[MLS] Malicious user segmenting the group
Jon Toohill <jtoohill@google.com> Mon, 22 October 2018 17:37 UTC
Return-Path: <jtoohill@google.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0DB1128D0C for <mls@ietfa.amsl.com>; Mon, 22 Oct 2018 10:37:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.501
X-Spam-Level:
X-Spam-Status: No, score=-17.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kOQONLmEXShf for <mls@ietfa.amsl.com>; Mon, 22 Oct 2018 10:37:05 -0700 (PDT)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B3551252B7 for <mls@ietf.org>; Mon, 22 Oct 2018 10:37:05 -0700 (PDT)
Received: by mail-io1-xd35.google.com with SMTP id s6-v6so16947268ioa.11 for <mls@ietf.org>; Mon, 22 Oct 2018 10:37:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=fZPHB+Hvs6ykKsyka/YgUCm1amQkzo+XWxuCbOtZDls=; b=rWTcmWgKUfnLnsh2bfl5cTf4fm10Oc4HS/NySuxutwxS1MchQeZYXxjluSaxccYqqf CWZLzDZnf7/9p9JlF/0cQc1xYoBy4ZFk6BkO//qTLML8j3jLPStMxgXIt2ZZxSIGIU1N /lAQHnaxgqi2MNxqUXUnOIvkFHKYBL49RUHY1fZXfOtSrk2vxFzThWjSSRI6Rtsm5syc Pr2H/9mwsl4lp11l2Yx0/uFBX6JEuEdRHvhyAOoWwQ797sHO0Ka+cDuC5owq02B5CHAb 31ykCli+UGFbT3wLyt+NtvDfXKRVqqxhK4YYrGV1FxYK0nOd2Rf6JBAQZ8zNHTj1WZ/X in9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=fZPHB+Hvs6ykKsyka/YgUCm1amQkzo+XWxuCbOtZDls=; b=HErsMxjAqjBBlgSRe1XqdLviDEuxDbp8OK7Iuls+cDZVzMI5pIZ80Ne72Gkq3WBayO 7d6zBJPAuXquIepQtjlB7gf4ZmTV8GssIB9C6dYIn0iAK7kgk3WVuvcI4APD/ZJLFBsK 9/XRW8Royooos3fSNVTU3Azr+dMU/f+lYPk9rjTHDzm4ZMQNhMtdmRfraMkNNlWM6k4D xR418BUXMkC7KDrBpKjRjoAFHYeVcqfSE1gtET7TMae0m+lEEQmMgDFMJLENYLBakhJk LlsaAk8y+sHtf9ERbF8jIu1l2SMm+5GPUK8xny5PnpemiE1DNpqiJdYxys0HpEYOXDBv VFWQ==
X-Gm-Message-State: AGRZ1gK+58NkUwqZLZmjEXpX+noVNHMA+1BSGRsnb309oisKxx3MJx3X o5JCqqzj025rQnipnrdnhfR22n8XUkYP6a7bazJLZkZKdRgfxw==
X-Google-Smtp-Source: AJdET5f5mDmqyX31HDC+TG3pedDAy/Kp3rl+cM+J+ewhWCglCPpWP+hDyW+ysxHWqThsIxdnp18eZGyLXq/PK6gjXT4=
X-Received: by 2002:a6b:b2d8:: with SMTP id b207-v6mr8364295iof.147.1540229823766; Mon, 22 Oct 2018 10:37:03 -0700 (PDT)
MIME-Version: 1.0
From: Jon Toohill <jtoohill@google.com>
Date: Mon, 22 Oct 2018 10:36:37 -0700
Message-ID: <CA+tdQEvNiiVvJfeh51AWBPB-z9Jpymt4LHRRfCBdkYh6XnfkAQ@mail.gmail.com>
To: mls@ietf.org
Cc: Emad Omara <emadomara@google.com>, Gary Belvin <gbelvin@google.com>
Content-Type: multipart/alternative; boundary="0000000000008518010578d4b36c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/yunEGZr33omHKwt3OCiIDJ-yOXI>
Subject: [MLS] Malicious user segmenting the group
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Oct 2018 17:37:07 -0000
Hey MLS folks, I'm still skimming through the mailing list archives to get up to speed, so apologies if this has already been discussed & solved. I saw the following note in a recent version of the protocol draft: [[ OPEN ISSUE: It is not possible for the recipient of a handshake message > to verify that ratchet tree information in the message is accurate, because > each node can only compute the secret and private key for nodes in its > direct path. This creates the possibility that a malicious participant > could cause a denial of service by sending a handshake message with invalid > values for public keys in the ratchet tree. ]] > It seems like this could be solved by having the handshake message sender prove in zero knowledge (i.e. without revealing their secret or the parent secret) that they derived the parent public key correctly. ZK-SNARKs are one way of doing that, but my admittedly weak understanding is that generating proofs might be too computationally expensive for mobile devices. Does this seem like a worthwhile direction to investigate? Does anyone know of a more efficient construction that could be used in MLS? -Jon Toohill
- [MLS] Malicious user segmenting the group Jon Toohill
- Re: [MLS] Malicious user segmenting the group Richard Barnes
- Re: [MLS] Malicious user segmenting the group Raphael Robert