IETF Logo Mail Archive

Re: [MLS] Stupidest possible message protection

"Katriel Cohn-Gordon" <me@katriel.co.uk> Sun, 02 December 2018 23:15 UTC

Return-Path: <me@katriel.co.uk>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A98C130DCC for <mls@ietfa.amsl.com>; Sun, 2 Dec 2018 15:15:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.678
X-Spam-Level:
X-Spam-Status: No, score=-1.678 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MISSING_HEADERS=1.021, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=katriel.co.uk header.b=GVxDaMQS; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=JBLMEyYi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9lSVpQKxV6Lw for <mls@ietfa.amsl.com>; Sun, 2 Dec 2018 15:15:15 -0800 (PST)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFB31130DCB for <mls@ietf.org>; Sun, 2 Dec 2018 15:15:15 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 92EFC20964 for <mls@ietf.org>; Sun, 2 Dec 2018 18:15:14 -0500 (EST)
Received: from web5 ([10.202.2.215]) by compute6.internal (MEProxy); Sun, 02 Dec 2018 18:15:14 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=katriel.co.uk; h=message-id:from:cc:mime-version:content-transfer-encoding :content-type:subject:references:date:in-reply-to; s=mesmtp; bh= cTnxyTtydwP6HhFEyha6a3fFBjwGDAISPaTTwxNUcNg=; b=GVxDaMQSER2NuMgd XlFULfUUT21w0pbwAfmPgufSFWZYhoV4lT2HahINuVkkAEvQYxP96SkXP3AHFFCY wMmMrv2ECPseCVk3I59wbUh1wC/8m+v8qJ8cshBZ1jSCq4q5lf0+XC0OjpRRoxPY 1DCmU9PwQCaync/Lu/d22Sl9Tx0=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=cTnxyTtydwP6HhFEyha6a3fFBjwGDAISPaTTwxNUc Ng=; b=JBLMEyYidRYKMdCkl3uhRyKur8/KWDCJV1q1G33C2pNEatulakFPsgyAl 81WclMNiMDPZmgfG6AmfvZ8y7oBPDC+pwu8Uqum+tG9lIVFx9pCTqSFOJb058ory MZi5vx3xftK5x3i0LdaiGgWoAD7NmWWqLdLE8Q8W4/f0EOLasKzn8Je8v8wNisHH HeEdRU41uWyAT4OZ6NGe/ws9o1GZjUK8vUItlptU1XKIMjyqryg1IJx0uYZoshNy s/+DNfJ23YDXwin8piYyoWtGpwJ0kBRB4BKOC5xB1C1QVvv5qJn92X0F/oUSFCDd GZ9ESf/zeQgRMlD67EqD7tYBBJ+AA==
X-ME-Sender: <xms:gmcEXPU_6UW3Z5NvQzGqiNP6lWzb2sY6ntolfzHmvbmJss8QBCcYGw>
X-ME-Proxy: <xmx:gmcEXAJmIIwhxKH7un_R0NiPsUGBdn4y0da5vnKzC2r4tDSBA4bIhg> <xmx:gmcEXGlcE5VKaHclazzlg_H-xGYYjEydI1p2c8roWsTPsY6-bIAsMw> <xmx:gmcEXONiH-eFf9kFLRmYq1zsVaLqWptcstUohN7pk1KF8ax4gZ7wTg> <xmx:gmcEXFwaMx1brF5W_-bcsDqLHxsetaOeAxiLgf5eawjbFM5EGHJPIA> <xmx:gmcEXGmSEgsidC4iWBul_EVQNi_wdrv18zcAFe0csSDNtkegVdgTKg> <xmx:gmcEXCIlyelWJr088LbFPyAR-Siq34xdWuyJYPfO9fsvwNPn-e7DOA>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id D6C259E11A; Sun, 2 Dec 2018 18:15:13 -0500 (EST)
Message-Id: <1543792513.2270495.1596377416.0D5076E7@webmail.messagingengine.com>
From: Katriel Cohn-Gordon <me@katriel.co.uk>
Cc: mls@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="_----------=_154379251322704950"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-3449945b
References: <CAL02cgTjD==YgS848sBWEGrBBkNMAtbUXJuV6RrDmak_+Mu6fw@mail.gmail.com> <CACsn0ckND-uBNwcfQTZrY+7sZr6OWqkA1_z71Jb7PHYz7yh6dg@mail.gmail.com> <CAL02cgSfqV-r3kvJkdi0E7H44MMuYJTOux0xWNi0F55iCuwZ-A@mail.gmail.com>
Date: Sun, 02 Dec 2018 23:15:13 +0000
In-Reply-To: <CAL02cgSfqV-r3kvJkdi0E7H44MMuYJTOux0xWNi0F55iCuwZ-A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/dcOZuZqHzApeMwdbDlfJDb_fiFQ>
Subject: Re: [MLS] Stupidest possible message protection
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Dec 2018 23:15:18 -0000

