Re: [MLS] Improving client authentication

Konrad Kohbrok <konrad.kohbrok@datashrine.de> Wed, 20 January 2021 12:34 UTC

Return-Path: <konrad.kohbrok@datashrine.de>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1050C3A11BB for <mls@ietfa.amsl.com>; Wed, 20 Jan 2021 04:34:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E17VTkt670RJ for <mls@ietfa.amsl.com>; Wed, 20 Jan 2021 04:34:51 -0800 (PST)
Received: from mout-p-101.mailbox.org (mout-p-101.mailbox.org [IPv6:2001:67c:2050::465:101]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01DCB3A11BC for <mls@ietf.org>; Wed, 20 Jan 2021 04:34:50 -0800 (PST)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4DLQ2d1pMDzQlWQ; Wed, 20 Jan 2021 13:34:49 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from smtp1.mailbox.org ([80.241.60.240]) by spamfilter02.heinlein-hosting.de (spamfilter02.heinlein-hosting.de [80.241.56.116]) (amavisd-new, port 10030) with ESMTP id 2MELhC_77rUS; Wed, 20 Jan 2021 13:34:45 +0100 (CET)
Date: Wed, 20 Jan 2021 13:34:42 +0100 (CET)
From: Konrad Kohbrok <konrad.kohbrok@datashrine.de>
To: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>, Raphael Robert <raphael=40wire.com@dmarc.ietf.org>
Cc: ML Messaging Layer Security <mls@ietf.org>
Message-ID: <2030165147.99189.1611146082580@office.mailbox.org>
In-Reply-To: <186C9715-C8E7-4F59-99F4-66B2D86AAAB4@inria.fr>
References: <D6B0B977-776C-49B5-BB7D-312D7674FF4F@wire.com> <186C9715-C8E7-4F59-99F4-66B2D86AAAB4@inria.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
Importance: Normal
X-MBO-SPAM-Probability:
X-Rspamd-Score: -5.77 / 15.00 / 15.00
X-Rspamd-Queue-Id: D797D1857
X-Rspamd-UID: 5e9ef9
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/gu6FoLE-2OI8VY-BbGrUtCSMDYs>
Subject: Re: [MLS] Improving client authentication
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2021 12:34:53 -0000

Hi everyone,

In light of this discussion, I've re-opened PR #439 (https://github.com/mlswg/mls-protocol/pull/439), which proposed to make identities unique on a per-group basis. I've changed the PR to include signature keys as well. I'd appreciate any feedback!

