Re: [MLS] Deniability -> "recording"?
Raphael Robert <raphael@wire.com> Thu, 23 January 2020 16:50 UTC
Return-Path: <raphael@wire.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F175F120121 for <mls@ietfa.amsl.com>; Thu, 23 Jan 2020 08:50:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i22Mz2uIn8Ev for <mls@ietfa.amsl.com>; Thu, 23 Jan 2020 08:50:57 -0800 (PST)
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0D3D1200F7 for <mls@ietf.org>; Thu, 23 Jan 2020 08:50:56 -0800 (PST)
Received: by mail-wm1-x330.google.com with SMTP id t23so3296097wmi.1 for <mls@ietf.org>; Thu, 23 Jan 2020 08:50:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=+pYnQM5SPakBXTVXfKTlAohixRn41yUQ9LVMZq0jZdM=; b=fYhCFhSFKrRaz0a5EwSvfbqFqtG7FsjYbXECmrjwXxRgLDWTgQHgZL7pzet5xdcnFT SQ1ro3xASpsIna9/BOuZ4Ut/d3w0/owE1AtBDrrfo9UKtowAQ1N59NOsfFh/s3hBAQqA VM98c50sULKaL/mYmySlyxcJsz2zFNQ9Zoos6Yysd6jbexU+hNm/7N0HEk+6PLdZJWfr 39B/x1WNNERdHFTyIvxVefb4cCMBD1zuiVwEHQdeMaoNo9KBfKpSL2KnaA2TsqhZqizB eLtB8BkMauQCTd4hBv8EM86nekzN/EL3oashrPFV9ZOutvAPjQn/6F7W4mLSSRh2avsN tKfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=+pYnQM5SPakBXTVXfKTlAohixRn41yUQ9LVMZq0jZdM=; b=S6ZY9lV+fvRroSqEzc7TeV+dnlsnWetDeBtU5+TJVtdWT/mquB3ASkshk8PlsnSE74 kk3xrHRBwJJuc21FKZGTVeAuUu/mhlJSPkZsypYkzjVpn9hGrHsvTO4FuSeSEUyLHLc3 vL9lZhFG3rZ5+1B4Pns7yRN+aSTTYO8dUhhow0dv8LDNo+/1cQgzkUmoLRDg30swPOKE FHNUxQargCGu4RGB4Vwqe1XZ2VKM6TmDai4yOtMbS4rfNfcRk+nwyn6u2XIymsMm/ZOX zQRNbbUjoOA341Ayh5TvWrlC1G8SowJY+4LyTlxgvg0qoq1Yo5ZSf50SDpU//7jDqYx3 yvEA==
X-Gm-Message-State: APjAAAWxMCunKKuKX/fbVB1cWBywgU3rSVgQiGWQUVKt3z18dqCV43mP 9jj4MB1YtIVB6WFjaKSIABg0hw==
X-Google-Smtp-Source: APXvYqwl4q3Rl2JNr3nAGICpAQhvB2FhvQSW95rNBjvya7iqz9ghv2v5ygW8uL9O3Hne5io6Z6BG6Q==
X-Received: by 2002:a1c:3c89:: with SMTP id j131mr5195784wma.34.1579798255032; Thu, 23 Jan 2020 08:50:55 -0800 (PST)
Received: from rmbp.wire.local (h-62.96.148.44.host.de.colt.net. [62.96.148.44]) by smtp.gmail.com with ESMTPSA id a184sm3362954wmf.29.2020.01.23.08.50.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 23 Jan 2020 08:50:53 -0800 (PST)
From: Raphael Robert <raphael@wire.com>
Message-Id: <3E30B070-68DB-4A56-A02C-E450B2033F54@wire.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_79C168DD-2F86-4371-8732-39CB600631C1"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
Date: Thu, 23 Jan 2020 17:50:53 +0100
In-Reply-To: <2061064987.251760.1579790003975@mail.yahoo.com>
Cc: "jon@callas.org" <jon@callas.org>, "mls@ietf.org" <mls@ietf.org>, Cas Cremers <cas.cremers@gmail.com>
To: nalini.elkins@insidethestack.com
References: <2060195243.218290.1579787145340.ref@mail.yahoo.com> <2060195243.218290.1579787145340@mail.yahoo.com> <eefe9673-37e0-d244-14c5-dd34e4256cf7@gmail.com> <2061064987.251760.1579790003975@mail.yahoo.com>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/xGfYItjZMla_gmWENKUAioA8Cck>
Subject: Re: [MLS] Deniability -> "recording"?
