Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule
Joel Alwen <jalwen@wickr.com> Thu, 20 August 2020 14:20 UTC
Return-Path: <jalwen@wickr.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F39373A0B53 for <mls@ietfa.amsl.com>; Thu, 20 Aug 2020 07:20:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.848
X-Spam-Level:
X-Spam-Status: No, score=-2.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.949, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wickr-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A2apxchFAt3o for <mls@ietfa.amsl.com>; Thu, 20 Aug 2020 07:20:53 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63C7B3A0B18 for <mls@ietf.org>; Thu, 20 Aug 2020 07:20:53 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id w2so1471484edv.7 for <mls@ietf.org>; Thu, 20 Aug 2020 07:20:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wickr-com.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:autocrypt:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=GvDatw6Rm6yR5LuhDmxchI377lt2rkest2/yaYzyrpo=; b=GU93Mnh3LJh5qVhn9euZmns9chljhkluaSuELa1cSol5Oore769G5imGwQ2+kE2U+Z G1deMJhHS6KwHl/Zq9ZkotH+4oXGmtCFxkZhQVjXWyLroyfiEn7b3NPXUrWVlLXDy+s7 FRSPk2QHFHsyagLT2jhqUR1B6NlnTQSPGpos52Af2YTmANuI4BQp1Oypw4J527Z+jSIa KUnt9GtshIkAsPmeki9Ujfv3zqi4IGGaVRqBkA8rC20eUFZJ2tFAOGtqhW+CgQjfRH1M Gk1eaDqB7QXxyh3SPNV6XXZN+XVvR7qs85HP65olgPp3LWspzd9WwJqLE5sz8a2Vrq0+ lqNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:autocrypt :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=GvDatw6Rm6yR5LuhDmxchI377lt2rkest2/yaYzyrpo=; b=aFDdUfk9FEnjsYsTpwOy7OzrIhD2nZkboTTbzIo2qE4APlvnGdaJvK50st/geGe0qd dezQvN0gz1YA9lEM0zCXUqNBX/k3U7EIWleyXk2rzfg+EpwsmHM2gx8F8KaWCZlDY1jf gN0DwYXW872gc8FsKoDY/NcJeQM6LtRr6iFRNS9yXlm8SGa2Ln+ARpAsUuwELOs2d+r9 bVIj7Pxx1RZxovQf0lPPaLYvBDiNN54jcVJ0HZwgCJE3n66I7ll2FBwPrTJIRgVCd5OS XmuQP2EjASVEPR2kKQpRijfyGvdQZkP1qeWuw8Vbxx7FJxS856bKO1v9mZP5rGfVaf1g xmiw==
X-Gm-Message-State: AOAM533YgzB1+ZGHaxyRaVricM1HCiiDxoPnaYW/uUdCDtnh8j1CCBku atl5T383TGbh2fMz1gwJluDQC58MdArl9A==
X-Google-Smtp-Source: ABdhPJwSrAEZjlmqln8fjL3XEah7LPvbMEFIHgzwqztDYY8yRWRZduZ9Sst4CPq6XS5L6KuIfuoRww==
X-Received: by 2002:a50:ee93:: with SMTP id f19mr3088103edr.31.1597933251346; Thu, 20 Aug 2020 07:20:51 -0700 (PDT)
Received: from [192.168.1.137] (84-114-27-5.cable.dynamic.surfer.at. [84.114.27.5]) by smtp.gmail.com with ESMTPSA id bz19sm484605ejc.72.2020.08.20.07.20.49 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 20 Aug 2020 07:20:50 -0700 (PDT)
To: Raphael Robert <raphael@wire.com>, Richard Barnes <rlb@ipv.sx>
Cc: Messaging Layer Security WG <mls@ietf.org>
References: <7d7283b6-8c70-d045-81c2-f552219869ad@wickr.com> <F5B1E029-D8B4-4BEA-BF7A-CDD531D662BD@wire.com> <CAL02cgRTtZp+gHKA0hXxxEn_L6SWRRTJa-U+bhQUhpvM8qZ+Cg@mail.gmail.com> <87d72ad5-dce9-18f7-f1c4-7a8317fd0739@wickr.com> <30DD617C-A8A8-4801-A62A-43A722B1B597@wire.com> <CAL02cgTo8CXNt26XKGrMo1vU-n6M88YtoJ4cqdxrvpyWaX1VNA@mail.gmail.com> <f4e7ea74-d368-154c-72ee-8d70b30235d2@wickr.com> <CAL02cgTbQ+cirgAGdpH4=c=Yv4X=vHqik1NQ3hHxeRC=L2Uc4Q@mail.gmail.com> <26970E9E-6EED-46D5-BD5D-8E1ADB40A93F@wire.com>
From: Joel Alwen <jalwen@wickr.com>
