Re: [MLS] Blocking Update messages for breaking post-compromise security
Alexander Sherkin <Alexander.Sherkin@darkmatter.ae> Mon, 22 April 2019 22:05 UTC
Return-Path: <prvs=008f8c96c=Alexander.Sherkin@darkmatter.ae>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4346212012C for <mls@ietfa.amsl.com>; Mon, 22 Apr 2019 15:05:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PJC15W8cMZC8 for <mls@ietfa.amsl.com>; Mon, 22 Apr 2019 15:05:05 -0700 (PDT)
Received: from smtpext3.darkmatter.ae (smtpext3.darkmatter.ae [185.180.84.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A23D51203D6 for <mls@ietf.org>; Mon, 22 Apr 2019 15:05:03 -0700 (PDT)
IronPort-SDR: XYlIPK8hmFbT0Z7bSqIPUczmyxo04xDLookGG3mHvHk+kFKPBBuoNndbWedjGxKzikFEBSZ0gi TfP5i96Y49dG2tHsB9LYfn0SB2qJNyX03C2hfT5Dodl5FAVR94bdAjaHVTWlVBWGfKhBeALpIy eLxi8EEm+5eqYM2zlCAEgEtCWHSHzxEQN59+5KZEq6xv7fhmxPz9SB8uw2IE62a7jI2RoBy3gc JWx3DU+L6M/2X4kpLdQl/8uPUkB8oRD6+aMDzQw19jAQW40kVIZlzB8avs69um7d2Wyq2sMgNG R9w=
IronPort-PHdr: 9a23:IBUjjBWCEsi5nIQvzzTygYX083zV8LGtZVwlr6E/grcLSJyIuqrYZRSBv6dThVPEFb/W9+hDw7KP9fy5ACpcv93Y7S5KMMQVEUNc0YNOx01oKfXGIHWzFOTtYS0+EZYKf35e1Fb/D3JoHt3jbUbZuHy44G1aMBz+MQ1oOra9QdaK3Iy42O+o5pLcfRhDiiajbrNuNhW2qhjautULjYd4Jas91wbFrmFHdulXym9kOFKekhfh7cu04JJv7j5ctv08+8JcS6n2Y7g0QblFBzk6Lm4549HmuwPeRgWV/HscVWsWkhtMAwfb6RzxQ4n8vCjnuOdjwSeWJcL5Q6w6VjSk9KdrVQTniDwbOD4j8WHYkdJ/gaRGqx+8vRN/worUYIaINPpie67WYN0XSXZdUstXSidMGZ23YZcRAOUdPOZYt4j9qEUIrRuiHgmnGefjxiZVinPqwaE21uIsGhzE0gM9BdIDqHTaosvoOqcOX+67z6fIwjfCb/xZxTjw85LIfgwjofyWQb58bcjcxE8yHA3FlFWQronlMiuJ2+QJrWea4PBvVeSyhGE5sQF6vyWhxscyhYnThYIVy1bE/jh+zYspId23VkF6bsSiEJRNqS6aLZF6TN4iQ252oiY6ybwGuZigcScX0psn3R3fa/mdfIiU/hLsSvyRLS1ii317Yb+ygQu5/0anyu35TMa00VBKozJBktnNsHAN1ALc5dWGSvt75EuuxTGP1wXL5uFYL0E0lLbbK4I/zb4qjJYcrUPDHirulEX3kqCWaksk9vKv6+T9bbXqvoKTOJVuigH9N6QhgNC/AfgmPQgURWSU4/qz2bv+9kP6WLVHluA6nrXDvJzEO8gWqbS1DxJP3osn9xqzFyqq3MgCkXUZMl5IdwiLgormNl3UJP30EfGyiEm2njhx3fDJJLjhD43ILnjEjbjuY65w61VZyAov1dBf4I9UCq0ZLPLzREDxsNvYAwc6MwOqw+fnE8xx2Z0RWGKTHKOVKr7dvkWS5uIsJumDfpMVuCrjJPg//fLhl2E2lUccfamvw5QXdGi1Eul6L0mDf3bgnNgMHX0XsgYkSOHmlEWOUTtJaHazW6I86Cs7CIWjDYrbWo2thKKO3SihEZ1Qe29JFEqMHW31eYWERfgMciGSIs5nkjEfSLeuUZUh1RKrtADg17pnMvTb+jcCuZ35ytd5//fTmg0q9TxoE8Sd1HmAQH9xnmwSWjA226V/rlZnyliZyqV4jPtYFdtc5/NNTAg2L4LTz+t/C9rqQALOYs+JSEq6QtWhGTwxS9Yxw8QVbkZ8Bdqikh7D0zCtA78PmLzYTKAzp4/Z1nS5AMN00X+OgKQkhlUhR8JVPEWpgalw8wWVDInMxRa3jaGvII0Y0T7E8muO1yK1vExCUw92GfHsWX0Pb03aoM6/3UPPVbyvD5wrOxFCzMeeNqZQLNTk2wYVDMz/McjTNjri01y7AgyFk/bVNNLn