This seems like a neat approach; I agree that putting the bit into the
GroupState is a good idea.
As Watson says, this could be an opening for downgrade attacks, so we
should make sure that there's as little negotiation as possible about
the "encrypt handshake messages" bit. Having it just go in the group
state and requiring clients to know it seems fine, although there is the
case of an app which previously didn't encrypt handshake messages and
now wants to.
At a high level I support the idea.

k


On Sun, 2 Dec 2018, at 10:51 PM, Richard Barnes wrote:
> 
> 
> On Sun, Dec 2, 2018 at 17:31 Watson Ladd
> <watsonbladd@gmail.com> wrote:>> On Sun, Dec 2, 2018 at 2:25 PM Richard Barnes <rlb@ipv.sx> wrote:
>>  >
>>  > Hey all,
>>  >
>>  > As we discussed in Bangkok, there are trade-offs between
>>  > encrypting handshake messages and enabling the delivery service to
>>  > assist with scaling.>>  >
>>  > One way to try to split this baby would be to try to evaluate what
>>  > information the server needs in order to provide its assistance,
>>  > and leave that unencrypted.  This solution would of course require
>>  > that we convince ourselves that the unencrypted bits are actually
>>  > not sensitive, and would entail a fair bit of complexity in the
>>  > encryption system.>>  >
>>  > Another, simpler, approach we could take is to punt the decision
>>  > to the application.  We would define in the document two options:>>  >
>>  > 1. Send Handshake messages in the clear
>>  > 2. Send Handshake messages encrypted as Application messages
>>  >
>>  > (And specify details like how you do Welcome+Add, how you
>>  > disambiguate Handshake from other Application messages.)  But
>>  > we would not specify which of those paths a given application
>>  > would do.>>  >
>>  > What do folks think about that idea?  Personally, I find it kind
>>  > of appealing in its simplicity, though I acknowledge it adds
>>  > another variable for interop testing / interop failure.  And if
>>  > you want to make an MLS API, it's another switch to support.>> 
>>  Doesn't the server need to agree with the client how to do this?
> 
> The server needs to be aware of it’s going to provide any assistance,
> yes.   But in principle, clients could choose to encrypt and the
> server would never know.  I think the more important question is
> whether clients all need to agree.> 
>> And
>>  what about downgrade attacks?
> 
> Seems like there are basically two choices: (1) don’t worry
> about it, let the application figure it out, or (2) include the
> “encryptHandshake” bit in the GroupState so that everyone
> agrees on it.> 
> I think (1) is probably sufficient, since I think most apps will pick
> one.  But (2) seems prudent.> 
> —Richard
> 
> 
>> 
>> >
>>  > Cheers,
>>  > --RIchard
>>  >
>>  >
>>  > _______________________________________________
>>  > MLS mailing list
>>  > MLS@ietf.org
>>  > https://www.ietf.org/mailman/listinfo/mls
>> 
>> 
>> 
>>  -- 
>>  "Man is born free, but everywhere he is in chains".
>>  --Rousseau.
> _________________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls

v2.35.0 | Report a Bug | By Email | System Status