IETF Logo Mail Archive

Re: [MLS] Hiding content type

Richard Barnes <rlb@ipv.sx> Fri, 24 July 2020 18:05 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 084F63A1105 for <mls@ietfa.amsl.com>; Fri, 24 Jul 2020 11:05:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GgjoEtLJzCnN for <mls@ietfa.amsl.com>; Fri, 24 Jul 2020 11:05:10 -0700 (PDT)
Received: from mail-qk1-x733.google.com (mail-qk1-x733.google.com [IPv6:2607:f8b0:4864:20::733]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BF943A1102 for <mls@ietf.org>; Fri, 24 Jul 2020 11:05:10 -0700 (PDT)
Received: by mail-qk1-x733.google.com with SMTP id 11so9477096qkn.2 for <mls@ietf.org>; Fri, 24 Jul 2020 11:05:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iZg/iW+if3g6yjIOBhx9BmaO0pBVFB/ljcXDrezQAGc=; b=QQrYWSd6t3mez2OlBgbG9HbcmY2FZUOyYXko4Uanm7O6ygwiCr9XeycQlzGTIC5fVX VFQm1K1Yip/bVJYDovcWJIuHqJSoPyaTEHXIsIh60oziqCZBuuGo4Psue5hbxQ5CH6tB +JaP5/4Ck8J2b6fPIIyTzY80UHxmhATjQzEOz5WMrmyqYqn8G8tz3MbVcHswiaAXyb0q Hedb6M20dn6Z95soV5dXgKM11ohHL8DK6VtQDgbuwlZbxt5HMvJON6lFTVYcGCt+3H3i TMHkyaqKZqWoZtRv5yxzM8DTL8wGRCSU0x3Qpk9vmk35a3rNy3DtBmDZj2XEHzvHoctv CaFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iZg/iW+if3g6yjIOBhx9BmaO0pBVFB/ljcXDrezQAGc=; b=ZA11r3MysG1UkCitN1Q4ITBn8ajnDpWF1NajWIvPTrO2NYh9t1KRk/NFw4///AL9iS Dwets+TKx0K1f94XnzSIRPWqkOqRoQZxi/awg8tlPGIIvQqLeqdnLa7ifAI6zyyv1A7m wxEipbOtj8+W38//ceon33PT1UG3UOAoV2yPcnIjQHAtcAlyhK2+QZ1Z4rxl05JBOue8 hAD+ogibdRkY0ch+ubMjYtreVcIiXfTf4P/z6LsusxRRLJ5X4Wm72dVge8PzF2FEX9n1 qqnjYhMRKrxiIpCNyOB4VJ3McYovfO/LNAxsDDjcaf5X1UB3zfHXWKvuYOUx8pZEi6Wi 8GrQ==
X-Gm-Message-State: AOAM5317XP7nQ4dvdy8fsLNEOVaeTKF4Ed6lYAo3brXQzLuhSlJU9qD4 OhNyCoaQGg95d4GdUJEjNknVfgQXB6UiXx1uAvc7/kFvGlo=
X-Google-Smtp-Source: ABdhPJzSX9bKqXiQnX1IJjpUvrsASZGSfVsnP+HvICJYIGypLxyZNQz+eqiD63wKO09BTF7/qeNxnMZYZRLgu3vTYew=
X-Received: by 2002:a05:620a:125b:: with SMTP id a27mr12095393qkl.371.1595613909574; Fri, 24 Jul 2020 11:05:09 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgT4jBiJNCoRBsBc7hRWBX0qzmZjC8B8XmJnGcZXgEiCdg@mail.gmail.com> <CABP-pSTW=7jK2hRHLYwydOyrfimfqti0Rih=BoBpqBJDfqf4QQ@mail.gmail.com> <CAL02cgT0KWJ21m70q5cL7NKBB+-Cjvb63YpgnBGoisScNqQchQ@mail.gmail.com> <CABP-pSR2UxWkKk6a_T9vN4cv89zCchNbN4YN=dS_qm5Ye4AjJA@mail.gmail.com> <FCAAD638-E0F8-4A91-90F1-1A2F1233D88F@nps.edu>
In-Reply-To: <FCAAD638-E0F8-4A91-90F1-1A2F1233D88F@nps.edu>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 24 Jul 2020 14:04:42 -0400
Message-ID: <CAL02cgQBge9V3YEtnxRPOxLuMWQzg_Y1XD_cmEX=q94ou6fe7w@mail.gmail.com>
To: "Hale, Britta (CIV)" <britta.hale@nps.edu>
Cc: Brendan McMillion <brendan=40cloudflare.com@dmarc.ietf.org>, Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000047773305ab33d00a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/jZyE50z7eIF0ROw3exOebDQe_Ok>
Subject: Re: [MLS] Hiding content type
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2020 18:05:13 -0000

I'm honestly really confused by the worry about collisions here.  The
current epoch ID collides trivially -- it's just a counter!  And the group
ID is assumed to be public anyway.  So if your authentication scheme is
broken when you have a (group ID, epoch ID) collision, then your scheme is
already broken.

If we're going to block this change on this basis, then we need to see
clearly articulated an authentication scheme that is secure in the current
model, but broken in the case where epoch IDs are derived off of the key
schedule.

