Re: [MLS] protections for MLS "handshake" messages
Raphael Robert <raphael@wire.com> Wed, 21 November 2018 17:33 UTC
Return-Path: <raphael@wire.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D0C1130DC1 for <mls@ietfa.amsl.com>; Wed, 21 Nov 2018 09:33:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.46
X-Spam-Level:
X-Spam-Status: No, score=-1.46 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E9HAcy2aufjd for <mls@ietfa.amsl.com>; Wed, 21 Nov 2018 09:33:29 -0800 (PST)
Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4660D12426E for <mls@ietf.org>; Wed, 21 Nov 2018 09:33:29 -0800 (PST)
Received: by mail-ed1-x531.google.com with SMTP id f4so5528736edq.10 for <mls@ietf.org>; Wed, 21 Nov 2018 09:33:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20150623.gappssmtp.com; s=20150623; h=from:content-transfer-encoding:mime-version:subject:date:references :to:in-reply-to:message-id; bh=yUxnqxEk5zi+qO8R4RGzVsO7OpVxBAYN8V5mph3Aj9s=; b=RDmpAwVS75dONF16fjxzJ4znmzQ1CSD3ZzG7594rjvoKin+eFQsIq171VeQ5RRq70e gSM2kcmrs8lhFSSmz40b9GcIICkJiLcQvkXKWan7RvWh4vwmJkk6oMr1gDInVNZqKkuC o0qh2P0VBrdYc5avBd8Y1clR98kkS4rBIobLCSdfDkZoPvsJjFygbzbX/GzZzupZAhGd hehtMdmMPObCISMzd8URexGGKBpx8AWYcypHb8+v/a7we+lU1GEiR+8NyWka7OJG1uJE H/q/WdI9e8D0Pwokh7u2twu8K2YyDnYzuPFCfLmxjruOnPFEMS+hmapw0OGgK0RV56hU 9phg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:date:references:to:in-reply-to:message-id; bh=yUxnqxEk5zi+qO8R4RGzVsO7OpVxBAYN8V5mph3Aj9s=; b=MV4ICVGQ6ZhzUCVCwwG5LzT3qtHaqqvKkBh3bF3vwXSs8xNy7gem1C1oO2UVr8TBGu 36AateQl79d4WU4wMML5E8zul2x/+faxeaWW9YvpIM9KflKnnwkfkJkQnpX5agIMWCsy 0f+Vkt3bDsFsww4Nv7r5o8XSHTRpfFjQQer8QxavdDB3RfzAnGk7psuoghyaYtFaNJM5 GIOhlYFJQMU/t7SwO+zcrttcDx79NLfCCdl8KW3qGvPIMy91b6i1AIC+zmSSqhl9uDcd CPkU0RGEu3jVEQEFhou3zVywK0B6c5KF5zSyDXT+aNxMSvBpoOeuOw702Lf9VT4MIpUk ARgw==
X-Gm-Message-State: AA+aEWbW7Nn/a8uwHcVy5vtBDIQRvR6zmVYQ4/JBHC0E7BPsskn1pToe u/QxsOOxAMPgZc515ZHHIykd3DcznsQ=
X-Google-Smtp-Source: AFSGD/UhWeqZnSwg14fm1gkGR4Uh27r9T4CNWL7GoayFAQt5PixQw+8nZzf7nPh5EHDDx076DcGuig==
X-Received: by 2002:a50:b667:: with SMTP id c36mr6719691ede.190.1542821606866; Wed, 21 Nov 2018 09:33:26 -0800 (PST)
Received: from rmbp.wire.local (h-62.96.148.44.host.de.colt.net. [62.96.148.44]) by smtp.gmail.com with ESMTPSA id p30sm11736191eda.68.2018.11.21.09.33.25 for <mls@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 21 Nov 2018 09:33:25 -0800 (PST)
From: Raphael Robert <raphael@wire.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
Date: Wed, 21 Nov 2018 18:33:24 +0100
References: <87fu0fxjhi.fsf@fifthhorseman.net>
To: mls@ietf.org
In-Reply-To: <87fu0fxjhi.fsf@fifthhorseman.net>
Message-Id: <8A6F8888-9FAB-47E9-ADF3-FE7995F13D3B@wire.com>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/i8NkIeFaAzmojXmoGybTIOuaH28>
Subject: Re: [MLS] protections for MLS "handshake" messages
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2018 17:33:31 -0000
At IETF 103 we discussed the possibility of encrypting handshake messages and also the fact that this might hinder the caching of public keys of the tree (caching would alleviate the cost of adding new members/devices to a conversation). I was wondering if we couldn't use a proxy re-encryption scheme to achieve both goals: - the proxy would be able to cache parts of the handshake messages, yet still not have access to the plaintext of handshake messages - the proxy would re-encrypt that data from epoch to epoch The keys for the encryption would be derived through the key schedule (and therefore from the group secret). This means the keys inherit the FS and PCS guarantees of the group secret. In typical proxy re-encryption schemes, Alice wants to share data with Bob and asks the proxy to re-encrypt the her ciphertext for Bob. In that scenario Alice only knows Bob's public key, but not his private key. This limitation is not applicable with handshake messages, as both private keys can be known and this might simplify things. It would be interesting to hear from cryptographers about the feasibility of such a scheme as well as from folks who have successfully implemented similar schemes. Raphael > On 19 Jul 2018, at 18:45, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote: > > In today's session, there seemed to be an open question that wasn't > explicitly addressed, so i wanted to raise it on the list. > > for lack of a better term, we're dividing MLS messages into > "application" messages and "handshake" messages. (i think we need > a better term for "handshake", but i'll use it here for consistency with > the current discussion) > > I believe we should provide encrypted cover, and a mechanism for padding > of handshake messages, not just for application messages. > > We want encrypted cover because i'd like the DS not to be able see > whether a given message is a handshake message or an application > message. > > and if it is a handshake message, i want to be able to make a handshake > message that shows up for a group of K people to look the same to an > observer as a handshake for a group of K+1 people (this motivates the > request for padding. > > I recognize that some of this might come into conflict with richard > barnes' vision of a DS that stores a cache of messages from each > participant in a given group for future replay -- so i think we need > further dicsussion on it. > > --dkg > > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls
- [MLS] protections for MLS "handshake" messages Daniel Kahn Gillmor
- Re: [MLS] protections for MLS "handshake" messages Joseph Lorenzo Hall
- Re: [MLS] protections for MLS "handshake" messages Paul Rösler
- Re: [MLS] protections for MLS "handshake" messages Katriel Cohn-Gordon
- Re: [MLS] protections for MLS "handshake" messages Daniel Kahn Gillmor
- Re: [MLS] protections for MLS "handshake" messages Eric Rescorla
- Re: [MLS] protections for MLS "handshake" messages Richard Barnes
- Re: [MLS] protections for MLS "handshake" messages Eric Rescorla
- Re: [MLS] protections for MLS "handshake" messages Benjamin Kaduk
- Re: [MLS] protections for MLS "handshake" messages Eric Rescorla
- Re: [MLS] protections for MLS "handshake" messages Richard Barnes
- Re: [MLS] protections for MLS "handshake" messages Daniel Kahn Gillmor
- Re: [MLS] protections for MLS "handshake" messages Daniel Kahn Gillmor
- Re: [MLS] protections for MLS "handshake" messages Eric Rescorla
- Re: [MLS] protections for MLS "handshake" messages Richard Barnes
- Re: [MLS] protections for MLS "handshake" messages Raphael Robert