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2020 16:51:00 -0000
Just to rule out any misunderstanding: the deniable mode of MLS we are exploring is optional (as per the architecture document). Furthermore deniability should not invalidate the properties stated in the charter (in particular authentication). Deniable authentication simply means that members fully authenticate to each other within the group, but members cannot deliver a proof of this authentication to third parties outside of the group. Depending on the flavour of deniability this means that a member cannot prove to an outsider whether a specific message was sent in the group (message deniability), or whether a certain member was part of the group (membership deniability), etc… I hope this clarifies things a bit. Raphael > On 23 Jan 2020, at 15:33, nalini.elkins@insidethestack.com wrote: > > > > Cas, > > On Thursday, January 23, 2020, 05:59:49 AM PST, Cas Cremers <cas.cremers@gmail.com <mailto:cas.cremers@gmail.com>> wrote: > > > >Hi, > > > >The "recording" / "non-deniable" properties you are suggesting are not > >part of the desired properties described in the charter, so I think it > >is best to first try to meet the intended MLS goals -- it's complex > >enough as it is. > > > Maybe we have a misunderstanding. From the charter: > > > o Message Confidentiality - Messages can only be read by members of the group > > o Message Integrity and Authentication - Each message has been sent by an authenticated sender, and has not been tampered with > > o Membership Authentication - Each participant can verify the set of members in the group > > > I just want to make sure that a group member cannot say after the fact that they were not a member of the group. Let's leave the "recording" participant out of the discussion. It is taken care of by complying with the Authentication statement above. > > > Nalini > > > On 1/23/20 2:45 PM, nalini.elkins@insidethestack.com <mailto:nalini.elkins@insidethestack.com> wrote: > > All, > > > >>> On 22 Jan 2020, at 20:59, Jon Callas <jon@callas.org <mailto:jon@callas.org>>> wrote: > >>> > >>> > >>> > >>>>> On Jan 22, 2020, at 7:54 AM, Raphael Robert > > <raphael=40wire.com@dmarc.ietf.org <mailto:40wire.com@dmarc.ietf.org>>> wrote: > >>>>> > >>>>> For general context: Deniability is something that is being > > discussed right now and we should send some update to the list as soon > > as we have sorted things a bit better. > >>>>> > >>> > >>> Please do. I have some tart opinions about deniability, and don't > > want to waste anyone's time before we know what we're really talking about. > >>> > >>> It's also probably best not to talk about things like courts and so on. > >>> > >>> There are a number of reasons, starting with jurisdictional issues. > > Inevitably, each of us will talk about legal issues through the lens of > > our own native jurisdiction and that lens is cracked with our own > > misunderstandings of law and procedure, not to mention that these things > > do change over time. A procedural stage setting of today may not be the > > setting of a decade from now. > >>> > >>> Lots of protocols talk about "deniability" and it's often a weird > > concept that is a term of art and doesn't mean at all what a reasonable > > person might think. I've had some discussions with people about the > > "deniability" of OTR and others, where it doesn't mean what any > > non-expert would think it does. > >>> > >>> There are other deniability issues that are peculiar.. A way that I've > > characterized this issue is that deniability assumes that your adversary > > is either stupid or good. By "stupid" I mean that they understand what > > deniability is, and might not even look for it. (e.g. hidden volumes in > > Truecrypt). By "good" I mean that you're going to give some mathematical > > explanation and they'll accept it. If the adversary is smart and evil, > > deniability can be a weakness, not a strength. > >>> > >>> Here's an example, again with Truecrypt hidden volumes. I once talked > > to some customs officials in a country that's not mine, and I asked them > > about hidden volumes. They said, "Oh, yeah, we know about hidden volumes > > and if we see Truecrypt, we *assume* there's a hidden volume. Why would > > anyone use Truecrypt and not have a hidden volume?" That might not be > > precisely evil, but it shows a basic issue. True evil would be that > > after getting to the hidden volume, they ask you to open up the hidden > > volume in the hidden volume. You reply that there's only one level of > > hidden volume and they reply (knowing that you're right, but because > > they're evil), "That's your story. This is open source software. Open up > > the other