X-IPAS-Result: A2kJAAD0Ob5c/1oB4ApjAxkBAQEBAQEBAQEBAQEHAQEBAQEBgVMCAQEBAQELAYEOAVeBEoEsCoQElTWCGXFKh12NGhSBKxcWBwQECwEcAQoMgUmCdQIXhjA2Bw4BAwEBAQQBAQEBAgEBAQGBBQyCOikBEAQxHC8LBAEBAQEBAQEBASQBAQEBAQEBAQEBAQEBAQEBAQEBAQEUAjMICQMpAQEBAQMBAQMBHQIIASUTCAIJEAIBCA0EAQMBAQYBAQEYAQYDAgICBRAPAR8DBggBAQQOBAEIBoMVghenKoEvhUeEVRCBMgGEYF2DQnYQgxs/hCM+gmEBAQKBLAESAQ0ZBwkKFQIGCYJDglcEilMHASUkggmEP4duhFGCMoV5BwKCClSEPgErUYQqhUWCJCOCC16FS4xginKCMIRUS498AWYwWg8IMxpzgmwJgQ2BBBeBAQECRYIDhRSFP3KOL4EigSEBAQ
X-IronPort-AV: E=Sophos;i="5.60,383,1549915200"; d="png'150?scan'150,208,217,150";a="3152597"
Received: from ForcepointDLP ([10.224.1.90]) by keys-ext2.darkmatter.ae (PGP Universal service); Tue, 23 Apr 2019 02:04:58 +0400
X-PGP-Universal: processed; by keys-ext2.darkmatter.ae on Tue, 23 Apr 2019 02:04:58 +0400
Received: from ActiveEmail (ActiveEmail [127.0.0.1]) by ActiveEmail.localdomain (Service) with ESMTP id DB9C71800094; Tue, 23 Apr 2019 02:01:35 +0400 (+04)
Received: from email.darkmatter.ae (adkdcsvmc002.darkmatter.uae [10.224.74.12]) by ActiveEmail.localdomain (Service) with ESMTPS id AE26D1800093; Tue, 23 Apr 2019 02:01:35 +0400 (+04)
From: Alexander Sherkin <Alexander.Sherkin@darkmatter.ae>
To: Emad Omara <emadomara@google.com>
CC: "mls@ietf.org" <mls@ietf.org>
Thread-Topic: [MLS] Blocking Update messages for breaking post-compromise security
Thread-Index: AdT2Fq8EwGQ6z+aDQLeq2OeQXxI1ZAAKXJsAAMFatJA=
Date: Mon, 22 Apr 2019 22:04:57 +0000
Message-ID: <557a3023828245169ebb15939aa5d172@darkmatter.ae>
References: <f57fdfc23287463cb3ad3713faaf25b4@darkmatter.ae> <CAHo7dC8+T15Wd3C8DPYzeNNBNQ=kLVbqrNpVnaE73me6cs1tgw@mail.gmail.com>
In-Reply-To: <CAHo7dC8+T15Wd3C8DPYzeNNBNQ=kLVbqrNpVnaE73me6cs1tgw@mail.gmail.com>
Accept-Language: en-CA, en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.224.74.90]
x-exclaimer-md-config: 77ff947c-8af8-48f1-8d81-f67dcf75dbee
MIME-Version: 1.0
Content-Language: en-US
Content-Type: multipart/related; boundary="_009_557a3023828245169ebb15939aa5d172darkmatterae_"; type="multipart/alternative"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/sok2JoUwwA7CGv_NK0TfyFSfa30>
Subject: Re: [MLS] Blocking Update messages for breaking post-compromise security
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Apr 2019 22:05:08 -0000
Hi Emad,
Thank you for your comments. Please find a couple of comments below inline.
