IETF Logo Mail Archive

Re: [MLS] Stupidest possible message protection

Raphael Robert <raphael@wire.com> Mon, 03 December 2018 15:46 UTC

Return-Path: <raphael@wire.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29DA5130E4B for <mls@ietfa.amsl.com>; Mon, 3 Dec 2018 07:46:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.359
X-Spam-Level:
X-Spam-Status: No, score=-3.359 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HkeZ2qa70t-b for <mls@ietfa.amsl.com>; Mon, 3 Dec 2018 07:46:30 -0800 (PST)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7656112D7EA for <mls@ietf.org>; Mon, 3 Dec 2018 07:46:30 -0800 (PST)
Received: by mail-wm1-x331.google.com with SMTP id y185so7279045wmd.1 for <mls@ietf.org>; Mon, 03 Dec 2018 07:46:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20150623.gappssmtp.com; s=20150623; h=from:mime-version:subject:date:references:to:in-reply-to:message-id; bh=eEEs5iMLitSBgYvaGgxiqlYQsz7kEcDqytWgX6AtVPo=; b=pVQol+2e3JgMU9FQJ3DSBYm1Y1tglIRN3LNNeSoZuuyoQDjgx4iu0+q2u4KPpbI9bl qOPUwcCOWxnvnftGoFiusLJ9XX5QKup4PMcDIzxgcrnMhyE3tQWFThpdIdIHI2k79oxQ wT6yqEZNTU/PnZiFbiQ1kQgubQS15lBevqgXg2enfZUyd9CwbcSK55aQRI68OSDvpTkl utn8nOlOQCDk84VDHyyCrKbtyHyMtBWqwPXZ2QB9BzGLFR0OFnEtD8SShWmfEQxwT/Oe R6VytmPhwX6msDd3nNn1Es4859I0x/fv4gfj+gzt95xnxlMPD4Eb53GGYPWqOwZF73gi UVkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:date:references:to :in-reply-to:message-id; bh=eEEs5iMLitSBgYvaGgxiqlYQsz7kEcDqytWgX6AtVPo=; b=bH2CYPe8SFf/RHeiprjhsBH9B8ZoiO6/EGypuRRFfEwr4cecBlfVdkqgVl6AiCvze3 ydSNRzjiI/kn/l/vRwmDproA9oURYO88uegJ4+puxPVpqX9EePErmsOqW5It6YW25NxP fDMOgk6H7YdgU0DbAVBBNFVgKOfj/qI8PtyL+pYAYO+eRqABqlfw6/J7oHtcc5TZZsGp xVjJDWZ4pynfCrv/E2SAUMYiS37orXfNVZEywcEBe0D47KZr4jrsHaJqn7JGnH6cyrtW iLS8lSxZcDTldkTwRXd6uNU8Nl5CR6Sfxh9awDR/QsyrKcNHefeqIwwQjl4CExQjXS45 fYtg==
X-Gm-Message-State: AA+aEWYxUmgAqrn1ujjTQT8Iq9np5nA32mEapdsv0dauRH7NMu+bkb0i 04E3MpVetYoQFzcKYkYO9iEq9slJJIw=
X-Google-Smtp-Source: AFSGD/WZNctXEfDIqV6g8PJaa8PdU02P3NqVhWn9RtcQKzttQcrhb2sqBhBLGbOsrUgeDR7VkFGmsw==
X-Received: by 2002:a1c:a4c3:: with SMTP id n186mr8501402wme.89.1543851988062; Mon, 03 Dec 2018 07:46:28 -0800 (PST)
Received: from [10.19.48.1] (ec2-35-157-152-32.eu-central-1.compute.amazonaws.com. [35.157.152.32]) by smtp.gmail.com with ESMTPSA id o8sm10915811wrx.15.2018.12.03.07.46.26 for <mls@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 03 Dec 2018 07:46:27 -0800 (PST)
From: Raphael Robert <raphael@wire.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_70070139-304A-441D-9C0E-A11030D1D1EB"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
Date: Mon, 03 Dec 2018 16:46:25 +0100
References: <CAL02cgTjD==YgS848sBWEGrBBkNMAtbUXJuV6RrDmak_+Mu6fw@mail.gmail.com> <6369845D-4139-4043-90F8-08AFAD4EE47B@gmail.com> <CAL02cgQFUNYVQHFni9JkwRn7Zo9kL52KyazAuL+YQVFBQT1RHg@mail.gmail.com>
To: mls@ietf.org
In-Reply-To: <CAL02cgQFUNYVQHFni9JkwRn7Zo9kL52KyazAuL+YQVFBQT1RHg@mail.gmail.com>
Message-Id: <D43F3ED4-E2FF-46C1-B10A-0C6169137738@wire.com>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/hFiT2VUhq1tYuoOh-b5CQcRmfU4>
Subject: Re: [MLS] Stupidest possible message protection
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Dec 2018 15:46:34 -0000

I agree with Richard that letting clients choose is a good idea. I think that for the sake of simplicity clients should choose whether to encrypt HS messages or not right at group creation (and prevent downgrade attacks by committing to extra state in the group state, just as mentioned). We can always explore later how we would handle “HS message protection agility”, if this turns out to be necessary.

The tree
————

The parts of the HS messages that would have to be in cleartext are mentioned on Richard’s slides [1] on the last slide ("Expose information for server assist”). The exposed bits are marked in orange.
This exposes the public DH keys of the tree to the server, as well as the structure of the tree. It allows the server to cache that data and make it available to new clients/members, so that existing clients/members don’t have to upload that data again. New clients/members can selectively download parts of the tree or all of it.