Autocrypt: addr=jalwen@wickr.com; keydata= mQENBFyIZvABCAC65JupY1w7gzhhNo41ftIk09n7Lid9p31jDR8Jefv9R5sWL+HZFGDeABAY 1J1JvV6vOaMsfdy9iUFfGS1GhMJ3+mh799SIsB3JSfPq/eq6Jut57D2yPtILmc7ZbuJyBHg0 xuYfKCQQAYikW+v2LJQU1Y+BUDbVldpzxSc8Z3PPSfunWdzhY6qAAhyCv+Y8EzJlQivMwD5B f6737krf8SoBsjsqCHQrRo/r+BSj5Wtd5/K3FkmWLOUAFoYK23+cpoFntGJKZfss27gDPhyS gX9ibXcBGQqBEF4qDPEzEHK8iQmXTxLul5Y7lQ6ADf69xH15WM4GmRBeCvR3Uanxcr2/ABEB AAG0HUpvZWwgQWx3ZW4gPGphbHdlbkB3aWNrci5jb20+iQFUBBMBCAA+FiEEYFNg9IH2SV6e 03O3FR5tDZv8eygFAlyIZvICGwMFCQHhM4AFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ FR5tDZv8eyjSywgApQNIRcL4IKTJ0I4XwcQRhICu1Bht3c2fUnG2YziJXjGf6DZ49uKKtuIu fk8mNS+vKRLoLZ7+u+Pv/Yjmk8jtrr6Saz1vnfsle3GgmXG5JaKOM5cOfeo5JnlNUP3QonR7 LMZwY1qVKg2mzNmwi0jG1zIGgQ5fiAwqe+YTNFli5bc/H1O9LcSmbrLV9OyucARq11DIiAvU fDknZ17OahQls+9mgfAXH5vZjzo296tYvzkOJQ2A6GPxdMHIXGbJM/vjuMe2QJl6C0zaqOtm JvFcx/HpNhmugYI9OsNAd7846HASDp8BKyfY5FYP7bn0/JBuCpg18Aykru6xyFjG3gv0Lw==
Message-ID: <1bd2268c-7f27-e24a-bcd7-3192afae13c9@wickr.com>
Date: Thu, 20 Aug 2020 16:20:49 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <26970E9E-6EED-46D5-BD5D-8E1ADB40A93F@wire.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/bnWqgVw-LYp0QCiZkTyVSzEZGI0>
Subject: Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2020 14:20:56 -0000
Yeah, good point. While I'm not sure every case of server inspection would require checking sigs on packets I am sure it would be useful for some cases. > The obvious fix is to include the membership_token in MLSPlaintext as well. Yup, I'm all for it. (Or at least for making it an optional field in that struct.) - Joël On 19/08/2020 09:24, Raphael Robert wrote: > I thought about this some more and now I’m not sure that the membership_token > should only be implicit: > > The whole reason for HS messages to not be encrypted is that they can be > inspected along the way by an external party (e.g. the Delivery Service). If > this is not a requirement, MLSCiphertext should really be used instead. > Hiding the membership_token from external inspector means the inspector can not > verify the signature anymore. I think that defies the point of HS messages being > inspectable. > > The obvious fix is to include the membership_token in MLSPlaintext as well. > > Raphael > >> On 18 Aug 2020, at 21:01, Richard Barnes <rlb@ipv.sx <mailto:rlb@ipv.sx>> wrote: >> >> Here ya go: https://github.com/mlswg/mls-protocol/pull/396 >> >> On Tue, Aug 18, 2020 at 1:30 PM Joel Alwen <jalwen@wickr.com >> <mailto:jalwen@wickr.com>> wrote: >> >> > Joël, do you want to write a PR? If not, I could probably get to it in the >> > next couple days. >> >> Thanks. :-) If you could that would be really nice. >> >> - Joël >> >> On 18/08/2020 19:20, Richard Barnes wrote: >> > Sounds like we're converging here. The only question in my mind is what >> goes in >> > the MAC -- seems like the easy option is probably "the remainder of the >> > MLSPlaintextTBS", i.e., everything from group_id to the end. That seems >> like it >> > minimizes multiple serialization: >> > >> > tbs_content = serialize(group_id, ...) >> > membership_token = KDF.Extract(confirmation_key, tbs_content) >> > tbs = group_context || membership_token || tbs_content >> > >> > So the PR would be to basically pop the context off of MLSPlaintextTBS >> and add >> > the three lines above (with the switch for internal/external in prose). >> > >> > Joël, do you want to write a PR? If not, I could probably get to it in >> the next >> > couple days. >> > >> > --Richard >> > >> > On Tue, Aug 18, 2020 at 12:24 PM Raphael Robert <raphael@wire.com >> <mailto:raphael@wire.com> >> > <mailto:raphael@wire.com <mailto:raphael@wire.com>>> wrote: >> > >> > I think what you just described is indeed a combination of option 1 & 2. >> > It’s a MAC over the payload we want to authenticate, but it’s >> implicit and >> > we only include it in the MLSPlaintextTBS. Or in other words, we >> stripped it >> > from MLSPlaintext because it is implicitly known to any valid