Thanks.
Alex.
Alexander Sherkin
Software Architect
[cid:imageb2e661.PNG@37550bb1.42913d22]<http://www.darkmatter.ae>
2 Robert Speck Parkway, Suite 1610
Mississauga ON L4Z 1H8
Canada
MT+1 416 414 7117<tel:+1%20416%20414%207117>
EMAlexander.Sherkin@darkmatter.ae<mailto:Alexander.Sherkin@darkmatter.ae>
darkmatter.ae<http://darkmatter.ae>
[Linkedin]<https://www.linkedin.com/company/dark-matter-llc> [Twitter] <https://twitter.com/GuardedbyGenius>
The information in this email is intended only for the person(s) or entity to whom it is addressed and may contain confidential or privileged information. If you receive this email by error, please notify us immediately, delete the original message and do not disclose the contents to any other person, use or store or copy the information in any medium and for whatever purpose. Any unauthorized use is strictly prohibited.
From: MLS [mailto:mls-bounces@ietf.org] On Behalf Of Emad Omara
Sent: April 18, 2019 11:41 PM
To: Alexander Sherkin <Alexander.Sherkin@darkmatter.ae>
Cc: mls@ietf.org
Subject: Re: [MLS] Blocking Update messages for breaking post-compromise security
On Thu, Apr 18, 2019 at 11:55 AM Alexander Sherkin <Alexander.Sherkin@darkmatter.ae<mailto:Alexander.Sherkin@darkmatter.ae>> wrote:
Hi Emad,
Could there be a setup where each A’s point of presence (device) participates as a separate leaf in the ratchet tree? The advantage of such approach may be to avoid the key synchronization problem between points of presence.
This is actually the current assumption in the architecture document, each device is represented as a separate client, however we are also currently looking into using a virtual client mode where all devices are presented in a single node.
[Alex] Does it mean that I do not need to control all A’s devices, and preventing just one device from sending Updates will make attack successful?
Do you see the mechanism of removing users who did not send Updates recently should be part of the protocol or should it be driven by the app?
Well, I see this as just a recommendation to the app, not sure what can be done at the protocol layer!
[Alex] Say I want to integrate MLS into my app and follow the recommendation of kicking devices that have not sent Update recently. This means that devices that have been offline for a while (vacation, etc) will be unable to participate in the group after they are back online. Ideally, as an app developer, I would want these devices to be able to re-join gracefully so we are back in “Self-Add” problem domain.
I guess the app may allow devices to re-join by sending all users Add command essentially resetting the ratchet tree, but is it the best approach? Should there be more guidance from the protocol? Or should the protocol explicitly state when devices should remove inactive leaf nodes? If this decision is not part of the protocol, it may not be clear what post-compromise security properties are guaranteed by the protocol.
Thank you.
Alex.
Alexander Sherkin
Software Architect
[cid:image001.png@01D4F924.1963D960]<http://www.darkmatter.ae/>
2 Robert Speck Parkway, Suite 1610
Mississauga ON L4Z 1H8
Canada
MT+1 416 414 7117<tel:+1%20416%20414%207117>
EMAlexander.Sherkin@darkmatter..ae<mailto:Alexander.Sherkin@darkmatter.ae>
darkmatter.ae<http://darkmatter.ae>
[Linkedin]<https://www.linkedin.com/company/dark-matter-llc> [Twitter] <https://twitter.com/GuardedbyGenius>
The information in this email is intended only for the person(s) or entity to whom it is addressed and may contain confidential or privileged information. If you receive this email by error, please notify us immediately, delete the original message and do not disclose the contents to any other person, use or store or copy the information in any medium and for whatever purpose. Any unauthorized use is strictly prohibited.
