Re: [MLS] Async Add
Brendan McMillion <brendan@cloudflare.com> Tue, 22 September 2020 15:09 UTC
Return-Path: <brendan@cloudflare.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB8DC3A0F8A for <mls@ietfa.amsl.com>; Tue, 22 Sep 2020 08:09:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.792
X-Spam-Level:
X-Spam-Status: No, score=-3.792 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.695, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pby9fSJ3feip for <mls@ietfa.amsl.com>; Tue, 22 Sep 2020 08:09:06 -0700 (PDT)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C45C03A0F88 for <mls@ietf.org>; Tue, 22 Sep 2020 08:09:06 -0700 (PDT)
Received: by mail-qt1-x82e.google.com with SMTP id z2so15766190qtv.12 for <mls@ietf.org>; Tue, 22 Sep 2020 08:09:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TMby768gRx36QkTk/n055ouZ4mWeyuOA+0BUDSXx9RA=; b=pfBeEVPkz9ay4viHOPOVf0apeeez0LIoKGtK7Zeyx1lbVx37FjUcn0lCMR1DDlA1vJ 2VETXjrURjU7Riry/urHm1vzG2k734H1W9/kCLE06vCHFYE2pQi5475cof+8vhrDGQQ8 lRIjYmWjUq3DqwfsGpCUs9dPL4vnqbAXmRMZ0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TMby768gRx36QkTk/n055ouZ4mWeyuOA+0BUDSXx9RA=; b=WJvMQMJu+EpCxhmEVkOuIcuwhwZW92ZBNPDMqHC5qFs+Xus6roz9wWIdVsqJTs+BSC U6O2qmF/BFHVPtB9wYTxmbVUhKOPi/eISd+K4lbUjuioAwwI9WeXIzxrwgrhRxwnX2Tc I3OujaboXt8Z82i5kLLPBwP0tmJIyeDuXlo0BiXjxLOot2zLYlAfBcCTCQyNcN2UP1hO yCGTOUoIu3wNFLz4o+jTzhH7G66ina/rH8sqEA5jWy+mdiFlMob8V0UhJ55CzY1z+AJw axd9lJ1OJbjmI6THDzNXPolTLMazzlmz1Co3fXG+IiSDcDs1o/jFy87RYWRrXwsBUtGb TBbg==
X-Gm-Message-State: AOAM530BiMIfdDGDuD/ICPpYzqsESuzeYqVErJM1ecGWdg7F+GCy9h1R +zMXyVUCBphH5uV/PlRy5bpxx8tU+xxQapUaZiKM+LPj4YBZixR+
X-Google-Smtp-Source: ABdhPJwGAYMVIHgKXZa/55RL5jEn1GZtmJ57LshNfhpgVbX++d+2DuM1QlLA854m24jTDuIMBbDOKO+ZenKvUdmshGs=
X-Received: by 2002:aed:2405:: with SMTP id r5mr4735154qtc.99.1600787345609; Tue, 22 Sep 2020 08:09:05 -0700 (PDT)
MIME-Version: 1.0
References: <474411EE-C4E8-4D01-B135-2632078C1423@wire.com> <52db4542-ed98-a10b-ac55-e49594504ded@wickr.com> <CAL02cgQRrzvFKZrbPpH3b2CGv6FxP5XXtr4V=28CoXYR-bgwOg@mail.gmail.com>
In-Reply-To: <CAL02cgQRrzvFKZrbPpH3b2CGv6FxP5XXtr4V=28CoXYR-bgwOg@mail.gmail.com>
From: Brendan McMillion <brendan@cloudflare.com>
Date: Tue, 22 Sep 2020 08:08:54 -0700
Message-ID: <CABP-pSR5k=ahwS108iJA6qy-gG-PRHj2x3sRjLzWwQY9gTMyHg@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Joel Alwen <jalwen@wickr.com>, Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000018c22b05afe85953"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/msBMkX-sB6EUwlnkDSGrpym0bb8>
Subject: Re: [MLS] Async Add
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2020 15:09:09 -0000
> > b. "Init with KEM" - You could generate a key pair off of the key > schedule, use some KEM-based operations to derive the next init secret. > This is a really smart idea and seems like it wouldn't break PCS of the group like the initial proposal or a public init secret would On Tue, Sep 22, 2020 at 7:56 AM Richard Barnes <rlb@ipv.sx> wrote: > Thanks for posting this, Raphael. I agree with Joël that this is a > feature that is likely to get some use. And the PR is pleasantly short > (though I think it might need a bit more elaboration). > > On the topic of entropy from the last epoch, I'm wary of the current > all-zero approach. It seems like there are at least two other approaches > available: > > a. "Public init secret" - Alongside the regular init secret, derive a > "public init secret" from the key schedule. Then use this as the init > secret for external commits. > > b. "Init with KEM" - You could generate a key pair off of the key > schedule, use some KEM-based operations to derive the next init secret. In > the early days of MLS, we used DH for this. Nowadays, we're KEM-only, but > I think the HPKE exporter might be pressed into serving a similar purpose. > > Looking forward to the discussion... > > --RLB > > > On Tue, Sep 22, 2020 at 9:24 AM Joel Alwen <jalwen@wickr.com> wrote: > >> My initial 2 cents: this is not just a corner case. MLS should specify >> how to >> support such functionality but as an optional mode and making explicit >> the price >> in security it entails. >> >> >> I believe such a feature would be used quite a bit if it where available. >> E.g. >> My phone is the only device on my account. It breaks. I get a new one and >> log >> back in to my account. Now I want my re-join my old groups. In most >> deployments >> I'd expect that to be permitted by group policies. But how can I re-join >> w/o the >> help of someone else in the group actively "pulling" me in? If I'm not >> mistaken >> then this PR provides an answer. >> >> >> The solution does come with a price though. Some things that come to mind: >> >> - It seems to require storing public group state on the DS (or some other >> server) which isn't great for E2E metadata protection. >> >> - An external commit provides weaker security guarantees than a normal >> commit. >> It throws out the old init_secret. Ergo, if ever an HPKE sk to which one >> of the >> UpdatePath secrets was encrypted to leaks then the entire application key >> schedule of the new epoch is compromised. (Not to mention that further >> epochs >> may also be compromised depending on the particulars of the execution.) >> For >> normal commits that's not the case because the adv. also needs the old >> epoch's >> init_secret. >> >> >> - Joël >> >> On 21/09/2020 20:15, Raphael Robert wrote: >> > Hi all, >> > >> > Over the course of the past weeks when assessing how well MLS would fit >> into existing messengers, it became obvious that adding new members is >> still problematic. The operation – while technically asynchronous – still >> requires two parties to be online in many cases. >> > >> > Rather than writing a lot of prose here, I attached a presentation that >> explains the problem and offers a potential solution. >> > >> > I also created the following PR: >> https://github.com/mlswg/mls-protocol/pull/406 >> > I will bring this up at the interim tomorrow for discussion. >> > >> > Raphael >> > >> > >> > _______________________________________________ >> > MLS mailing list >> > MLS@ietf.org >> > https://www.ietf.org/mailman/listinfo/mls >> > >> >> _______________________________________________ >> MLS mailing list >> MLS@ietf.org >> https://www.ietf.org/mailman/listinfo/mls >> > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] Async Add Raphael Robert
- Re: [MLS] Async Add Joel Alwen
- Re: [MLS] Async Add Richard Barnes
- Re: [MLS] Async Add Brendan McMillion
- Re: [MLS] Async Add Richard Barnes
- Re: [MLS] Async Add Joel Alwen
- Re: [MLS] Async Add Richard Barnes