member >> of the >> > group. >> > >> > Raphael >> > >> >> On 18 Aug 2020, at 18:16, Joel Alwen <jalwen@wickr.com >> <mailto:jalwen@wickr.com> >> >> <mailto:jalwen@wickr.com <mailto:jalwen@wickr.com>>> wrote: >> >> >> >> Yeah, I like Option 2 here. I like that it avoids growing packet size. >> >> >> >> One caveat though: I'd go for the MAC(...) version rather than the >> >> confirmation_key. For starters thing including confirmation_key doesnt >> >> authenticate the contents of the packet. But even if it did, >> signatures aren't >> >> meant to hide the contents of what was signed. (Amend you favorite sig >> >> scheme to >> >> tack on the message at the end a signature and you've still got a >> secure >> >> signature scheme. But clearly not a message hiding one.) That means >> that AFAIK >> >> neither ECDSA nor EdDSA etc. were designed or analyzed for such a >> property. So >> >> this would amount to a very non-standard use of a signature schemes by >> >> MLS. Not >> >> saying it doesn't work for the particular sig schemes in our >> ciphersuite. But >> >> its def. not how signatures are "meant" to be used. >> >> >> >> But that leaves Option 2 with, say, including tag = MAC(conf_key, >> >> conf_trans_hash || MLSPlaintext.content) into whats being signed >> which I like >> >> and think gets the job done. Both conf_* values are taken from the >> current >> >> epoch. By MLSPlaintext.content I mean whats now called MLSPlaintextTBS. >> >> >> >>> I would propose that we do need something additional on Commit >> messages as >> >>> well as Proposals. >> >> >> >> @Richard: For Proopsals I think this works. Is that about what you >> had in mind >> >> for commits too? >> >> >> >> - Joël >> >> >> >> >> >> On 18/08/2020 17:26, Richard Barnes wrote: >> >>> Thanks for pointing this out, Joël. I agree that the attacks you're >> >>> describing >> >>> should work as things are currently specified. And they're salient, >> >>> especially >> >>> the "replace Alice in the group" one. >> >>> >> >>> Also agree with Raphael is correct that Commit is not affected by >> this, since >> >>> someone who is not a member won't be able to generate the right >> confirmation >> >>> value. However, I don't think this is actually the right design >> to adopt >> >>> for a >> >>> general solution to this problem. Confirmation verifies group >> membership >> >>> *after* processing the handshake message; the point here is that we >> >>> should also >> >>> have a membership check *before* processing handshake messages. In >> >>> particular, >> >>> I would propose that we do need something additional on Commit >> messages >> >>> as well >> >>> as Proposals. >> >>> >> >>> Thinking about solutions here, a couple of options come to mind: >> >>> >> >>> 1. Use MLSCiphertext, but with an integrity-only encapsulation >> >>> 2. Incorporate in the signature something that is only known to >> the group >> >>> (e.g., >> >>> confirmation_key or MAC(confirmation_key; confirmed_transcript_hash || >> >>> Proposal/Commit)) >> >>> >> >>> Option (1) has the appeal that you would only ever send >> MLSCiphertext, though >> >>> switching between encrypted/not could be problematic. Option (2) >> seems a lot >> >>> more appealing: It doesn't add any overhead, since the >> group-secret value >> >>> doesn't need to be sent. And we already switch between the >> signature context >> >>> that is added for group members vs. external. In fact, I think option >> >>> (2) would >> >>> just amount to a one-line change to include an extra, secret value >> in the >> >>> context at the top of