Right now I can think of 3 problems that should be further assessed:

1) How sensitive is a tree with only public keys? Does it leak more than the obvious statistical metadata (such as: group size, frequency of updates/add/removes, etc.)? If the leaf keys contain the same DH public key as UserInitKeys that are published on the server (because the clients did not yet perform an update), those leaves could be correlated with an identity of the members (see also further below in the roster section).

2) What if the server is not honest and modifies the tree? The remedy that has been proposed is to use an additional Merkle tree to verify the integrity of the ratcheting tree. The root of the Merkle tree would be transmitted as an encrypted commit hash in a Welcome HS (see penultimate slide of [1]).

3) What if the server is honest, but cannot distinguish between valid and invalid HS messages (and therefore caches the wrong values)? This problem could theoretically be solved with ZK proofs (mentioned in a different thread on the ML), but the preliminary conclusion is that ZK proofs would most likely be too expensive. Instead, the server could do versioning and discard version based on a sufficient number of NACKs received from different clients. Potentially clients could also request a specific version that is identified by the commit hash.
Note that this is also a problem for clients even when fully encrypted HS messages are used. Clients cannot always know if a HS message is valid or not (see relevant thread on the ML).

The roster
—————

The roster is unambiguously considered sensitive data, as it is essentially the members list of a group. The DS is the server part tasked with delivering messages, therefore the DS needs some notion of where to deliver messages to as they come in from clients. A few possibilities exist:

1) The roster is public anyway: In that case no special protection is needed on the HS level.

2) The recipient list is sent to the DS in real-time with every message that is sent out by a client. In that case the roster is only temporarily visible to the DS for the time of the fanout. This is probably similar to observable metadata in terms of scope, as long as the DS doesn’t not persist the recipient list anywhere.
2a) Similar to 2), but the participant list is stored on the DS encrypted with a key that is only held by clients and shared with the server every time a message is sent (and the server forgets the key immediately after the fan-out). This solutions does not have any FS as such, unless we can come up with more fancy schemes such as proxy re-encryption (see separate thread on the ML).

3) A fancy and privacy-preserving pubsub scheme? Suggestions are welcome, but keep in mind that most messengers use push notifications for smartphones (Apple push notifications and Google FCM) that require messages to be actively pushed to them, rather than listening for messages that fly by.

If the DS doe not have any knowledge of the roster whatsoever, we probably have to think about DoS attacks against a group. For example, an evicted member could still spam the group with (invalid) messages, because in a naive implementation the evicted member just needs to know the group ID to ask the server to fan out messages.
There might be privacy-preserving ways to prove group membership, such as re-using the root key pair of the ratcheting tree as a signing key pair. The server could verify those signatures and come to the conclusion the signing member must know the current private root key, as opposed to an evicted member. Further (and more formal) scrutiny would be good here.

In a nutshell, these are the ideas I’ve heard and discussed with folks so far. If I missed something or if you think there are alternative ways to better solve these problems, please chime in here or on the other relevant threads of the ML. 

Raphael


[1] https://datatracker.ietf.org/meeting/103/materials/slides-103-mls-sessa-stuff-00

> On 3 Dec 2018, at 09:28, Richard Barnes <rlb@ipv.sx> wrote:
> 
> 
> 
> On Mon, Dec 3, 2018 at 3:01 AM Karthikeyan Bhargavan <karthik.bhargavan@gmail.com <mailto:karthik.bhargavan@gmail.com>> wrote:
> > One way to try to split this baby would be to try to evaluate what information the server needs in order to provide its assistance, and leave that unencrypted.  This solution would of course require that we convince ourselves that the unencrypted bits are actually not sensitive, and would entail a fair bit of complexity in the encryption system.
> 
> Let me poke a bit more at this option. What minimal information do you think the server needs in order to provide its assistance?
> 
> If you take a look at Raphael's slides from the Bangkok meeting, there are a couple of different types of assistance the server might provide.  Most of these revolve around the linear-size pieces of group state: The (public keys in the) tree and the roster.  The server could cache a copy of the tree so that clients could download slices of it as needed.  Clients would have to either trust the server to do this or arrange the hash in the GroupState so that the slices could be verified.  That's where a lot of the complexity comes from.
> 
> Arguably, there's no harm in exposing the tree, since it should just be all random key material.  (Except in the case where you put a DH key from a UserInitKey at a leaf, in which case it can be used to correlate.)  Exposing the roster is obviously problematic.  Maybe Raphael has some ideas here.
> 
> --Richard
> 
> [1] https://datatracker.ietf.org/meeting/103/materials/slides-103-mls-sessa-efficiency-00 <https://datatracker.ietf.org/meeting/103/materials/slides-103-mls-sessa-efficiency-00>
> 
>  
> 
> -Karthik
> 
> > 
> > Another, simpler, approach we could take is to punt the decision to the application.  We would define in the document two options:
> > 
> > 1. Send Handshake messages in the clear
> > 2. Send Handshake messages encrypted as Application messages
> > 
> > (And specify details like how you do Welcome+Add, how you disambiguate Handshake from other Application messages.)  But we would not specify which of those paths a given application would do.
> > 
> > What do folks think about that idea?  Personally, I find it kind of appealing in its simplicity, though I acknowledge it adds another variable for interop testing / interop failure.  And if you want to make an MLS API, it's another switch to support.
> > 
> > Cheers,
> > --RIchard
> > 
> > 
> > _______________________________________________
> > MLS mailing list
> > MLS@ietf.org <mailto:MLS@ietf.org>
> > https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls>
> 
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls

v2.35.0 | Report a Bug | By Email | System Status