Re: [MLS] Stupidest possible message protection
Richard Barnes <rlb@ipv.sx> Mon, 03 December 2018 08:28 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A9EE126C01 for <mls@ietfa.amsl.com>; Mon, 3 Dec 2018 00:28:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.358
X-Spam-Level:
X-Spam-Status: No, score=-3.358 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cjr1cIE40r0H for <mls@ietfa.amsl.com>; Mon, 3 Dec 2018 00:28:38 -0800 (PST)
Received: from mail-ot1-x336.google.com (mail-ot1-x336.google.com [IPv6:2607:f8b0:4864:20::336]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5962812777C for <mls@ietf.org>; Mon, 3 Dec 2018 00:28:38 -0800 (PST)
Received: by mail-ot1-x336.google.com with SMTP id 32so10778391ota.12 for <mls@ietf.org>; Mon, 03 Dec 2018 00:28:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XP+hdFKjdoAs9wL/6CjtkUu2wne+ycVsLB6Nswop9HM=; b=VwADtIQEbh9tIkUYysJGiHloE/ILF3Z1SrOXnmLy1HLuRTLp7kKhKhiLATiol5Q8h6 ccsldGfNwWi0ur2t7jV46c5mycauygTCdCkZb+sNhZykcIBgKhUexr0J/9LIJdoDaExD kuX//LA2PGovQ21nA6SzVYj6vaNyFoObQrN/CvA/sQzT4iPzqm6D3c0jh8kpy8bLWO7o WJEMqR6dN2iEHX1V1/PM1TwWw8q1XUXaSSS6kjczrqFEOKnRCWaiSSRqZ6k3QyVTmJ6Z FH0dsBjRbyOos+C+8XwK9Sc9PaDK6KZkSPzdcknLgWCOvtumECSt2W9gT+BXCko1JK4s 6OFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XP+hdFKjdoAs9wL/6CjtkUu2wne+ycVsLB6Nswop9HM=; b=GPQpEYRAXSghkZYU4zBNyInNFMiEQF1UbZd81mH6JEbO/XpIP/FflCRY9m/il+8Uvp N6YKsNgW9SgKkopJRNtmmyZ9FFqbuqqYwt+SVdHKsYVO9spSkZXU9DfBdHeTx0VlU1uP tM1fAFL9T0H7W9wRv+FJyEhuwQkWH5fjf6v7KYrqW+PT2W7v3ybevm/bnDSjaSB1LPfN bzhG3YIvW/xkCEF4Ic3HtjIU3RJEwFKTEXWCFLNJpHYbH8lGkbl7CLVSYR0L6LcLpNx+ Uw+rL/bkx7838/r4XEUy/YYiSEZREqm2usj6j7bwHEcrJ9rRSVnNEArorqWsn3Bx6n1i PZMA==
X-Gm-Message-State: AA+aEWayzFc7aG7tlzH+QdWXSg9ROLaSuR0mK0d1MGz2YrKzIFlYuFwq o8GkJl46TKqadfy8iehTbiHERA1WDoZQwqlmE3SW1w==
X-Google-Smtp-Source: AFSGD/U58i4OZrly/NyLOhJj/7FfgfNhkPvmxSXs2kbZbnYdyuaK4CeLIzWDBzZAdkJabURhMVjWoqNcCRU3Y3Q0FrY=
X-Received: by 2002:a9d:1b0b:: with SMTP id l11mr10203483otl.162.1543825717528; Mon, 03 Dec 2018 00:28:37 -0800 (PST)
MIME-Version: 1.0
References: <CAL02cgTjD==YgS848sBWEGrBBkNMAtbUXJuV6RrDmak_+Mu6fw@mail.gmail.com> <6369845D-4139-4043-90F8-08AFAD4EE47B@gmail.com>
In-Reply-To: <6369845D-4139-4043-90F8-08AFAD4EE47B@gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 03 Dec 2018 03:28:18 -0500
Message-ID: <CAL02cgQFUNYVQHFni9JkwRn7Zo9kL52KyazAuL+YQVFBQT1RHg@mail.gmail.com>
To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Cc: mls@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007d2227057c19efa3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/l-_Aq4G3bEId3JekuimF2yiwtxs>
Subject: Re: [MLS] Stupidest possible message protection
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Dec 2018 08:28:41 -0000
On Mon, Dec 3, 2018 at 3:01 AM Karthikeyan Bhargavan < karthik.bhargavan@gmail.com> wrote: > > One way to try to split this baby would be to try to evaluate what > information the server needs in order to provide its assistance, and leave > that unencrypted. This solution would of course require that we convince > ourselves that the unencrypted bits are actually not sensitive, and would > entail a fair bit of complexity in the encryption system. > > Let me poke a bit more at this option. What minimal information do you > think the server needs in order to provide its assistance? > If you take a look at Raphael's slides from the Bangkok meeting, there are a couple of different types of assistance the server might provide. Most of these revolve around the linear-size pieces of group state: The (public keys in the) tree and the roster. The server could cache a copy of the tree so that clients could download slices of it as needed. Clients would have to either trust the server to do this or arrange the hash in the GroupState so that the slices could be verified. That's where a lot of the complexity comes from. Arguably, there's no harm in exposing the tree, since it should just be all random key material. (Except in the case where you put a DH key from a UserInitKey at a leaf, in which case it can be used to correlate.) Exposing the roster is obviously problematic. Maybe Raphael has some ideas here. --Richard [1] https://datatracker.ietf.org/meeting/103/materials/slides-103-mls-sessa-efficiency-00 > > -Karthik > > > > > Another, simpler, approach we could take is to punt the decision to the > application. We would define in the document two options: > > > > 1. Send Handshake messages in the clear > > 2. Send Handshake messages encrypted as Application messages > > > > (And specify details like how you do Welcome+Add, how you disambiguate > Handshake from other Application messages.) But we would not specify which > of those paths a given application would do. > > > > What do folks think about that idea? Personally, I find it kind of > appealing in its simplicity, though I acknowledge it adds another variable > for interop testing / interop failure. And if you want to make an MLS API, > it's another switch to support. > > > > Cheers, > > --RIchard > > > > > > _______________________________________________ > > MLS mailing list > > MLS@ietf.org > > https://www.ietf.org/mailman/listinfo/mls > >
- [MLS] Stupidest possible message protection Richard Barnes
- Re: [MLS] Stupidest possible message protection Watson Ladd
- Re: [MLS] Stupidest possible message protection Richard Barnes
- Re: [MLS] Stupidest possible message protection Katriel Cohn-Gordon
- Re: [MLS] Stupidest possible message protection Karthikeyan Bhargavan
- Re: [MLS] Stupidest possible message protection Richard Barnes
- Re: [MLS] Stupidest possible message protection Raphael Robert
- Re: [MLS] Stupidest possible message protection Russ Housley
- Re: [MLS] Stupidest possible message protection Katriel Cohn-Gordon
- Re: [MLS] Stupidest possible message protection Raphael Robert
- Re: [MLS] Stupidest possible message protection Richard Barnes
- Re: [MLS] Stupidest possible message protection Raphael Robert