the MLSPlaintextTBS struct. >> >>> >> https://github.com/mlswg/mls-protocol/blob/master/draft-ietf-mls-protocol.md#content-signing-and-encryption >> >>> >> >>> The only thing that seems odd about (2) is overloading signature >> >>> verification in >> >>> that way, i.e., using the ability to generate a signature over a >> secret >> >>> thing to >> >>> prove you know the secret thing. That doesn't seem obviously >> flawed to >> >>> me, but >> >>> worth thinking about. >> >>> >> >>> Does that make sense to folks? >> >>> >> >>> --Richard >> >>> >> >>> >> >>> On Tue, Aug 18, 2020 at 10:55 AM Raphael Robert >> >>> <raphael=40wire.com@dmarc.ietf.org <mailto:40wire.com@dmarc.ietf.org> >> >>> <mailto:raphael <mailto:raphael>=40wire.com@dmarc.ietf.org >> <mailto:40wire.com@dmarc.ietf.org>> <mailto:40wire.com@dmarc.ietf.org >> <mailto:40wire.com@dmarc.ietf.org>>> >> >>> wrote: >> >>> >> >>> Hi Joel, >> >>> >> >>> For context: this would only apply when applications use cleartext >> >>> MLSPlaintext for HS messages. The recommendation is still to >> encrypt them >> >>> and send them around as MLSCiphertext. >> >>> That being said, we said we would like to support scenarios >> where HS >> >>> messages are not necessarily encrypted. >> >>> >> >>> Question: would this attack work with Commit messages? I’m >> thinking that >> >>> they would be rejected because the attacker cannot compute the >> >>> confirmation_tag. >> >>> >> >>> As you mention in the PS, the easy target would be Proposal >> messages. >> >>> >> >>> I’d be interested to see what exactly you would propose as a >> mitigation >> >>> mechanism. >> >>> >> >>> Raphael >> >>> >> >>>> On 18 Aug 2020, at 16:36, Joel Alwen <jalwen@wickr.com >> <mailto:jalwen@wickr.com> >> >>>> <mailto:jalwen@wickr.com <mailto:jalwen@wickr.com>> >> >>> <mailto:jalwen@wickr.com <mailto:jalwen@wickr.com>>> wrote: >> >>>> >> >>>> Hey everyone, >> >>>> >> >>>> Something thats been bugging Marta Mularczyk and Daniel Jost and >> me for >> >>>> a bit >> >>>> now is that handshake messages sent out as MLSPlaintext packets >> are only >> >>>> authenticated using signatures, but not using the group's key >> schedule. For >> >>>> non-members that makes sense but for group members that's weaker than >> >>>> need be. >> >>>> >> >>>> Suppose Alice is in a group using signing key pair (spk, ssk). I >> corrupt >> >>> her to >> >>>> learn ssk. Now I loose access to her device again. Later she >> generates a >> >>>> fresh >> >>>> key package with her same spk but a new HPKE key for her leaf. >> She sends >> >>> out and >> >>>> update proposal for her new key package and someone commits to >> the update. >> >>>> >> >>>> Expected result: she (and the group at large) has achieved PCS again. >> >>>> >> >>>> Actual result: using her stolen ssk I can still forge a new >> proposal's >> >>> (sent as >> >>>> MLSPlaintext packets) coming from Alice. Some things I could do >> with this >> >>> power: >> >>>> - I can generate a new key package kp for Alice using her spk and >> some >> >>> HPKE key >> >>>> she doesn't know. Then I forge an update proposal for Alice with >> kp. If it >> >>> gets >> >>>> committed I've effectively kicked her out of the group. >> >>>> - I could forge Add's and Remove's coming from Alice, so I could >> trick the >> >>>> group into thinking Alice is trying to Add my account to the >> group or remove >> >>>> some other group member. >> >>>> >> >>>> Lemme know if I've missed something here in that scenario... >> >>>> >> >>>> >> >>>> If I didn't miss anything and the attacks really work as >> advertised then IMO >> >>>> this is kinda weak sauce and worth avoiding if possible. So to >> that end, how >> >>>> about we modify MLS such that MLSPlaintext packets coming from >> group members >> >>>> must also be authenticated using something from the application key >> >>>> schedule. >> >>>> Now the above attacks fail. As soon as Alice's update is gets >> committed I no >> >>>> longer know the group's key schedule and so can't forged packet from >> >>> Alice. More >> >>>> generally, this brings the PCS guarantees when using MLSPlaintexts >> >>>> frameing in >> >>>> line with what we're getting from MLSCiphertext packets. >> >>>> >> >>>> Any thoughts? >> >>>> >> >>>> - Joël >> >>>> >> >>>> >> >>>> >> >>>> PS. For concreteness, we could probably extend the current >> mechanism for >> >>> getting >> >>>> concistancy (the confirmation_tag) to also provide symmetric key >> >>> authentication. >> >>>> E.g. include most of the MLSPlaintext content into whats being >> tagged by >> >>>> confirmation_tag. That would cover the case of a commit packet >> and doesn't >> >>> even >> >>>> grow the size of MLSPlaintext packets over the current design. >> >>>> >> >>>> For a proposal packet we could also have a confirmation_tag but >> this one is >> >>>> computed using the *current* epoch's confirmation_key and >> >>> confirmed_transcript_hash. >> >>>> >> >>>> _______________________________________________ >> >>>> MLS mailing list >> >>>> MLS@ietf.org <mailto:MLS@ietf.org> <mailto:MLS@ietf.org >> <mailto:MLS@ietf.org>> <mailto:MLS@ietf.org <mailto:MLS@ietf.org>> >> >>>> https://www.ietf.org/mailman/listinfo/mls >> >>> >> >>> _______________________________________________ >> >>> MLS mailing list >> >>> MLS@ietf.org <mailto:MLS@ietf.org> <mailto:MLS@ietf.org >> <mailto:MLS@ietf.org>> <mailto:MLS@ietf.org <mailto:MLS@ietf.org>> >> >>> https://www.ietf.org/mailman/listinfo/mls >> > >> >
- [MLS] MLSPlaintext packets aren't authenticated u… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Raphael Robert
- Re: [MLS] MLSPlaintext packets aren't authenticat… Hale, Britta (CIV)
- Re: [MLS] MLSPlaintext packets aren't authenticat… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Richard Barnes
- Re: [MLS] MLSPlaintext packets aren't authenticat… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Raphael Robert
- Re: [MLS] MLSPlaintext packets aren't authenticat… Brendan McMillion
- Re: [MLS] MLSPlaintext packets aren't authenticat… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Richard Barnes
- Re: [MLS] MLSPlaintext packets aren't authenticat… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Brendan McMillion
- Re: [MLS] MLSPlaintext packets aren't authenticat… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Richard Barnes
- Re: [MLS] MLSPlaintext packets aren't authenticat… Richard Barnes
- Re: [MLS] MLSPlaintext packets aren't authenticat… Richard Barnes
- Re: [MLS] MLSPlaintext packets aren't authenticat… Brendan McMillion
- Re: [MLS] MLSPlaintext packets aren't authenticat… Hale, Britta (CIV)
- Re: [MLS] MLSPlaintext packets aren't authenticat… Raphael Robert
- Re: [MLS] MLSPlaintext packets aren't authenticat… Cornelissen Eric
- Re: [MLS] MLSPlaintext packets aren't authenticat… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Joel Alwen
- Re: [MLS] MLSPlaintext packets aren't authenticat… Richard Barnes
- Re: [MLS] MLSPlaintext packets aren't authenticat… Cornelissen Eric
- Re: [MLS] MLSPlaintext packets aren't authenticat… Raphael Robert
- Re: [MLS] MLSPlaintext packets aren't authenticat… Richard Barnes