From: Emad Omara [mailto:emadomara@google.com<mailto:emadomara@google.com>]
Sent: April 17, 2019 5:12 PM
To: Alexander Sherkin <Alexander.Sherkin@darkmatter.ae<mailto:Alexander.Sherkin@darkmatter.ae>>
Cc: mls@ietf.org<mailto:mls@ietf.org>
Subject: Malware[SUSPICIOUS MESSAGE] It may trick victims into clicking a link and downloading malware. Do not open suspicious links.Re: [MLS] Blocking Update messages for breaking post-compromise security
Hi Alex,
I think the attack makes sense, however it assumes the attacker has some sort of control for the network of all A's devices in order to perform the DoS. One mitigation we discussed before that could help in this attack is to force the max update window, so if a client has issued any update in the last N days, the app can decide to kick it out of the group, ot at least issue a warning to other users.
Emad
On Wed, Apr 17, 2019 at 1:58 PM Alexander Sherkin <Alexander.Sherkin@darkmatter.ae<mailto:Alexander.Sherkin@darkmatter.ae>> wrote:
Hello,
I think we briefly discussed this problem in the context of “inactive users”, but I want to bring this up again for discussion.
Let’s assume an attacker compromises user A and recovers user A’s cryptographic state including the leaf secret.. After user A is compromised, the attacker no longer controls user A. User A will eventually send an Update message, and the attacker will no longer have access to the root key. We get post-compromise security property.
However, let’s assume that after compromising user A and recovering user A crypto state, the attacker performs a denial of service attack on user A Update messages (or all messages from user A). The attacker then observes the traffic. The attacker will be able to decrypt Update messages from other participants and decrypt data-carrying messages as long as other participants include user A in their ratchet trees.
As an interesting thought experiment, we can try to apply the same attack to one-on-one use case when double ratcheting is used.. To prevent ratcheting, the attacker has to block messages from one of the participants. Practically, this means that the attacker destroys the possibility of two participants having a conversation; hence, data collected by the attack will be one participants’ monologue and may not be as valuable. In contrast, when 1 out of 1000 users is isolated, 999 remaining users will continue having productive conversation creating valuable data that the attacker may intercept and decrypt.
If the above attack vector makes sense, should we consider excluding users who did not send Update messages recently enough from the ratchet tree?
Thank you.
Alex.
Alexander Sherkin
Software Architect
[cid:image001.png@01D4F5C7.2D8B06D0]<http://www.darkmatter.ae/>
2 Robert Speck Parkway, Suite 1610
Mississauga ON L4Z 1H8
Canada
MT+1 416 414 7117<tel:+1%20416%20414%207117>
EMAlexander.Sherkin@darkmatter.ae<mailto:Alexander.Sherkin@darkmatter.ae>
darkmatter.ae<http://darkmatter.ae>
[Linkedin]<https://www.linkedin.com/company/dark-matter-llc> [Twitter] <https://twitter.com/GuardedbyGenius>
The information in this email is intended only for the person(s) or entity to whom it is addressed and may contain confidential or privileged information. If you receive this email by error, please notify us immediately, delete the original message and do not disclose the contents to any other person, use or store or copy the information in any medium and for whatever purpose. Any unauthorized use is strictly prohibited.
_______________________________________________
MLS mailing list
MLS@ietf.org<mailto:MLS@ietf.org>
https://www.ietf.org/mailman/listinfo/mls
- [MLS] Blocking Update messages for breaking post-… Alexander Sherkin
- Re: [MLS] Blocking Update messages for breaking p… Emad Omara
- Re: [MLS] Blocking Update messages for breaking p… Alexander Sherkin
- Re: [MLS] Blocking Update messages for breaking p… Emad Omara
- Re: [MLS] Blocking Update messages for breaking p… Alexander Sherkin