Re: [MLS] Potential issues with "add-only" commits in young groups

Cornelissen Eric <eric.cornelissen@aalto.fi> Thu, 06 August 2020 06:44 UTC

Return-Path: <eric.cornelissen@aalto.fi>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6370A3A0AAE for <mls@ietfa.amsl.com>; Wed, 5 Aug 2020 23:44:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aalto.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1aoBPzZqpEJL for <mls@ietfa.amsl.com>; Wed, 5 Aug 2020 23:44:46 -0700 (PDT)
Received: from smtp-out-01.aalto.fi (smtp-out-01.aalto.fi [130.233.228.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EA223A0786 for <mls@ietf.org>; Wed, 5 Aug 2020 23:44:45 -0700 (PDT)
Received: from smtp-out-01.aalto.fi (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 80D17115931_F2BA6D7B; Thu, 6 Aug 2020 06:44:39 +0000 (GMT)
Received: from exng4.org.aalto.fi (exng4.org.aalto.fi [130.233.223.23]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (Client CN "exng4.org.aalto.fi", Issuer "org.aalto.fi RootCA" (not verified)) by smtp-out-01.aalto.fi (Sophos Email Appliance) with ESMTPS id 55FBE11596E_F2BA6C3F; Thu, 6 Aug 2020 06:44:19 +0000 (GMT)
Received: from exng7.org.aalto.fi (130.233.223.26) by exng4.org.aalto.fi (130.233.223.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Thu, 6 Aug 2020 09:44:19 +0300
Received: from exng4.org.aalto.fi (130.233.223.23) by exng7.org.aalto.fi (130.233.223.26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Thu, 6 Aug 2020 09:44:18 +0300
Received: from exng4.org.aalto.fi ([fe80::4047:1ae:cfdf:c1a8]) by exng4.org.aalto.fi ([fe80::4047:1ae:cfdf:c1a8%18]) with mapi id 15.01.1979.003; Thu, 6 Aug 2020 09:44:18 +0300
From: Cornelissen Eric <eric.cornelissen@aalto.fi>
To: Richard Barnes <rlb@ipv.sx>
CC: "mls@ietf.org" <mls@ietf.org>
Thread-Topic: [MLS] Potential issues with "add-only" commits in young groups
Thread-Index: AQHWaysOYLkshmHVlE2/Q1XWhkDVcqkpefyAgAEn/L8=
Date: Thu, 6 Aug 2020 06:44:18 +0000
Message-ID: <37a1560c423a4a36aaeb93d558b1552c@aalto.fi>
References: <e0d6ff151c464d9d9cf49af054df6cdf@aalto.fi>, <CAL02cgR286OaG9Sq3s86-dycGcnw5VYc+DqOxLstSyhMShDrzg@mail.gmail.com>
In-Reply-To: <CAL02cgR286OaG9Sq3s86-dycGcnw5VYc+DqOxLstSyhMShDrzg@mail.gmail.com>
Accept-Language: en-US, fi-FI
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.233.0.5]
Content-Type: multipart/alternative; boundary="_000_37a1560c423a4a36aaeb93d558b1552caaltofi_"
MIME-Version: 1.0
X-SASI-RCODE: 200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aalto.fi; h=from:to:cc:subject:date:message-id:references:in-reply-to:content-type:mime-version; s=its18; bh=gkqx4iBEwQ+cxEipzVnJNL9Mt94AO191XYGynHOSq5Q=; b=y+VqRakiWmby7IdafrJs6CZz55Jin7x1X+8piUHB1CGFyvue1SXiLe0FYc6bNPTfUmEdFiOMNMRkbCMNSZ8C1kqWIgkvJDExH4/LbmdYIeam2Ipa2evSU2waG/dMucVwIToN0IxsiY5tCep6lEi5gcwoivbX+bnPzPiaPPF3xLwXtsA++Y431ZwA9K4eEl8L0IwolhcdIUqRbNnGVDi8rhKEH6rKgq10VX+ZW9rma9Tug/DUKyO2My9L1yGSfHXrKSoQoVT13JIElytlIUdH5+HomOMDFUHYHoQ5Me4Jp+h1fAj32SDzRYjtf/HgOS35gSs9kE2uIwekUK7GPkrLvQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/wlB_JiGA3b4J2jchSfBufDp-KAI>
Subject: Re: [MLS] Potential issues with "add-only" commits in young groups
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Aug 2020 06:44:49 -0000

Hi Richard,


I will try to get in a PR to change the initial init_secret from being zero to being random.


Regarding #2, thanks for the clarification. If, as you say, a joiner does not learn the value at the root of the TreeKEM tree in the case of an "add-only" commit, then the attack I describe doesn't work. To me, it was not 100% obvious from the spec whether or not this was true or not (though it makes sense seeing that the joiner doesn't need to know that value).