hidden volume." > >>> > >>> Another form of assumption as either smartness or evil is that if you > > have a ring signature that could have been made by Alice, Bob, or > > Charlie, they just assume that Alice made it and let Alice know that's > > they're working hypothesis since she's their suspect. (I don't want to > > go too far down this rathole, but it might be the smart way to bet. > > Suppose the signature was made at 4am Pacific or 12pm GMT and Alice is > > the only European in that set -- it's a reasonable hypothesis that Alice > > made it.) > >>> > >>> Thus, when we talk about deniability, let's talk about the specific > > security property and not an aspirational thing like "deniable" that > > might not work out the way we think. If the property is that a signature > > could be made by any element of a set, that's a nice property, even if > > there are externalities that can winnow that set down, even to a single > > member. > >>> > >>> Jon > >>> > > > >>I agree with the above. Ideally we would like to combine academic > > precision with common sense definitions and be clear about ?>the threat > > model too. I also agree that we should leave aside legal considerations > > for all the reasons you mentioned and focus on >the social aspect of the > > facets of deniability. > > > >>We’ll chew through the existing material to see what could make sense > > in terms of properties and how we could achieve them in >practical > > terms. Obviously not all aspects of deniability are straight forward in > > a group messaging protocol, all the more so since >MLS has strong > > authentication guarantees that 1:1 protocols might not have. > > > > Without getting into any solutions, I just wanted to put forth some > > common sense requirements. I hope that I am understanding how > > deniability might work. Please correct me if I have any misconceptions. > > > > Companies doing financial transactions and wishing to use MLS might have > > a hard time if there were some aspects of deniability. For example, if > > you do a stock trade, it is required to be recorded. If the stock > > trading company cannot prove that it was indeed you that did the trade, > > then it becomes quite problematic. > > > > Also, for example, if you are getting advice from a medical professional > > and they wish to know that it is indeed you that they are talking to. > > This is important for privacy and other issues. One does not wish to > > give health information to just anyone. > > > > I believe I had stated in this group before that the "recording" would > > be done by a completely transparent group member known to all parties. > > For example, when you call a business and you receive the message "You > > are on a recorded line." There are quite a few use cases for such a > > scenario in the business and medical worlds. > > > > I would support a common sense explanation of the various aspects of > > deniability along with what cryptographic schemes would do and not do, > > if I am am making any sense! I would be happy to work in a team > > dedicated to this effort. > > > > Thanks, > > > > Nalini Elkins > > CEO and Founder > > Inside Products, Inc. > > www.insidethestack.com > > (831) 659-8360 > > > > > _______________________________________________ > > MLS mailing list > > MLS@ietf.org <mailto:MLS@ietf.org> > > https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls> > > > > _______________________________________________ > MLS mailing list > MLS@ietf.org <mailto:MLS@ietf.org> > https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls>
- [MLS] Deniability without pairwise channels. Mathias Hall-Andersen
- Re: [MLS] Deniability without pairwise channels. Raphael Robert
- Re: [MLS] Deniability without pairwise channels. Jeff Burdges
- Re: [MLS] Deniability without pairwise channels. Jon Callas
- Re: [MLS] Deniability without pairwise channels. Raphael Robert
- Re: [MLS] Deniability without pairwise channels. nalini.elkins@insidethestack.com
- Re: [MLS] Deniability -> "recording"? Cas Cremers
- Re: [MLS] Deniability -> "recording"? Dave Cridland
- Re: [MLS] Deniability -> "recording"? nalini.elkins@insidethestack.com
- Re: [MLS] Deniability -> "recording"? Benjamin Beurdouche
- Re: [MLS] Deniability -> "recording"? Konrad Kohbrok
- Re: [MLS] Deniability -> "recording"? Dave Cridland
- Re: [MLS] Deniability -> "recording"? Konrad Kohbrok
- Re: [MLS] Deniability -> "recording"? Raphael Robert
- Re: [MLS] Deniability -> "recording"? Nalini J Elkins
- Re: [MLS] Deniability -> "recording"? Raphael Robert
- Re: [MLS] Deniability without pairwise channels. Sofía Celi
- Re: [MLS] Deniability without pairwise channels. Sofía Celi
- Re: [MLS] Deniability without pairwise channels. Natanael