Re: [MLS] Use Cases for avoiding Forward Secrecy
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 28 February 2018 23:03 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA86D127023 for <mls@ietfa.amsl.com>; Wed, 28 Feb 2018 15:03:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oUePavs5lbPZ for <mls@ietfa.amsl.com>; Wed, 28 Feb 2018 15:03:33 -0800 (PST)
Received: from mail-ot0-x229.google.com (mail-ot0-x229.google.com [IPv6:2607:f8b0:4003:c0f::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D44B126FDC for <mls@ietf.org>; Wed, 28 Feb 2018 15:03:33 -0800 (PST)
Received: by mail-ot0-x229.google.com with SMTP id l5so3842819otf.9 for <mls@ietf.org>; Wed, 28 Feb 2018 15:03:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=8Xc+524sI/+KovON+PWgxvWD8MmXiVEJfVGj0BNbFcY=; b=L4ZKyepmHyowC51TNs0+2Z/tC99eLMuM9Xuh8xSxv4hd+efcBA1AOQW9RH2TYTASpa cknazvev7SR6sCt/ATgC+/ldHY6vwvDVJa5jkxWh78v+r9JSA7bkr+jQOB86XsHXaff8 ffeS0QryK5CCXE4AXLyAXYIgFltVw+nhZ/OIGStVP1TyjqZ52+jXTL9SPLFbrJNU6uMx x3YTSxp7htIP3ejqGYle81NI/C0sM8XQgP5HkzZmrzLhfkx7w7WZKT6Y1V+tUuRMSyf2 hbywh2kDHBF14XSz9p/XzhfpokKsUVctYLct3jAZiPYyjH+GboBmWCsRoTXA3QjrJJLC 0/UQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=8Xc+524sI/+KovON+PWgxvWD8MmXiVEJfVGj0BNbFcY=; b=BpUQzBaDASp4GjALNWXlwF1f/xUlf+S4EMjmGyOgQZbf4kSBFlUuOgYokZE/Obwwxs Y59pnxUzkbeL9kZMVTfgy5lKRV7eiKfrFB8BnM1hHu1/rzb5QN7t3Qm/ciQiXR5QCRly /qgxT+OBbX2o7V5kyVij8a4wf12+TFbKDJyopjkQlWqOxH5X8avnG9/2Raj4EuFbNibJ EzcB6RyNwLi9Z4mr1dwCuLxmjaT6sMmF0330HnSDCiGe0wxXvxzqNgvxXNqVnlUU+5PI JUrew/WKtrfye0Sg2mBa2CclM9Itku+8id8xD9y7kgn05vugM8Noy+e6PjFEyhOSY/gl fRvQ==
X-Gm-Message-State: APf1xPApU8+L7yTucdURJxQ4tf9JO0TbQXXaaYfFM7uEyjNO6wa1/W6A qZxHM0zEVJel3SxaHvBI1PBDzUADJoN0FVkChyA=
X-Google-Smtp-Source: AG47ELuaBSxXYPJYHuRGxnwCv2USNTMhG5yR3x/Dmj6viSnFehb9d6PO/qqVo6sY3BN965/BrLNSecyEUvpC6J6bStw=
X-Received: by 10.157.37.113 with SMTP id j46mr13830658otd.218.1519859012751; Wed, 28 Feb 2018 15:03:32 -0800 (PST)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 10.157.5.5 with HTTP; Wed, 28 Feb 2018 15:03:31 -0800 (PST)
In-Reply-To: <20180228222800.0a978ded@T-200>
References: <CAKHUCzxOwmPrpUUj6HSRMcxiXtRmT05OapeBQdRA49bSWum6yQ@mail.gmail.com> <f10d4e2c-7b4c-b841-eadf-056e1729c713@cs.tcd.ie> <CAMm+LwjJxdTJcPBCNh3JsjDeWODFuS3FwUPz_ztvzKpkU7X8DA@mail.gmail.com> <20180228222800.0a978ded@T-200>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 28 Feb 2018 18:03:31 -0500
X-Google-Sender-Auth: UEf9Gaj0a50rm9aNQj5AfVCHW88
Message-ID: <CAMm+LwjGfQj2K1krkKMfL3ZwBj0XCXK7VTkfmRDTt4d18MOk3w@mail.gmail.com>
To: Dennis Jackson <dennis.jackson@cs.ox.ac.uk>
Cc: mls@ietf.org
Content-Type: multipart/alternative; boundary="001a113d0cf490577505664dc008"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/kKfK_691_0SLauElRQ8-OgkkH-8>
Subject: Re: [MLS] Use Cases for avoiding Forward Secrecy
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2018 23:03:35 -0000
On Wed, Feb 28, 2018 at 5:28 PM, Dennis Jackson <dennis.jackson@cs.ox.ac.uk> wrote: > > If however we are working at the message layer, we will often want to > > support an asynchronous mode in which one party sends some data and > > another picks it up later. That does not prevent us working end to > > end but it does prevent us using PFS. > > This is incorrect. You may want to review the design of Signal, or > indeed the current MLS draft. No it is completely correct. The P in PFS stands for Perfect . If Alice creates a message for Bob using only her knowledge of Bob's public key then it is not going to be PFS because a compromise of Bob's private key is a breach. What Signal is doing is sending messages based on Bob's key plus state from previous communications that Alice and Bob have stored. Now that is providing some form of Forward Secrecy but only a marketing person would claim it was 'Perfect'. The cost of this shared state is far from trivial at the protocol level as both the sending and receiving device have to be in synchronization. What happens when Alice and Bob have a dozen devices? Then we have 144 sets of shared state.
