IETF Logo Mail Archive

Re: [MLS] Unpredictable epochs?

Richard Barnes <rlb@ipv.sx> Fri, 26 April 2019 12:29 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A45B5120045 for <mls@ietfa.amsl.com>; Fri, 26 Apr 2019 05:29:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tLhX4fAk8zNH for <mls@ietfa.amsl.com>; Fri, 26 Apr 2019 05:29:17 -0700 (PDT)
Received: from mail-oi1-x22f.google.com (mail-oi1-x22f.google.com [IPv6:2607:f8b0:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67C4D120091 for <mls@ietf.org>; Fri, 26 Apr 2019 05:29:17 -0700 (PDT)
Received: by mail-oi1-x22f.google.com with SMTP id v10so2790260oib.1 for <mls@ietf.org>; Fri, 26 Apr 2019 05:29:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cEBiV01rY8DBvriUVslb6NCquNHNs+GGygBm9O/iXgw=; b=yJC4hb53xIFewMotYXWgHX5kkqOAVBZTi9lW/zpkWRPnpU5JK/L7ncsYyNzZ/AKe8Z 6JVXarq405gkNt2oCcYO8KiTVi4lmpDzS1yrCf+5yWqxAyYfs/+lRJWR/PjlDh8lRzJC zBAzOIVQXK70zTDyVwi9RnqneoQP7+kfkC5z4VsDoLKKNeb7io/Dp2GedRleHzsyg5sd VFTjWqcYRYfNxxdwbAqv/PjXIy6s3NmEv+SSohxOgA461E15u/cVb8CMiJrZZlI6CKll UUkoujS/NWzO+E9MSlTnfbGeY93GVlAf2cHdOt78eQiDxqjb8wDTCoRHDD46mQi3XRFe U5/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cEBiV01rY8DBvriUVslb6NCquNHNs+GGygBm9O/iXgw=; b=dRYWMuVp1s4bhSTkA+Sygs9a200c/gFw/hVUhJ4N8Xh48lV+CEK2ScxEh+Q+ZOXVv9 FlRrYeLpMGPb0XsrXh8WS5a7/jge60EB9NPQBotJa4eWmIHeKQ6VkFQHLpzjCPf2N6Xo +qXTXLnfUj5bngchhNQDJgcRVYI8rc12jZUcC1XPS2eqtqpS7N6/vcFNXULlDhcl8513 2IRyFH6tP+63pQyesTy7+gBD1BzVGlKfvuaIYzMZVvVbpH17rSW+Nbp+dtyPeVsoQets adffBDUUII3UsyKqFwP8vyOiu+eQ1SdyuUJow8/J8h/kTqSqzc39gN5oMY9eYkDTW2Cs Mwgw==
X-Gm-Message-State: APjAAAXf6W8qDc78HMJeGztc4WOxaifCsX74sDsUHsiPJRgjfza8EcrQ pm8M7TQif/dTYqeZ43+dRXyH9dKUeneWQuDdo4+xuw==
X-Google-Smtp-Source: APXvYqyGrytSw2VnvgvKfJ0BqS21EXiH7ajbgpgT2x9uvgJql85v1mRJGVTje2X9GRx8w5C/n161f/83rxRh2ZfeZfA=
X-Received: by 2002:a54:468a:: with SMTP id k10mr6827357oic.36.1556281756300; Fri, 26 Apr 2019 05:29:16 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgSE1xTF2Wsq-u=BCu2Z_4UzMzqMPi=D_H7_7hbRpUMVVA@mail.gmail.com> <2D195D14-9F9A-4D64-92EF-35C601C52C01@inria.fr> <CAL02cgR8gQ6cH_QXd_9v46aJ5aeo=b=1GiYu9YxCNYzJb0tOFQ@mail.gmail.com> <B36BF8F5-EAE9-4C96-A867-82CDFBF830C0@inria.fr> <CAL02cgQ7-JMQsG6sq6YBB3G-5tmCVQoo07nvW63tzBzHPQ0ZWw@mail.gmail.com> <AC74CACD-541B-49CD-9CC9-63343307A53D@fastmail.com>
In-Reply-To: <AC74CACD-541B-49CD-9CC9-63343307A53D@fastmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 26 Apr 2019 08:28:50 -0400
Message-ID: <CAL02cgR98gpF1HqDn31-xxUC6w3Orec_P=2VZ_5jc3xx6uLWCQ@mail.gmail.com>
To: Michael Rosenberg <micro@fastmail.com>
Cc: Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000414ed205876e15f7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/fFmizfkEEGh7DPWuNYCkk5JTrdw>
Subject: Re: [MLS] Unpredictable epochs?
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2019 12:29:21 -0000

Well, I don't think we can get rid of the epoch entirely.  For handshake
messages, you could maybe get by with the theory that if a message doesn't
apply to the single most recent state, then it's no good, so you don't need
to explicitly say which state it applies to.  But that seems painful,
especially if you want to tolerate a degree of partial order / forking
history.  For application messages, you definitely need it, otherwise you
have an issue with application messages being out of order with handshake
messages.

