Re: [MLS] Malicious user segmenting the group
Richard Barnes <rlb@ipv.sx> Mon, 22 October 2018 18:10 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 975A1128B14 for <mls@ietfa.amsl.com>; Mon, 22 Oct 2018 11:10:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pFRrj6pFiBQZ for <mls@ietfa.amsl.com>; Mon, 22 Oct 2018 11:10:48 -0700 (PDT)
Received: from mail-oi1-x231.google.com (mail-oi1-x231.google.com [IPv6:2607:f8b0:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9AA6124BE5 for <mls@ietf.org>; Mon, 22 Oct 2018 11:10:48 -0700 (PDT)
Received: by mail-oi1-x231.google.com with SMTP id s69-v6so32973180oie.10 for <mls@ietf.org>; Mon, 22 Oct 2018 11:10:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GfCLNiqEh5JXz1DSBrGoV7f23jSJaxXbodSh7xTCo8Q=; b=QqW3gFpNl877sQMAtUASpuNA8T2S5/F9aJoMWg+hQd0MfPg20tCpDNdbmuS3z80fUF NzCib9g+Ot6Q9q1HYjOIC95G6n33HBY6th37J5baD16MFJP+SsZUHbQ/EiQR5LN+R+7W wqp7640O2b7BFPzLye5p5zhfgtqYfo3O3GWgqsKHShjpETMBdFNNuC0NWG0bGsAx4HSe HLjxpclAA8Ktosqb3CrDkeemfu4QWPCVjv4vp2H1SgwzWcGyUNTya5BjCPVup7jSRTF1 ilazAdrmBnsce+sglbQFJgXF3Ju/5QmtV34zTG6Ct+s7EKYN9u1TsJOEkivYeC/jqe6Y KV6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GfCLNiqEh5JXz1DSBrGoV7f23jSJaxXbodSh7xTCo8Q=; b=PmSh4GVX8I2PU/Hk49Ircw21W1aEd2fu+P0t+9R+vY9tzFRE0iZSUsBF2FmlxwK2jt UEeDZG4GP8ntvra1U2KZ9DVH6OiDJk/a7PJqnJtb153h9jdqsOY1TejWOXPIope7qSMD 0ddO8lJ9KfonJ2PLsrzEjxgHMmnawmbzyal7436mlBiMbYUEPAnA6+Feg7Rpt/71ckOa rBAnhMU2+L7m5P8MK03tuKpl03VLzfyjUv+EvzqxlRcqiPTFnIpN1qSBbzLrdTssMmQ7 nft9v9jv84P1v5q/yF/uOo52MQIquoPFt4WilaXv8ewdR6/iUoU940ITZBs5c0Ge8Sma ytog==
X-Gm-Message-State: ABuFfogaNHjFKimCT9eANWZZYGCZ6DOfO2cSrp1U1X0IPiQ1q6GY25bl Sj1vpL1kP+P9vZiEWSDXbPmzWxAYvzzUwZDC13Ef4slI
X-Google-Smtp-Source: ACcGV63GA1H+D+0nKY5ka+TzVVJym3WQxj3twvAQUENCefZmPGXEYWqOKZHHFbx3Ov2zE/3pHTWNE+svTayhNwIpF8w=
X-Received: by 2002:aca:540c:: with SMTP id i12-v6mr25942157oib.49.1540231847229; Mon, 22 Oct 2018 11:10:47 -0700 (PDT)
MIME-Version: 1.0
References: <CA+tdQEvNiiVvJfeh51AWBPB-z9Jpymt4LHRRfCBdkYh6XnfkAQ@mail.gmail.com>
In-Reply-To: <CA+tdQEvNiiVvJfeh51AWBPB-z9Jpymt4LHRRfCBdkYh6XnfkAQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 22 Oct 2018 14:10:33 -0400
Message-ID: <CAL02cgSdSoYKQhU94Qedh2XN=8usNnkJGAKziashYz+HRF9ZpA@mail.gmail.com>
To: jtoohill=40google.com@dmarc.ietf.org
Cc: mls@ietf.org, Emad Omara <emadomara@google.com>, gbelvin@google.com
Content-Type: multipart/alternative; boundary="000000000000204dba0578d52cde"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/oNJ-50DLOXhvfcjETqJjsherA3k>
Subject: Re: [MLS] Malicious user segmenting the group
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Oct 2018 18:10:51 -0000
Hi Jon, This is definitely an active issue. See my message earlier today about authentication / key confirmation. There have been some discussions of ZKPs for this, but AFAIK, no workable proposal has emerged. The problem is that what you want to prove is that a sequence of keys are the result of transforming a chain of hashes from hash outputs to key pairs -- if you want to do a ZKP with a general hash function, the ZKP is very expensive, and if you adapt the hash function to have nicer proof properties, you lose some of the cryptographic properties you would want. My current thinking is that we should probably try to address this at the protocol level. In some of the pre-BoF discussions, we had talked about doing some specification of ACK / NACK messages. Now that at least some endpoints can recognize a bad message, it seems like we could define a NACK that says "that handshake message was invalid" and basically let endpoints veto invalid messages. If someone wants to come up with a concrete proposal, I would love to discuss further. --Richard On Mon, Oct 22, 2018 at 1:37 PM Jon Toohill <jtoohill= 40google.com@dmarc.ietf.org> wrote: > Hey MLS folks, > > I'm still skimming through the mailing list archives to get up to speed, > so apologies if this has already been discussed & solved. I saw the > following note in a recent version of the protocol draft: > > [[ OPEN ISSUE: It is not possible for the recipient of a handshake message >> to verify that ratchet tree information in the message is accurate, because >> each node can only compute the secret and private key for nodes in its >> direct path. This creates the possibility that a malicious participant >> could cause a denial of service by sending a handshake message with invalid >> values for public keys in the ratchet tree. ]] >> > > It seems like this could be solved by having the handshake message sender > prove in zero knowledge (i.e. without revealing their secret or the parent > secret) that they derived the parent public key correctly. ZK-SNARKs are > one way of doing that, but my admittedly weak understanding is that > generating proofs might be too computationally expensive for mobile > devices. Does this seem like a worthwhile direction to investigate? Does > anyone know of a more efficient construction that could be used in MLS? > > -Jon Toohill > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] Malicious user segmenting the group Jon Toohill
- Re: [MLS] Malicious user segmenting the group Richard Barnes
- Re: [MLS] Malicious user segmenting the group Raphael Robert