Cheers,
Konrad



> Benjamin Beurdouche <benjamin.beurdouche@inria.fr> hat am 09.12.2020 10:23 geschrieben:
> 
> 
> Hi Raphael, Hi all,
> 
> I finally had time to have a look at your proposal and I agree with it. I think this is a nice improvement.
> 
> See more inline:
> 
> 
> 
> > On 29 Nov 2020, at 18:13, Raphael Robert <raphael=40wire.com@dmarc.ietf.org> wrote:
> > 
> > 
> > Hi all,
> > 
> > Recently there was some discussion about identities and credentials in MLS [1][2], in particular whether identities and signatures should be unique per group. The architecture draft defines things as follows:
> > 
> > "Formally, a Client is a set of cryptographic objects composed by public values such as a name (an identity), a public encryption key and a public signature key. Ownership of a Client by a user is determined by the fact that the user has knowledge of the associated secret values. When a Client is part of a Group, it is called a Member and its signature key pair uniquely defines its identity to other clients or members in the Group. In some messaging systems, clients belonging to the same user must all share the same identity key pair, but MLS does not assume this.
> > 
> > Users will typically own multiple Clients, potentially one or more per end-user devices (phones, web clients or other devices...) and may choose to authenticate using the same signature key across devices, using one signature key per device or even one signature key per group.”
> > 
> > In other words: while not encouraged, clients can have the same identity and the same signature key. As such, they become mostly indistinguishable from each other, except for their index in the tree. This was initially worded that way to clearly support real-world use cases where clients indeed have the same credential and MLS can just be used as a key negotiation protocol that builds on top of that. So far this has not received a lot of scrutiny, but I can see scenarios where this can clearly lead to attacks. A first scenario is described by Britta in [2]. Another attack – where attackers use said indistinguishability for impersonation – could go as follows:
> > 
> > - Alice has two devices, A1 and A2. Both devices use the same credential, meaning they have the same identity and signature key.
> > - An attacker briefly compromises A2 and creates a legitimate key package.
> > - The attacker then creates an UpdateProposal with that key package and uses the index of A1 as the sender in the MLSPlaintext framing, as well as a RemoveProposal for A2.
> > - Other members receive and process these proposals, and to them the UpdateProposal looks like it was issued by A1 (since the index is the one from A1 and the signature key is shared between A1 and A2).
> > - Finally one of the other members sends a Commit referencing the proposals, seemingly evicting A2 from the group.
> > - The attacker however still knows the HPKE private leaf key of A1 and is therefore still part of the group and can act as a passive attacker until A1 is evicted.
> > - Incoming messages will look broken for A1, but it might take a while before A1 notices, if ever.
> > 
> > Besides UpdateProposals, A2 could also send a full Commit or application messages in the name of A1. Maybe other attacks could be mounted that way.
> 
> To start with, I agree this is a valid threat that we should consider.
> 
> This attack is something that we have known for a while and is part of multiple variants of
> this problem, but there are no clear solutions in the context of a strong threat model.
> This is simply because for MLS we have a significantly stronger threat model than all other
> messaging systems have as we often consider active malicious insider and full state device
> compromises which lead to many-group compromises.
> 
> For instance, if I am correct, the attack you mentioned is valid because it works across devices,
> so the natural solution is key separation. But this solution would not work - even if there were
> one signature key per group on the device - in the case where you consider that compromising
> the device will lead to a compromise of all signature keys on the device (of all groups).
> 
> Is this a reason for not doing anything here? No. Even though we can’t achieve perfect security,
> especially in the context of strong attackers performing targeted attacks, **I am very inclined
> to agree with you and force requiring the signature key to be unique per group** as it provides
> better defense in depth. This makes me immediately think about the problem of detecting the key-reuse
> which is not an easy task to handle. An honest DS would be helpful as it could help check that all
> the stored key packages for a user have different signature public keys, but that’s not perfect
> and my intuition is that the best case is a situation where we can prove some security only in
> the absence of an attack and not in cases of compromise. Note that this problem of key reuse
> detection already exists and is not new, so that can’t be an argument against *requiring* unique keys.
> 
> > I think these kind of attacks are bad enough to look at things again. I propose the following:
> > 
> > 1. Restrict the sharing of credentials: Identities and signature keys MUST each be unique per group.
> 
> I am in favor of doing this. As you note below, we can also leverage OS keystores and
> hardware features to limit the ability of the attacker to compromise all keys (including across groups) at once.
> In that situation we can reduce the risk to an attacker being able to sign arbitrary things
> without having access to the actual key, which is good for both FS and PCS.
> 
> 
> > 2. Solve the use case of per-user devices differently.
> > 
> > Regarding the latter, I think we already have all the ingredients we need. The protocol spec has the following definition of credentials:
> > 
> > struct {
> > CredentialType credential_type;
> > select (Credential.credential_type) {
> > case basic:
> > BasicCredential;
> > 
> > case x509:
> > Certificate chain<1..2^32-1>;
> > };
> > } Credential;
> > 
> > We can use the fact that a whole chain can be provided for the X509 type. So in case an application wants to use a per-user certificate, this certificate could just move up in the chain and sign a per-device certificate that has a unique identity and signature key. And btw, the same chain could also be allowed for the BasicCredential type with a small spec change.
> 
> I also agree with this, intermediates can be used in a very efficient way.
> 
> Something less relevant to this discussion but I want to mention it here...
> This raises an issue that I have seen a lot over the last few years: we need something
> which performs a similar role to the WebPKI but doesn’t have the complexity of X.509.
> Note that half of the attacks against TLS implementations are actually attacks against
> ASN1/X.509 parsers, and we don’t really need this complexity for MLS.
> 
> We should probably use X.509 in many cases because it is well supported by HSMs
> but in the long run, I think we should create WG and start thinking of a replacement to
> X.509 for places (not the Web) that don’t need the complexity.
> 
> 
> 
> > Why is this better than before? Isn’t this just shifting the problem, because the per-user certificate could still issue an arbitrary number of per-device certificates?
> > 
> > Firstly, impersonation attacks become harder (if not impossible) because the signature keys used to sign handshake & application messages are no longer shared across multiple devices.
> > 
> > Secondly, the (private) signature key of the per-user certificate is now only used very rarely, namely in the situation where a new per-device certificate needs to be issued. This opens up new possibilities to better protect that key: it doesn’t have to be on the device necessarily, or it could be stored in a secure enclave, or it could be encrypted with a passphrase the user needs to provide, etc. None of these protection mechanisms could be applied to the per-device certificate, because its signing key needs to be readily available at all times (e.g. mobile messaging apps typically do operations in the background without requiring any action from the user, like sending end-to-end encrypted delivery receipts).
> > 
> > Thirdly, we could limit the validity of the per-device certificate. As mentioned above, that signature key is still relatively exposed and might as accessible to an attacker as the rest of the group state during a brief compromise. Limiting for how much time a per-device certificate is valid, would at least mitigate the risk a bit. We could allow updates to the per-device certificate under the condition that a) the UpdateProposal is signed with the old certificate, b) that the identity doesn’t change and c) that the per-user certificate is still the same.
> > 
> > I think the above proposal would make authentication in MLS better while still catering for the initial use cases.
> 
> Overall, I think these proposals are good and we I suggest we do this !
> Thanks for looking into it.
> 
> Ben.
> 
> 
> > 
> > Raphael
> > 
> > 
> > [1] https://github.com/mlswg/mls-protocol/pull/439
> > [2] https://mailarchive.ietf.org/arch/msg/mls/6tjSWyAesfU125IFRDfMhRLtsPM/
> > 
> > _______________________________________________
> > MLS mailing list
> > MLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/mls
> 
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls