means for other group members distinguish the real Alice from the adversary-as-Alice and the process could be circular (until new valid identity keys are issued). While a newcomer is a fresh source to be trusted or not, Alice has been “healing” along with the group and the above option (2) allows the adversary to bypass all of that. The source of the problem is that when Alice re-syncs, she is not providing any validation of being the same/previous identity, so it is easy for other group members to accept that nothing more than a resync has taken place. Thus, a fairly straightforward solution is to require PSK use in cases where an external commit is used for resync. By enabling a PSK derived from a previous epoch during which Alice was part of the group to be injected with the external commit, Alice provides some proof of prior group membership and we avoid the total reset. What does everyone think about this? Is it a problem that we want to address, or let it fall out-of-scope? (Also, if I missed something in the draft that already fixes this, please point it out.) - Britta _______________________________________________ MLS mailing list MLS@ietf.org<mailto:MLS@ietf.org> https://www.ietf.org/mailman/listinfo/mls
- [MLS] External Commits - Resync Hale, Britta (CIV)
- Re: [MLS] External Commits - Resync Raphael Robert
- Re: [MLS] External Commits - Resync Hale, Britta (CIV)