IETF Logo Mail Archive

Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule

Brendan McMillion <brendan@cloudflare.com> Tue, 18 August 2020 22:08 UTC

Return-Path: <brendan@cloudflare.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF5733A0E1F for <mls@ietfa.amsl.com>; Tue, 18 Aug 2020 15:08:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7EUb0zDf9Lm1 for <mls@ietfa.amsl.com>; Tue, 18 Aug 2020 15:08:37 -0700 (PDT)
Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14EB83A0E1D for <mls@ietf.org>; Tue, 18 Aug 2020 15:08:37 -0700 (PDT)
Received: by mail-qk1-x72e.google.com with SMTP id 2so19815693qkf.10 for <mls@ietf.org>; Tue, 18 Aug 2020 15:08:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HJiWAV7EPNuskQsBTVllkI2c/4VtdMG3NCpPBDhcmAI=; b=dGhLRqViQEQgTJgF3FI1KVKfI+/ahsadxn6nEcf8eA1hRU/ijx5hyovECoeY4JCYUO 3eBWNDnKmEXIn9WazWACHWg3pAuRUXBQmJw8Z09v4hi/JibUwKr1o8W8VD7EP3nMoOe9 PlYHPylUj8h7nApBdG4t6dcqmBcqfkMpiWJYU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HJiWAV7EPNuskQsBTVllkI2c/4VtdMG3NCpPBDhcmAI=; b=MQ4sL6vl8rpyailu/2HsZ0uQGaQy3ON8P3r9uMY+3txuvYWi0rHy2QiYakbZ3ZOcIO cTg1Bzu3Xrki4iwJY1o5Bs0qMUnGTvm0p0uhZDk40vXQW9nOK8McUq3tLWNO3mCmpJLc 0b1iGGalcrimJppTeGPeOq0KT7PMNdoA3akONaJVY7/dsIy3tp4dJa2SPw3KFM1tbTYv oLOM1iGs2Pl8wXXxdCnTJC8/5DDnSDtwmZ24DEJAJrSOzltAPeL/nZ3bXq9O4TUjYQd5 xwmuV2ZS3qPlu+/WGRIl1vOdjDyyJZUn/q910TZlXTTjfKs//ND+r3hZcflPmH1eEBpv sFDA==
X-Gm-Message-State: AOAM533FU5wGSm6lEIuHASHXC2NOYgKNuTuew2X37hPeMvPL+VUnU8Ub ROoN3q1y0gUIOfKPjGqRxVI5PWyOGE0z0eZE7E99jgObIBjniQ==
X-Google-Smtp-Source: ABdhPJz1u1jOJp/MIMs+W7WBFLSabrDsPoaoAHQQNBHWJm7eS3XS6T8s0O9QxtTLyapq00dvR6hdHXR2kWutPfC3K7k=
X-Received: by 2002:ae9:ef8d:: with SMTP id d135mr18479627qkg.109.1597788515874; Tue, 18 Aug 2020 15:08:35 -0700 (PDT)
MIME-Version: 1.0
References: <7d7283b6-8c70-d045-81c2-f552219869ad@wickr.com> <CABP-pSSBcf_BUXPp=uxWMpBviBday8-utGzo=ksPG4Ei=_x3ag@mail.gmail.com> <CAL02cgSx7es1KT0VTnZfaw5-J4DNys72=5uU2+qOC5R9G6ijXA@mail.gmail.com>
In-Reply-To: <CAL02cgSx7es1KT0VTnZfaw5-J4DNys72=5uU2+qOC5R9G6ijXA@mail.gmail.com>
From: Brendan McMillion <brendan@cloudflare.com>
Date: Tue, 18 Aug 2020 15:08:24 -0700
Message-ID: <CABP-pSRM8D0h4Jg7-V03t59s=AHHAhthUx1X1rMY7Di_oSRwgQ@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Joel Alwen <jalwen@wickr.com>, Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ea6c6b05ad2e208f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/tnyPfo4h2dmiMAr8l3etmqLtVTw>
Subject: Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2020 22:08:40 -0000

>
> Brendan: I think you might have the wrong premise in mind here.  The
> proposal we have been discussing would authenticate *both* that Alice is
> the sender of the message *and* that she's a member of the group.  So other
> members of the group could only impersonate Alice if they had compromised
> her signing key.
>

Sorry to change arguments, but I think you're right that I missed the
point. I actually don't think we should do anything here. That's because:
if Alice's long-term signing key is compromised, how can she be
impersonated? In all of these ways:

   1. An outsider can send a message to an existing group.
   2. An insider can send a message to an existing group.
   3. An attacker can generate new KeyPackages and intercept Welcome
   messages intended for her.
   4. An attacker can forge her existence in a group she's not in.