- [MLS] Use Cases for avoiding Forward Secrecy Dave Cridland
- Re: [MLS] Use Cases for avoiding Forward Secrecy Raphael Robert
- Re: [MLS] Use Cases for avoiding Forward Secrecy Phillip Hallam-Baker
- Re: [MLS] Use Cases for avoiding Forward Secrecy Stephen Farrell
- Re: [MLS] Use Cases for avoiding Forward Secrecy Phillip Hallam-Baker
- Re: [MLS] Use Cases for avoiding Forward Secrecy Dennis Jackson
- Re: [MLS] Use Cases for avoiding Forward Secrecy Phillip Hallam-Baker
- Re: [MLS] Use Cases for avoiding Forward Secrecy Dave Cridland
- Re: [MLS] Use Cases for avoiding Forward Secrecy Phillip Hallam-Baker
- Re: [MLS] Use Cases for avoiding Forward Secrecy Eric Rescorla
- Re: [MLS] Use Cases for avoiding Forward Secrecy Phillip Hallam-Baker
- Re: [MLS] Use Cases for avoiding Forward Secrecy Dennis Jackson
- Re: [MLS] Use Cases for avoiding Forward Secrecy Jon Millican
- Re: [MLS] Use Cases for avoiding Forward Secrecy Stephen Farrell
- Re: [MLS] Use Cases for avoiding Forward Secrecy Phillip Hallam-Baker
- Re: [MLS] Use Cases for avoiding Forward Secrecy Richard Barnes
- Re: [MLS] Use Cases for avoiding Forward Secrecy Dave Cridland
- Re: [MLS] Use Cases for avoiding Forward Secrecy Dave Cridland
- Re: [MLS] Use Cases for avoiding Forward Secrecy Russ Housley
- Re: [MLS] Use Cases for avoiding Forward Secrecy Phillip Hallam-Baker
- Re: [MLS] Use Cases for avoiding Forward Secrecy Jon Millican
- Re: [MLS] Use Cases for avoiding Forward Secrecy Sean Turner
- Re: [MLS] Use Cases for avoiding Forward Secrecy Dave Cridland
- Re: [MLS] Use Cases for avoiding Forward Secrecy Dave Cridland
- Re: [MLS] Use Cases for avoiding Forward Secrecy Katriel Cohn-Gordon
- Re: [MLS] Use Cases for avoiding Forward Secrecy Dave Cridland
- Re: [MLS] Use Cases for avoiding Forward Secrecy Eric Rescorla
- Re: [MLS] Use Cases for avoiding Forward Secrecy Nadim Kobeissi
- Re: [MLS] Use Cases for avoiding Forward Secrecy Dave Cridland
- Re: [MLS] Use Cases for avoiding Forward Secrecy Stephen Farrell
- Re: [MLS] Use Cases for avoiding Forward Secrecy Dave Cridland
- Re: [MLS] Use Cases for avoiding Forward Secrecy Nadim Kobeissi
- Re: [MLS] Use Cases for avoiding Forward Secrecy Phillip Hallam-Baker