[MLS] Tree of application secrets

Hubert Chathi <hubertc@matrix.org> Mon, 10 August 2020 20:26 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/m6bYOxxM_qCE5yJyu92kls3tfKQ>

The tree of application secrets (#astree) is used to derive an application secret for each sender.  However, only the leaf nodes are ever used; I don't see the internal nodes being used anywhere, and I don't see that deriving through a tree provides any extra security.  Would it be simpler to just derive the application secret for a sender using their leaf number (e.g. astree_node_[N]_secret = DeriveAppSecret(application_secret, "label", N, 0, Hash.length) using the same DeriveAppSecret as defined in that section)?  This would mean that if you need to derive the application secret for one of two senders, you'd only need to do O(1) work, rather than O(log(n)) work.
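
The two derivations compared in the message above, as an added sketch that is not code from the message or from the MLS draft: it counts KDF calls for one sender and records which secrets remain in memory afterwards. Assumptions: `derive_app_secret` is a simplified single-block HKDF-Expand stand-in for the draft's DeriveAppSecret, the tree is heap-indexed with a power-of-two leaf count rather than MLS's own node numbering, and the labels and root secret are constructed sample values.

```python
import hashlib
import hmac
import struct

def derive_app_secret(secret, label, node, generation, length=32):
    # Assumption: stand-in for the draft's DeriveAppSecret, built as a
    # single-block HKDF-Expand (RFC 5869) with SHA-256. Not MLS wire-compatible.
    info = struct.pack(">H", length) + label + struct.pack(">II", node, generation)
    return hmac.new(secret, info + b"\x01", hashlib.sha256).digest()[:length]

class SecretTree:
    """Heap-indexed complete binary tree (root = 1); n_leaves is a power of two."""
    def __init__(self, application_secret, n_leaves):
        self.n, self.nodes, self.kdf_calls = n_leaves, {1: application_secret}, 0

    def leaf_secret(self, leaf):
        target, path = self.n + leaf, []
        idx = target
        while idx not in self.nodes:       # climb to the nearest retained ancestor
            path.append(idx)
            idx //= 2
            if idx == 0:
                raise KeyError("secret already consumed and deleted")
        while idx != target:               # descend, deleting each parent once used
            parent = self.nodes.pop(idx)
            for child in (2 * idx, 2 * idx + 1):
                self.nodes[child] = derive_app_secret(parent, b"tree", child, 0)
                self.kdf_calls += 1
            idx = path.pop()
        return self.nodes.pop(target)

def flat_leaf_secret(application_secret, leaf):
    # The message's proposal: one KDF call keyed directly by the leaf number.
    return derive_app_secret(application_secret, b"label", leaf, 0)

def compare(n_leaves=8, leaf=5):
    root = hashlib.sha256(b"constructed application_secret").digest()  # sample value
    tree = SecretTree(root, n_leaves)
    tree.leaf_secret(leaf)
    try:
        tree.leaf_secret(leaf)
        tree_rederivable = True
    except KeyError:
        tree_rederivable = False
    flat_rederivable = flat_leaf_secret(root, leaf) == flat_leaf_secret(root, leaf)
    return tree.kdf_calls, sorted(tree.nodes), tree_rederivable, flat_rederivable

if __name__ == "__main__":
    print(compare())
```

With 8 leaves the tree variant spends 6 KDF calls on the first sender and then holds only nodes 2, 7 and 12, from which the consumed leaf cannot be re-derived. The flat variant spends 1 call, but `application_secret` has to stay in memory to serve the other senders and re-derives any leaf on demand.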