The PR you opened only addresses attack vector #1. You still have all the
other attack vectors and to address them, Alice needs to rotate her
long-term signing key. Rotating the long-term signing key should be the
resolution here, not heading off an individual attack.

In the past, we usually considered the long-term signing key to be stored
somewhere more secure than everything else, such that it was very unlikely
to be compromised, or that it was rotated regularly. That's why we haven't
worried about this in the past.

On Tue, Aug 18, 2020 at 12:21 PM Richard Barnes <rlb@ipv.sx> wrote:

> Brendan: I think you might have the wrong premise in mind here.  The
> proposal we have been discussing would authenticate *both* that Alice is
> the sender of the message *and* that she's a member of the group.  So other
> members of the group could only impersonate Alice if they had compromised
> her signing key.
>
>
> On Tue, Aug 18, 2020 at 12:35 PM Brendan McMillion <brendan=
> 40cloudflare.com@dmarc.ietf.org <40cloudflare..com@dmarc.ietf.org>> wrote:
>
>> So to that end, how
>>> about we modify MLS such that MLSPlaintext packets coming from group
>>> members
>>> must also be authenticated using something from the application key
>>> schedule.
>>
>>
>> My objection to this is that Alice can still be impersonated by members
>> in the group, if we only have symmetric forward-secure authentication.
>>
>> There's been some discussion in the past about using forward-secure
>> signatures that might be worth looking into instead, which would fully
>> address this attack vector:
>> https://mailarchive.ietf.org/arch/msg/mls/o3fmIul_4s6STmnqmz514cjADpw/
>>
>>
>> On Tue, Aug 18, 2020 at 7:36 AM Joel Alwen <jalwen@wickr.com> wrote:
>>
>>> Hey everyone,
>>>
>>> Something thats been bugging Marta Mularczyk and Daniel Jost and me for
>>> a bit
>>> now is that handshake messages sent out as MLSPlaintext packets are only
>>> authenticated using signatures, but not using the group's key schedule.
>>> For
>>> non-members that makes sense but for group members that's weaker than
>>> need be.
>>>
>>> Suppose Alice is in a group using signing key pair (spk, ssk). I corrupt
>>> her to
>>> learn ssk. Now I loose access to her device again. Later she generates a
>>> fresh
>>> key package with her same spk but a new HPKE key for her leaf. She sends
>>> out and
>>> update proposal for her new key package and someone commits to the
>>> update.
>>>
>>> Expected result: she (and the group at large) has achieved PCS again.
>>>
>>> Actual result: using her stolen ssk I can still forge a new proposal's
>>> (sent as
>>> MLSPlaintext packets) coming from Alice. Some things I could do with
>>> this power:
>>>  - I can generate a new key package kp for Alice using her spk and some
>>> HPKE key
>>> she doesn't know. Then I forge an update proposal for Alice with kp. If
>>> it gets
>>> committed I've effectively kicked her out of the group.
>>>  - I could forge Add's and Remove's coming from Alice, so I could trick
>>> the
>>> group into thinking Alice is trying to Add my account to the group or
>>> remove
>>> some other group member.
>>>
>>> Lemme know if I've missed something here in that scenario...
>>>
>>>
>>> If I didn't miss anything and the attacks really work as advertised then
>>> IMO
>>> this is kinda weak sauce and worth avoiding if possible. So to that end,
>>> how
>>> about we modify MLS such that MLSPlaintext packets coming from group
>>> members
>>> must also be authenticated using something from the application key
>>> schedule.
>>> Now the above attacks fail. As soon as Alice's update is gets committed
>>> I no
>>> longer know the group's key schedule and so can't forged packet from
>>> Alice. More
>>> generally, this brings the PCS guarantees when using MLSPlaintexts
>>> frameing in
>>> line with what we're getting from MLSCiphertext packets.
>>>
>>> Any thoughts?
>>>
>>> - Joël
>>>
>>>
>>>
>>> PS. For concreteness, we could probably extend the current mechanism for
>>> getting
>>> concistancy (the confirmation_tag) to also provide symmetric key
>>> authentication.
>>> E.g. include most of the MLSPlaintext content into whats being tagged by
>>> confirmation_tag. That would cover the case of a commit packet and
>>> doesn't even
>>> grow the size of MLSPlaintext packets over the current design.
>>>
>>> For a proposal packet we could also have a confirmation_tag but this one
>>> is
>>> computed using the *current* epoch's confirmation_key and
>>> confirmed_transcript_hash.
>>>
>>> _______________________________________________
>>> MLS mailing list
>>> MLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/mls
>>>
>> _______________________________________________
>> MLS mailing list
>> MLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/mls
>>
>

v2.23.0 | Report a Bug | By Email