That said, it does seem like we could maybe steal the epoch from elsewhere
and save a few hash invocations.  The question is what value we could
re-use that wouldn't be leaking information.  The tree hash seems bad from
that perspective, because it is never transmitted in the clear otherwise.
Another option I had pondered was re-using the confirmation MAC value.  In
any case, as a first effort, it seemed simpler to derive a value for the
purpose.

W.r.t. the transcript hash - I have the same suspicion you do, but I am
waiting for someone with a security proof in hand to tell me it's OK to
remove :)


On Fri, Apr 26, 2019 at 2:22 AM Michael Rosenberg <micro@fastmail.com>
wrote:

> I like this idea, especially because it allows for partial ordering of
> GroupStates. One question: could the tree_hash be used instead of an epoch?
> The tree_hash...
>   * ...is not "predictable" in that it would require the DS to maintain
> state in order to establish an ordering on GroupStates
>   * ...necessarily changes after any GroupOperation is applied to a
> GroupState
>   * ...is already built into the GroupState
>
> So why not remove epoch entirely?
>
> Also, side note: given that the tree hash necessarily changes upon each
> update of the transcript, why is transcript_hash necessary anymore?
>
> -Michael
>
> > On Apr 23, 2019, at 11:03 AM, Richard Barnes <rlb@ipv.sx> wrote:
> >
> > Here's a PR:
> >
> > https://github.com/mlswg/mls-protocol/pull/152/files
> >
> > On Mon, Apr 22, 2019 at 6:52 PM Benjamin Beurdouche <
> benjamin.beurdouche@inria.fr> wrote:
> > +1
> >
> > On Apr 23, 2019, at 12:49 AM, Richard Barnes <rlb@ipv.sx> wrote:
> >
> >> True, you could have one unpredictable identifier that identifies both
> the group ID and the epoch.  I like how that looks on the wire, but would
> require a bit more bookkeeping in clients.  I might be inclined to go ahead
> and land an unpredictable-epoch PR in -05 (since that's a pretty small
> change), then look at folding in the group ID later.
> >> --RLB
> >>
> >>
> >> On Mon, Apr 22, 2019 at 6:42 PM Benjamin Beurdouche <
> benjamin.beurdouche@inria.fr> wrote:
> >> Side note before I forget. After merging the common framing, the only
> two things potentially remaining in the clear will be the group identifier
> and the epoch number (because we need those to pick the group key necessary
> to decrypt the sender info). Raphael and I talked about adopting a similar
> approach but generating an ephemeral Group Id at the same time. That could
> help a bit on the meta data protection side by making it harder for an
> adversarial DS to be able to correlate messages in delivery queues across
> groups and across epochs. The fact that this might be useful or not depends
> a lot on architecture assumptions though....
> >>
> >> B.
> >>
> >> On Apr 23, 2019, at 12:11 AM, Richard Barnes <rlb@ipv.sx> wrote:
> >>
> >>> Hey all,
> >>>
> >>> As I've been working with Benjamin on updating and landing the common
> framing PR, I noticed that the epoch is still exposing more information to
> the DS than it needs to.
> >>>
> >>> Right now, the epoch just increments by one every time the epoch
> changes.  This lets the DS track epochs statelessly -- it can take any two
> messages and see which was before the other, without the need for any
> ongoing tracking.
> >>>
> >>> However, the epoch only needs to be intelligible to members of the
> group, so we could generate epoch values in a way that would only be
> intelligible to members.  For example [1]:
> >>>
> >>> epoch_[n] = HKDF-Expand-Label(some_secret_for_epoch_[n], epoch_[n-1],
> "epoch", 4)
> >>>
> >>> That way, the DS could observe epoch changes, and observe how many
> messages were sent within each epoch.  But it wouldn't be able to
> understand the sequence unless it tracked things all along.
> >>>
> >>> A side benefit of this is that it allows the group to have forks in
> its history more cleanly, since different forks will have different epoch
> numbers.  That could allow some softness in the ordering requirement, as
> long as the group can eventually figure out which branch is the right one
> [2].
> >>>
> >>> Does this seem worthwhile to people?  The cost is a few extra hashes.
> To me, the completeness/consistency seems like a marginal benefit, but the
> clean forking seems pretty convincing.  If folks think this worthwhile, I'm
> happy to write up a PR.
> >>>
> >>> Thanks,
> >>> --Richard
> >>>
> >>>
> >>> [1] I would probably keep epochs at 4 bytes, because any more seems
> wasteful.
> >>> [2]
> http://mycours.es/gamedesign2012/files/2012/08/The-Garden-of-Forking-Paths-Jorge-Luis-Borges-1941.pdf
> >>> _______________________________________________
> >>> MLS mailing list
> >>> MLS@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/mls
> > _______________________________________________
> > MLS mailing list
> > MLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/mls
>
>

v2.23.0 | Report a Bug | By Email