Re: [MLS] Double-use of the same key

Richard Barnes <rlb@ipv.sx> Thu, 20 August 2020 21:05 UTC

References: <504ca35e-ca0a-47db-a861-774867c169b9@aalto.fi>
In-Reply-To: <504ca35e-ca0a-47db-a861-774867c169b9@aalto.fi>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 20 Aug 2020 17:04:52 -0400
Message-ID: <CAL02cgRHMjbmy+e=BPjsc5B-F3tpLADdjPUiQCgcek4nZTs7rQ@mail.gmail.com>
To: Chris Brzuska <chris.brzuska@aalto.fi>
Cc: Messaging Layer Security WG <mls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/qtpXmj4giywhQYnSj1aGvUK10Ug>

Argh, we *used* to have an Expand call there, but got rid of it because the
first step of DeriveKeyPair was also Expand.  But now that we're delegating
to the KEM here, it probably makes sense to add it back, especially since
the first step of DeriveKeyPair is now Extract.

https://github.com/mlswg/mls-protocol/pull/397

I think I owe Konrad a beer since he initially proposed it and I reverted
it :)

--Richard

[1]
https://github.com/cfrg/draft-irtf-cfrg-hpke/blob/master/draft-irtf-cfrg-hpke.md#derivekeypair-derive-key-pair

On Thu, Aug 20, 2020 at 2:40 PM Chris Brzuska <chris.brzuska@aalto.fi>
wrote:

> Hey all,
>
> I realized that that path_secret is now used to key two different
> cryptographic primitives which violates key separation. Namely, the
> path_secret is used to key the two functions ExpandWithLabel and
> KEM.DeriveKeyPair.
>
> Downsides:
>
>    - Violates the good crypto practice of key separation via HKDF.Expand
>    which we use in other parts of MLS.
>    - Moves MLS outside the scope of provable security, because crypto
>    assumptions assume that a key is only used in one cryptographic primitive
>    and not in two.
>
> Chris
>
> path_secret[n] = ExpandWithLabel(path_secret[n-1],
>                                    "path", "", KEM.Nsk)
> node_priv[n], node_pub[n] = KEM.DeriveKeyPair(path_secret[n])
>
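The derivation Chris quotes (path_secret[n] feeding both the next ExpandWithLabel and KEM.DeriveKeyPair) and the extra Expand step Richard wants to put back can be modelled side by side. The following is an added example, not code from MLS, HPKE, or the linked pull request. It assumes SHA-256 as the hash, approximates the MLS KDFLabel encoding of that era (an "mls10 " label prefix, a one-byte label length and a four-byte context length), uses "node" as the label for the extra step, and replaces the real KEM with a stand-in whose DeriveKeyPair is Extract-then-Expand with the public key modelled as a hash of the private key. The chain records which primitive each secret keys, so a single-use check can be run over both variants.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
NH = HASH().digest_size   # 32 bytes
NSK = 32                  # private-key length of the modelled KEM (assumed)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256; empty salt means NH zero bytes."""
    return hmac.new(salt or bytes(NH), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def expand_with_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """MLS-style ExpandWithLabel: HKDF-Expand over a KDFLabel struct.
    Encoding (assumed): uint16 length | opaque label<1 byte len> | opaque context<4 byte len>."""
    full_label = b"mls10 " + label.encode()
    kdf_label = (struct.pack(">H", length)
                 + bytes([len(full_label)]) + full_label
                 + struct.pack(">I", len(context)) + context)
    return hkdf_expand(secret, kdf_label, length)


def kem_derive_key_pair(ikm: bytes):
    """Stand-in for KEM.DeriveKeyPair (constructed, not a real KEM): the first
    step is an Extract, as Richard notes for the current HPKE DeriveKeyPair,
    followed by an Expand. The 'public key' is just a hash of the private key."""
    dkp_prk = hkdf_extract(b"", b"dkp_prk" + ikm)
    sk = hkdf_expand(dkp_prk, b"sk", NSK)
    pk = HASH(b"pk" + sk).digest()
    return sk, pk


def derive_chain(path_secret_0: bytes, depth: int, separated: bool):
    """Derive `depth` path secrets and node key pairs from path_secret_0.
    separated=False is the derivation from the quoted mail; separated=True
    inserts ExpandWithLabel(path_secret, "node") in front of DeriveKeyPair.
    Returns (path_secrets, key_pairs, uses) where uses maps each secret to the
    set of primitives it was fed into."""
    uses = {}

    def use(secret: bytes, primitive: str) -> None:
        uses.setdefault(secret, set()).add(primitive)

    path_secrets, key_pairs = [], []
    prev = path_secret_0
    for _ in range(depth):
        use(prev, "ExpandWithLabel")
        path_secret = expand_with_label(prev, "path", b"", NSK)
        if separated:
            use(path_secret, "ExpandWithLabel")      # same primitive, different label
            kem_ikm = expand_with_label(path_secret, "node", b"", NSK)
        else:
            kem_ikm = path_secret                    # path_secret keys the KEM directly
        use(kem_ikm, "KEM.DeriveKeyPair")
        key_pairs.append(kem_derive_key_pair(kem_ikm))
        path_secrets.append(path_secret)
        prev = path_secret
    return path_secrets, key_pairs, uses


def double_used_secrets(uses) -> list:
    """Secrets consumed by more than one distinct primitive (key-separation violations)."""
    return [s for s, prims in uses.items() if len(prims) > 1]


if __name__ == "__main__":
    seed = b"\x01" * NSK   # constructed starting path secret
    for separated in (False, True):
        _, _, uses = derive_chain(seed, 3, separated)
        print(f"separated={separated}: {len(double_used_secrets(uses))} double-used secrets")
```

Running it with a depth of 3 reports two double-used secrets for the quoted derivation (every path_secret except the last keys both ExpandWithLabel and DeriveKeyPair) and none once the extra Expand is in place. The path_secret ratchet itself is unchanged by the fix; only the input to DeriveKeyPair becomes a value that is never used anywhere else.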