--Richard

On Tue, Jul 14, 2020 at 10:38 AM Hale, Britta (CIV) <britta.hale@nps.edu>
wrote:

> Ensuring the most conservative design by default seems advisable; however
> it is not clear that this proposal for hiding content type is actually
> doing that. Indeed, if an application is concerned about hiding the content
> type, would not that same type of application also be concerned about
> collisions?
>
>
>
> As Brendan notes, we are not talking about accidental collisions here.
> Pre-computation is entirely possible, such as by a malicious group member,
> so the window of attack is not limited to one epoch.
>
>
>
> If this is this PR particular is of particular interest to some, then it
> would be good to see a clarifying explanation as to the security it
> achieves (i.e. why this is “security by design” despite introducing such
> collision possibilities), or a concrete use-case. Alternatively, are we
> really limited to a 64-bit field, or can that length be adjusted to
> mitigate the introduced problems?
>
>
>
>
>
>
>
> A clarifying point for those following this thread: some references in the
> email chain state that this is encryption of the epoch ID. That is not the
> case. The proposal being discussed is about a hash thereof (hence
> discussion on collisions).
>
>
>
> Britta
>
>
>
>
>
> *From: *MLS <mls-bounces@ietf.org> on behalf of Brendan McMillion
> <brendan=40cloudflare.com@dmarc.ietf.org>
> *Date: *Monday, July 13, 2020 at 9:37 AM
> *To: *Richard Barnes <rlb@ipv.sx>
> *Cc: *Messaging Layer Security WG <mls@ietf.org>
> *Subject: *Re: [MLS] Hiding content type
>
>
>
> As far as collision resistance, I'm not too worried about collisions among
> 64-bit random values, especially as the scope for collision is fairly
> small, arguably just one epoch.
>
>
>
> The issue isn't with accidental collisions, it's with malicious ones. An
> attacker can purposefully (and quickly) generate commits that create
> duplicate epoch ids, and send them to a client to corrupt their group state.
>
>
>
> I think the idea here is to be conservative by default.  There are systems
> in which you can hide the metadata you're talking about with things like
> mixnets and dropboxes.
>
>
>
> It's not just being more conservative, you're making changes specifically
> for very niche use-cases where I don't think the security of the whole
> system has been thought through. Maybe you have an example in mind, but I
> can't think of a system where this change provides any additional privacy.
>
>
>
> On Mon, Jul 13, 2020 at 10:56 AM Richard Barnes <rlb@ipv.sx> wrote:
>
> On Mon, Jul 13, 2020 at 10:57 AM Brendan McMillion <brendan@cloudflare.com>
> wrote:
>
> With respect to using an opaque epoch id, I believe this was proposed in
> #245 <https://github.com/mlswg/mls-protocol/pull/245> and consensus was
> against it because it makes it more difficult to implement the DS. It's
> also not clear to me what security properties you want from an opaque epoch
> id, because the current PR doesn't provide collision resistance and I'd
> expect this to be a source of confusion and bugs.
>
>
>
> I think the discussion on #245 got derailed a bit by the focus on
> non-linear epochs.  The point here is that even in a case where you have
> linear history, I think there's intrinsic value in the epoch ID being
> opaque because it gives intermediaries less opportunity for ossification.
>
>
>
> As far as collision resistance, I'm not too worried about collisions among
> 64-bit random values, especially as the scope for collision is fairly
> small, arguably just one epoch.
>
>
>
>
>
> With respect to encrypting the content type, it also seems to me that this
> would cause issues because different content types have different delivery
> guarantees. Specifically: messages are allowed to be unordered and lossy,
> proposals are allowed to be unordered but not lossy, and commits are both
> ordered and not lossy. In the deployment scenarios we've talked about, the
> DS essentially always needs to know the content type to provide this.
> Conversely, you don't get much additional privacy from encrypting the
> content type because an eavesdropper can see the epoch id change and infer
> which message was a commit, or see a dropped message getting re-sent and
> infer it was a proposal.
>
>
>
> I don't disagree that there are different guarantees you need, but like I
> said, I think the idea here is to be conservative by default.  There are
> systems in which you can hide the metadata you're talking about with things
> like mixnets and dropboxes.  Keeping the ciphertext as opaque as possible
> keeps the door open to running MLS over those systems without MLS's own
> metadata undermining their privacy properties.
>
>
>
> FWIW, in the systems I'm looking at building, this PR does not make any
> difference, because clients use separate channels for Proposals/Commits vs.
> application data and the server doesn't check.
>
>
>
> --Richard
>
>
>
>
>
>
>
> On Mon, Jul 13, 2020 at 8:56 AM Richard Barnes <rlb@ipv.sx> wrote:
>
> Hi all,
>
>
>
> Recall that PR#349 does two things (1) use an opaque epoch ID, and (2)
> encrypt the content type of the message (application / proposal / commit)
> [1].
>
>
>
> There was some discussion on the call last week that encrypting the
> content type might not be that useful, since an application that relies on
> a server to assure ordering of commits will need to at least be able to
> tell commits from other things.  Of course, even if the content type is
> encrypted by default, the application can add it back in authenticated
> data, or in some unauthenticated wrapper.
>
>
>
> Net of those considerations, I'm personally still inclined to merge the
> PR, to have a conservative baseline.  But those on the call thought it
> would be useful to pose this to the group, so please speak up if you have
> concerns.
>
>
>
> --Richard
>
>
>
> [1] https://github.com/mlswg/mls-protocol/pull/349
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>
>

v2.23.0 | Report a Bug | By Email