IETF Logo Mail Archive

Re: [MLS] Authentication

Raphael Robert <raphael@wire.com> Fri, 07 September 2018 20:45 UTC

Return-Path: <raphael@wire.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB36A12F18C for <mls@ietfa.amsl.com>; Fri, 7 Sep 2018 13:45:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a2GS4ZK4Pawg for <mls@ietfa.amsl.com>; Fri, 7 Sep 2018 13:45:38 -0700 (PDT)
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C53B128C65 for <mls@ietf.org>; Fri, 7 Sep 2018 13:45:38 -0700 (PDT)
Received: by mail-wr1-x42e.google.com with SMTP id e1-v6so7091551wrt.3 for <mls@ietf.org>; Fri, 07 Sep 2018 13:45:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20150623.gappssmtp.com; s=20150623; h=from:content-transfer-encoding:mime-version:subject:date:references :to:in-reply-to:message-id; bh=e9O/ET467QQTT7bP6au36+AWg3yd+XEpzKI56hCVh8c=; b=vCf+ajtDUOkSUA+BACBlqJYV1kIjsSxxrCZM4T1K18dNOLC5wkzc4TB7OF28IJ8JCn dIG3Wv/x5pNK/av6TJk/9CZ8wUgNHcHc74x9FwEI450NslK6gFLExdeGmLVNaklpY9xR 4bQyf2DoFSBVJ99LkuNwgu3ikTGQjxWMNZp3117vJ3R/O6YE89ITxm51zIZtowxQdtgc f2unWnt7lky4Sf4FfnhJScN4mNodL+StLRzhKtv5CH9LXV2bTz4vjHU/3ZnNAepybMhc ONhkqbHyhjIQaei7uMpQ99WMd9icOX7/60A3q/i+yA/e0vmSDOdBzncxL0LHYstIHxfP 4ZCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:date:references:to:in-reply-to:message-id; bh=e9O/ET467QQTT7bP6au36+AWg3yd+XEpzKI56hCVh8c=; b=kshmKyiFCKVs6NRbahDf0hFd6IMt21lpDgiMKvtiUyqc4cwR24YwVOLJTFgE7esGO0 RqARWbGG4Jqm22jiYbCZkvK8/W72naSn9teIUjLyoCGp+HDysprv2L0rg7TOAAFhmgjy nIxEEqXB6+I7yKcoCKnO50mAi+1it2+/27uCgcBxCN7H1GSe55d2UbnGt6pGuA06j2Se SluvbKFixq3T/FhYw9asy7v3u/g+Vm1luisAipfvmqwTJvwroqE61TILeBFD9EP70JIe nA7zteTKXCn9DxD1AhB8NB2qYqiALCpwuP27qoqwotHSYl8kMSpY8CfmtsCeaEPn9gqQ cdLA==
X-Gm-Message-State: APzg51BjFSUan1urOAQf96pJr1Jd7d139A6yYpssvhqcjiR3KRHYhQuA TOMRSc96zzJ0bL8Tdhs5xFNnXg19xlP8VA==
X-Google-Smtp-Source: ANB0Vdagv+v2xhD4224dKGDqakntt2SLHrs906xk8nZUgAr/jXKihQBm733p+GUnlyf/1Ux1jYLsYw==
X-Received: by 2002:adf:b69a:: with SMTP id j26-v6mr7456833wre.55.1536353136227; Fri, 07 Sep 2018 13:45:36 -0700 (PDT)
Received: from [10.10.1.109] (149.red-88-18-51.staticip.rima-tde.net. [88.18.51.149]) by smtp.gmail.com with ESMTPSA id y17-v6sm11985833wrh.49.2018.09.07.13.45.35 for <mls@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 07 Sep 2018 13:45:35 -0700 (PDT)
From: Raphael Robert <raphael@wire.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Fri, 07 Sep 2018 22:45:33 +0200
References: <CAL02cgQeVdvpUrjbaQn67MoYMb1tzBZCPPsz3cvDpQxZ_kJijQ@mail.gmail.com>
To: mls@ietf.org
In-Reply-To: <CAL02cgQeVdvpUrjbaQn67MoYMb1tzBZCPPsz3cvDpQxZ_kJijQ@mail.gmail.com>
Message-Id: <1E76A31F-5F2D-496C-BAC3-4C8CF8D2ECDC@wire.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/v4ZqKnmJmHSnkQUFgV2RG3cCvwg>
Subject: Re: [MLS] Authentication
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Sep 2018 20:45:41 -0000

Thanks for the detailed write-up, Richard!

