IETF Logo Mail Archive

Re: [MLS] Async Add

Brendan McMillion <brendan@cloudflare.com> Tue, 22 September 2020 15:09 UTC

Return-Path: <brendan@cloudflare.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB8DC3A0F8A for <mls@ietfa.amsl.com>; Tue, 22 Sep 2020 08:09:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.792
X-Spam-Level:
X-Spam-Status: No, score=-3.792 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.695, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pby9fSJ3feip for <mls@ietfa.amsl.com>; Tue, 22 Sep 2020 08:09:06 -0700 (PDT)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C45C03A0F88 for <mls@ietf.org>; Tue, 22 Sep 2020 08:09:06 -0700 (PDT)
Received: by mail-qt1-x82e.google.com with SMTP id z2so15766190qtv.12 for <mls@ietf.org>; Tue, 22 Sep 2020 08:09:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TMby768gRx36QkTk/n055ouZ4mWeyuOA+0BUDSXx9RA=; b=pfBeEVPkz9ay4viHOPOVf0apeeez0LIoKGtK7Zeyx1lbVx37FjUcn0lCMR1DDlA1vJ 2VETXjrURjU7Riry/urHm1vzG2k734H1W9/kCLE06vCHFYE2pQi5475cof+8vhrDGQQ8 lRIjYmWjUq3DqwfsGpCUs9dPL4vnqbAXmRMZ0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TMby768gRx36QkTk/n055ouZ4mWeyuOA+0BUDSXx9RA=; b=WJvMQMJu+EpCxhmEVkOuIcuwhwZW92ZBNPDMqHC5qFs+Xus6roz9wWIdVsqJTs+BSC U6O2qmF/BFHVPtB9wYTxmbVUhKOPi/eISd+K4lbUjuioAwwI9WeXIzxrwgrhRxwnX2Tc I3OujaboXt8Z82i5kLLPBwP0tmJIyeDuXlo0BiXjxLOot2zLYlAfBcCTCQyNcN2UP1hO yCGTOUoIu3wNFLz4o+jTzhH7G66ina/rH8sqEA5jWy+mdiFlMob8V0UhJ55CzY1z+AJw axd9lJ1OJbjmI6THDzNXPolTLMazzlmz1Co3fXG+IiSDcDs1o/jFy87RYWRrXwsBUtGb TBbg==
X-Gm-Message-State: AOAM530BiMIfdDGDuD/ICPpYzqsESuzeYqVErJM1ecGWdg7F+GCy9h1R +zMXyVUCBphH5uV/PlRy5bpxx8tU+xxQapUaZiKM+LPj4YBZixR+
X-Google-Smtp-Source: ABdhPJwGAYMVIHgKXZa/55RL5jEn1GZtmJ57LshNfhpgVbX++d+2DuM1QlLA854m24jTDuIMBbDOKO+ZenKvUdmshGs=
X-Received: by 2002:aed:2405:: with SMTP id r5mr4735154qtc.99.1600787345609; Tue, 22 Sep 2020 08:09:05 -0700 (PDT)
MIME-Version: 1.0
References: <474411EE-C4E8-4D01-B135-2632078C1423@wire.com> <52db4542-ed98-a10b-ac55-e49594504ded@wickr.com> <CAL02cgQRrzvFKZrbPpH3b2CGv6FxP5XXtr4V=28CoXYR-bgwOg@mail.gmail.com>
In-Reply-To: <CAL02cgQRrzvFKZrbPpH3b2CGv6FxP5XXtr4V=28CoXYR-bgwOg@mail.gmail.com>
From: Brendan McMillion <brendan@cloudflare.com>
Date: Tue, 22 Sep 2020 08:08:54 -0700
Message-ID: <CABP-pSR5k=ahwS108iJA6qy-gG-PRHj2x3sRjLzWwQY9gTMyHg@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Joel Alwen <jalwen@wickr.com>, Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000018c22b05afe85953"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/msBMkX-sB6EUwlnkDSGrpym0bb8>
Subject: Re: [MLS] Async Add
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2020 15:09:09 -0000

>
> b. "Init with KEM" - You could generate a key pair off of the key
> schedule, use some KEM-based operations to derive the next init secret.
>

This is a really smart idea and seems like it wouldn't break PCS of the
group like the initial proposal or a public init secret would

On Tue, Sep 22, 2020 at 7:56 AM Richard Barnes <rlb@ipv.sx> wrote:

> Thanks for posting this, Raphael.  I agree with Joël that this is a
> feature that is likely to get some use.  And the PR is pleasantly short
> (though I think it might need a bit more elaboration).
>
> On the topic of entropy from the last epoch, I'm wary of the current
> all-zero approach.  It seems like there are at least two other approaches
> available:
>
> a. "Public init secret" - Alongside the regular init secret, derive a
> "public init secret" from the key schedule.  Then use this as the init
> secret for external commits.
>
> b. "Init with KEM" - You could generate a key pair off of the key
> schedule, use some KEM-based operations to derive the next init secret.  In
> the early days of MLS, we used DH for this.  Nowadays, we're KEM-only, but
> I think the HPKE exporter might be pressed into serving a similar purpose.
>
> Looking forward to the discussion...
>
> --RLB
>
>
> On Tue, Sep 22, 2020 at 9:24 AM Joel Alwen <jalwen@wickr.com> wrote:
>
>> My initial 2 cents: this is not just a corner case. MLS should specify
>> how to
>> support such functionality but as an optional mode and making explicit
>> the price
>> in security it entails.
>>
>>
>> I believe such a feature would be used quite a bit if it where available.
>> E.g.
>> My phone is the only device on my account. It breaks. I get a new one and
>> log
>> back in to my account. Now I want my re-join my old groups. In most
>> deployments
>> I'd expect that to be permitted by group policies. But how can I re-join
>> w/o the
>> help of someone else in the group actively "pulling" me in? If I'm not
>> mistaken
>> then this PR provides an answer.
>>
>>
>> The solution does come with a price though. Some things that come to mind:
>>
>>  - It seems to require storing public group state on the DS (or some other
>> server) which isn't great for E2E metadata protection.
>>
>>  - An external commit provides weaker security guarantees than a normal
>> commit.
>> It throws out the old init_secret. Ergo, if ever an HPKE sk to which one
>> of the
>> UpdatePath secrets was encrypted to leaks then the entire application key
>> schedule of the new epoch is compromised. (Not to mention that further
>> epochs
>> may also be compromised depending on the particulars of the execution.)
>> For
>> normal commits that's not the case because the adv. also needs the old
>> epoch's
>> init_secret.
>>
>>
>> - Joël
>>
>> On 21/09/2020 20:15, Raphael Robert wrote:
>> > Hi all,
>> >
>> > Over the course of the past weeks when assessing how well MLS would fit
>> into existing messengers, it became obvious that adding new members is
>> still problematic. The operation – while technically asynchronous – still
>> requires two parties to be online in many cases.
>> >
>> > Rather than writing a lot of prose here, I attached a presentation that
>> explains the problem and offers a potential solution.
>> >
>> > I also created the following PR:
>> https://github.com/mlswg/mls-protocol/pull/406
>> > I will bring this up at the interim tomorrow for discussion.
>> >
>> > Raphael
>> >
>> >
>> > _______________________________________________
>> > MLS mailing list
>> > MLS@ietf.org
>> > https://www.ietf.org/mailman/listinfo/mls
>> >
>>
>> _______________________________________________
>> MLS mailing list
>> MLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/mls
>>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>

v2.23.0 | Report a Bug | By Email