Regards,

Eric

________________________________
From: Richard Barnes <rlb@ipv.sx>
Sent: Wednesday, August 5, 2020 6:58:49 PM
To: Cornelissen Eric
Cc: mls@ietf.org
Subject: Re: [MLS] Potential issues with "add-only" commits in young groups

Hi Eric,

Thanks for the analysis, and the detailed, clear writeup.  I agree that there are some real issues here, and with the solution approach.  Just to align on a couple of details:

#1 is clearly a problem.  Good catch.

#2 is less clear to me.  You lose me when you say ""add-only" commits allow new group members (ONLY) to learn the value at the root of the TreeKEM tree".  How do you think this happens?  As I understand the spec, this is not the case.  New members are added to the "unmerged_leaves" array at the root, but they are not told the root secret or root private key.

In any case, I agree that we should change the initial init_secret from being zero to being random.  I think I had set it to zero out of a general caution against requiring fresh entropy, and likely under the theory that the first commit would change it (before `path` was optional).  But it is clearly necessary now.  If you would like to send a PR, I would be happy to review.

Thanks,
--Richard



On Wed, Aug 5, 2020 at 9:27 AM Cornelissen Eric <eric.cornelissen@aalto.fi<mailto:eric.cornelissen@aalto.fi>> wrote:

Hi All,


Quick introduction: my name is Eric, I have submitted a few issues in the MLS GitHub and I did an analysis of MLS for my Master's thesis last academic year, now I'm doing a research project related to MLS with C. Bruzska.


During this project I found a potential issues with "add-only" commits if used in the early lifetime of a group. I found two particular issues that I think are most important to look at and which I will describe both here.


Note 1: Neither of the issues I describe hold when a PSK is used, hence I will only consider scenarios where PSKs are not used.

Note 2: In both attacks the attacker must record the (encrypted) Welcome message(s) send out for a group (i.e. I'm assuming a network adversary).

Note 3: I use "add-only" commit to denote an commit that does not populate the path value of a commit and "full" commit to denote a commit that does populate the path vale of a commit. This, I suppose, deviates slightly from the draft.

Note 4: I attached diagrams explaining the attacks, I hope they are understandable :)


  1.  When using an "add-only" commit for the first commit (see attachment 01.jpg for a diagram)

The first issue is w.r.t. using an "add-only" commit as the very first commit of a new group. To the best of my knowledge this would result in the input to the key schedule being to two all-zero vectors. Namely, the init_secret for the first commit is always the all-zero vector and the commit_secret will be an al-zero vector because an "add-only" commit was used.


Now, this would allow ANYONE to derive the joiner_secret and welcome_secret for the first commit. With the welcome_secret we can decrypt the Welcome message for the user(s) being added to the group. From the Welcome message we can construct the GroupContext that is used in the key schedule (GroupContext_[n] is a subset of the GroupInfo in the Welcome message).


With all this information ANYONE can compute all of the keys produced by the key schedule for the first epoch and read any communication that happens in this epoch. Furthermore, if another "add-only" commit is used the input to the key schedule for the next epoch is also known to the attacker(!) as commit_secret will again be an al-zero vector, and we know the init_secret.


  1.  When using a "Full" commit followed by "add-only" commits (see attachment 02.jpg for a diagram)

The second issue arises from the fact that "add-only" commits allow new group members (ONLY) to learn the value at the root of the TreeKEM tree in some earlier epoch E. In general this is not a problem, because they won't know the init_secret for epoch E-1. However, if only the very first commit for a group is a "full" commit new group members do know the init_secret for epoch E-1, as it is always the all-zero-vector.


>From here the attack proceeds very similarly to the other attack. Imagine a group is created by Alice. Alice adds Bob to the group with a "full" commit (hence init_secret = 0 and commit_secret ≠ 0). Next, Alice adds Charlie to the group with an "add-only" commit (not updating the TreeKEM tree). Next, Alice adds Eve to the group also with an "add-only" commit (again not updating the TreeKEM tree).


At this point, Eve learn sthe value at the root of the TreeKEM tree. Since this hasn't changed since the first epoch, Eve can find the commit_secret for the first commit of the group. This, together with the fact that init_secret is the all-zero vector, allows Eve to compute the joiner_secret and welcome_secret for the first commit. Hence, Eve can now carry out the attack described first to obtain all the keys for the epoch in which Bob was added.


Furthermore, because the commit_secret for the next commit is the all-zero vector, Eve can compute the joiner_secret and welcome_secret for the second commit as well. Hence, Even can carry out the attack described first again. In fact, even is able to do this until she reaches the commit in which she was added herself.



I believe the easiest way to mitigate these attacks (and any attacks like it) is by requiring that the init_secret of the first commit is a randomly sampled value. Alternatively, the first two commits of a group could be required to be "full" commits.


Eric.


_______________________________________________
MLS mailing list
MLS@ietf.org<mailto:MLS@ietf.org>
https://www.ietf.org/mailman/listinfo/mls