Here are my two cents:

1. SIGMA or Katz-Yung? 

No opinion yet, other than SIGMA might offer more options as you mentioned.

2. Pubkeys in roster? 

I think this begs the question what a public key stands for. Its scope could be a) per participant, b) per device of participants, c) per conversation, d) a combination of c + d. Additionally, it could be short-lived as you mention, meaning it could be rotated within a conversation.
I think we should start with public keys (regardless what they stand for) that might be short-lived, but assume the rotation happens out-of-band.

3. Clients store roster? 
4. Roster in-band or out? 

These two questions are somewhat linked. I think we want to achieve several goals here:

 - protocol simplicity (points to in-band roster stored on clients)
 - protocol efficiency (points to having the roster stored on a server, so that clients don't have to upload several MBs just to invite someone to a large group conversation)
 - anonymity (again points to the in-band solution)
 
The last point probably deserves more explanation: With client-side conflict resolution not being a likely option for MLS, the assumption is that a server will assist with message ordering and other tasks. This makes it a somewhat centralised system, even if it doesn't preclude federation as such.
If the server is tasked to fan-out a message encrypted under a key established by MLS, observable metadata on that server will include either the identity or an alias of the recipients of that message. As such, anonymity is not something that can be achieved on the observable metadata level.
However, there might still be the option of not storing the group member list in clear text on the assisting server. This would address scenarios where such group membership lists could be a risk: one-off server breaches (without any persistent compromise), improper deletion mechanisms, etc.

A possible solution could be the following:
 - servers can store anonymised ratcheting trees (meaning the identity of members is not part of it), this helps when adding or removing participants
 - the roster is either in-band or encrypted on a server
 - we assume there is a viable solution to guarantee integrity (additional Merkle trees were mentioned)
 
There is a follow-up question to this: If the server doesn't know the roster, how can it be tasked to do a proper fan-out of a message to the group?

Possible solutions are:
 - The client sending the message also send the list of recipients (roster) to the server along with the message
 - The roster is stored encrypted on the server and the server receives the decryption key along with the message, uses it for the sole purpose of fanning-out the message and forgets it immediately afterwards
 
In other words: before we can clearly answer questions 3 & 4, we need to answer the other questions I mentioned as well.
 
5. What to KDF?

Adding as much as possible into the KDF sounds like it makes things more robust, but doesn't this imply total message ordering? (Something that might or might not be necessary with TreeKEM)

> On 7 Sep 2018, at 00:00, Richard Barnes <rlb@ipv.sx> wrote:
> 
> Hey all,
> 
> I've been stewing about authentication for a little while, and I think I've gotten to a point where I have coherent-enough thoughts to share with the group.  (Though by no means final)  The attached PDF has some slightly stream-of-consciousness thoughts about authentication for MLS, but it ends up with (1) some crypto protocols with a degree of validation and (2) a loose proposal and some questions for the WG.
> 
> Leaving the crypto details and protocol details for the PDF, the questions for the WG are as follows:
> 
> 1. Is there any reason to prefer one of the two constructions in the document over the other?
> 
> 2. The protocol enables agreement on a "roster" of participants.  Should that roster include only identities of participants, or also their public keys?
> 
> 3. Can we rely on clients keeping around a copy of the roster, so that they can then use it to authenticate future messages?
> 
> 4. Should the roster be distributed by the MLS protocol, or should MLS just provide a pointer?
> 
> 5. Other than the roster, what information should we enforce group agreement on?
> 
> The doc has some thoughts on the arguments on either side of all of these questions.  
> 
> The next step here is to generate a pull request that makes a concrete proposal.  If folks have thoughts about the overall plausibility of the analysis here, or thoughts on the design trade-offs highlighted above, that would be helpful as I work on fleshing this out.  Hope to have a PR in flight in time for the interim.
> 
> Thanks,
> --Richard
> <group-authn.pdf>_______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls

v2.46.0 | Report a Bug | By Email | System Status