Re: [MLS] welcome_secret
Richard Barnes <rlb@ipv.sx> Mon, 03 August 2020 22:58 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F35153A1103 for <mls@ietfa.amsl.com>; Mon, 3 Aug 2020 15:58:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.004
X-Spam-Level:
X-Spam-Status: No, score=0.004 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vd6wcEdcYPzP for <mls@ietfa.amsl.com>; Mon, 3 Aug 2020 15:58:56 -0700 (PDT)
Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04ADA3A0D66 for <mls@ietf.org>; Mon, 3 Aug 2020 15:58:55 -0700 (PDT)
Received: by mail-qk1-x735.google.com with SMTP id q128so4425072qkd.2 for <mls@ietf.org>; Mon, 03 Aug 2020 15:58:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8LKE+cmhAm+3Qq7nusP+onKCnsYcr9qCIsVOP94OWeE=; b=0zfOetaCt/xL+Lx7Y3se9zIxgme2OPglUwJVcBMWij9lLdugPfdlQhh0Mkup5n84vD 5CbYgj3ffQROk0hV35iNio6kCX+3XDdSyl1fySdjLg6pXMdhQ7bwnsQKwKlAs+jzcKlB f+DrqFP/jarBpcj3nt8hh3TduRFncQbDZeE+5n+SrNgow96tWj/nXCNoWeHzw8JsEqm4 f6C5U7yogRanIkusohClMXdri55ge3bSmWjY/VvcPfjq4/+sYxkVV8EPd1ArV58MfNLe ckQcyo6UwjiI4MkjZ/iox/gX51P3eE5GaG8thytuHHrJBifg3HbtoL/h0XykLn5qWGoe szvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8LKE+cmhAm+3Qq7nusP+onKCnsYcr9qCIsVOP94OWeE=; b=Jkwa/HWmJvHlSYLXcvsVOpVR2pvV9JMnjrL59j2upSwgHPYfmKjxscGDe3HDMuQX5V WGJKueALw10yBAQ14EIPJUa7Kyq+uN83az1k1RbchhU83VZq7q3FXVNbpg3tEr/7t1hX 6k4QGZhLkxHhOEbLx3QNk+uzHCtubyEiww4uGSpNun6lRPDhSKLC50QrqWLT0OI+FvxR BnimbAQYlr/LDXghDfa0+ItNQ9WDcoCXrk7LyUkOS6iSg9rzy2B+o53B8jn/NBE0DWdK 3GHIpK5vkxhFrwrk2VwtRwDCPV4M80aeGuaMStku7qAnwIHwY5GBmGQgwsZW06NPLDgZ UwFw==
X-Gm-Message-State: AOAM533BRL41KalHRyek2h3Essrw3Vv+GEJ6sxu/mKmZxt/maifijKzo fysSOmvxsAHmwHaEaY6htOGZIuqyAIgwvmpUS+6FxAIekVtF9Q==
X-Google-Smtp-Source: ABdhPJwiG/jCrKocBndlwjn52JpgJARHKcbK8B0BB2Jmzsx2A57Fek+vUGf7J71nZmfhAkeHf/k/BkF9xa2DJg8BhiA=
X-Received: by 2002:a37:b5c5:: with SMTP id e188mr16094921qkf.159.1596495534671; Mon, 03 Aug 2020 15:58:54 -0700 (PDT)
MIME-Version: 1.0
References: <ca00bc59-32e4-1ab6-8ac6-d5b4f285b013@aalto.fi>
In-Reply-To: <ca00bc59-32e4-1ab6-8ac6-d5b4f285b013@aalto.fi>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 03 Aug 2020 18:58:42 -0400
Message-ID: <CAL02cgSY3tGA+eQOspjr0v88UPCJke5hgmDg63p3Pn7deCCTsg@mail.gmail.com>
To: Chris Brzuska <chris.brzuska@aalto.fi>
Cc: Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003adef405ac011538"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/tlO4Pq9k5UaEiIkFdywnLYGEXJU>
Subject: Re: [MLS] welcome_secret
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Aug 2020 22:58:58 -0000
Hi Chris, I think you might be misunderstanding the encryption of the Welcome message a bit. The GroupSecrets are encrypted with HPKE to the public keys of the new joiners; there's no shared key for the GroupSecrets. Still, HPKE does make it possible to supply a PSK. So you could provide the PSK ID on the outside of the Welcome, then use the (combined) PSK as a PSK for the GroupSecrets decryption *and* for the key schedule. A few observations about that, though: 1. It would be marginally more efficient, since you're giving the same PSK IDs to everyone 2. It would leak to the DS the PSK IDs for the PSKs in use 3. If you have multiple PSKs, you would need to combine them *and* combine their IDs, since HPKE only has a single PSK input / PSK ID input 4. Would you want separate derived PSKs for HPKE and for the key schedule? On the other hand, if you don't use the PSKs with HPKE (just with the key schedule / GroupInfo decryption), then you do leak the member_secret and a path_secret to someone who has compromised an init_key, but if they don't know the PSK, they still can't join the group. For me, while including the PSK at the HPKE stage does seem like it would add some conceptual cleanness, the additional complexity seems a bit daunting, and I don't live the privacy leak. --Richard On Fri, Jul 31, 2020 at 3:22 AM Chris Brzuska <chris.brzuska@aalto.fi> wrote: > Hi all, > > I think that the current derivation of the welcome_secret (used to > encrypt the Group_Info) performs additional operations which are not > needed, and its use is not optimal from a security perspective (and not > necessary from an efficiency perspective). In the current version, we > encrypt the joiner_secret (without PSK) and then derive the > welcome_secret from the joiner-secret. > > Case 1: If the welcome_secret is not derived from the PSK, then one can > use the same symmetric-key for encrypting the Group_Info than for > encrypting the Group_Secrets. There is no efficiency loss, since for all > new members, the same symmetric key for encrypting the Group_Secrets is > used. In the case that the welcome_secret does not depend on the PSK, it > is not needed at all. > > Disadvantage of this: The PSK does not protect the GroupInfo, as > mentioned by Konrad. > > Additional Disadvantage of current version: Performs additional > unnecessary key derivations which do not add security/efficiency. > > Case 2: If we want to make the welcome_secret depend on the PSK, we do > not need to make it depend on the group_secrets. Making the > welcome_secret depend on the group_secrets does not add any security. > Instead, we only need to derive it from the PSK and the symmetric-key > which was sent to all group members. In this case, it makes sense that > both, the Group_Secrets and the Group_Info will be encrypted with the > same key rather than different keys. In this case, both the > Group_Secrets and the Group_Info will be protected by the combination of > PSK knowledge and knowing the secret-key for the PKE. > > Advantage of this: The PSK protects both the GroupInfo and the > GroupSecrets. > > Chris > > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] welcome_secret Chris Brzuska
- Re: [MLS] welcome_secret Richard Barnes
- Re: [MLS] welcome_secret Chris Brzuska
- Re: [MLS] welcome_secret Richard Barnes