IETF Logo Mail Archive

Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule

Richard Barnes <rlb@ipv.sx> Tue, 18 August 2020 19:21 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D97493A0A83 for <mls@ietfa.amsl.com>; Tue, 18 Aug 2020 12:21:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tk7r3k_sEKOM for <mls@ietfa.amsl.com>; Tue, 18 Aug 2020 12:21:41 -0700 (PDT)
Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC6BB3A0A79 for <mls@ietf.org>; Tue, 18 Aug 2020 12:21:41 -0700 (PDT)
Received: by mail-qk1-x734.google.com with SMTP id m7so19341354qki.12 for <mls@ietf.org>; Tue, 18 Aug 2020 12:21:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fe50VgcC9Dh4BlXx99VjCdwIoaLbJrpkCXOuN49Dh9g=; b=PD8yLJ7KNkY/+18f+V9Pkiar2VV0y9B2X3Y5RR3EUTtb+E0tCq3YVWdEqQ/60eB0Uu f+hn8yreVTU9O8YuBcp6rAZkw0DEJhPvHee/zJDdHHevC4C1i6WLrg76xtBBUbhyyzbT nbN4LANyZ9jh/qccZNjvBT/enedBfeFkX900hv6FAOM8HDfQFxgqDkKJp8EcftAbJB/k OgGt0H3xB3lKH7HitZC67bFWuDL7DMGJ892LL924dkCzZ8QeXULMf+8lpRq6PufciAOt AIswNW0/LvLxDLyOvP6hTqFX+dQ4ynDsHLLVWQIPcpjMwP077vIuHlFcTj5idUCCa/Um LWlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fe50VgcC9Dh4BlXx99VjCdwIoaLbJrpkCXOuN49Dh9g=; b=O/tnxjqqNbDZ6WOUdR9iWVdI3abbvQ9LEhUjO766ziiY97xh6qJ1RyiGfdJSmQHcKz ncY93coLq2UGAJ3VlFc6gcmP0FW1NwLaIiexrQ4yYAIgkgkOpz9RBYyBfs/hmWt4rQJ6 pufdWR45XTS6Qpa++EX0COU/IluCIPK5eEeQE8ofLWUsJvI5D+v+4WVhUaPtu6QWyR0u cImOggKrwMsREVorJ5cpl8aFCqqisvEyTcWL6VQ2HUjwWh/BVBHsXZJgcDEI2gd6V7/v 5HzwaXWKs4xWyQ0q1gMI0Jl1nuKLcfQIc65uD/Lw2M6oSm2mnX/zYX7Y1qiXqKZv780y 4BpA==
X-Gm-Message-State: AOAM5303f3/jj0MN7Sx+2Z98GyiHxYKRt2gPGs1Ml3QYkDsxAuILdGVe w2XrTuRtSKGKX7KuQqcYwRIijp8UXD59tlkLAMhUxqhLy5paRA==
X-Google-Smtp-Source: ABdhPJxOTU/R5lZodfuwS3UbbHaqeUO0j7jvgX1jjYY8HiXFt6CD4I6zlI4mZGysLvb5tGgy2YNooHAksmwoxtKWtkA=
X-Received: by 2002:a37:8287:: with SMTP id e129mr16611766qkd.132.1597778500634; Tue, 18 Aug 2020 12:21:40 -0700 (PDT)
MIME-Version: 1.0
References: <7d7283b6-8c70-d045-81c2-f552219869ad@wickr.com> <CABP-pSSBcf_BUXPp=uxWMpBviBday8-utGzo=ksPG4Ei=_x3ag@mail.gmail.com>
In-Reply-To: <CABP-pSSBcf_BUXPp=uxWMpBviBday8-utGzo=ksPG4Ei=_x3ag@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 18 Aug 2020 15:21:20 -0400
Message-ID: <CAL02cgSx7es1KT0VTnZfaw5-J4DNys72=5uU2+qOC5R9G6ijXA@mail.gmail.com>
To: Brendan McMillion <brendan=40cloudflare.com@dmarc.ietf.org>
Cc: Joel Alwen <jalwen@wickr.com>, Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f5e0a005ad2bcb06"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/zttzNfWJ7sOzbmGDfApmuIsZ-tw>
Subject: Re: [MLS] MLSPlaintext packets aren't authenticated using symmetric key schedule
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2020 19:21:45 -0000

Brendan: I think you might have the wrong premise in mind here.  The
proposal we have been discussing would authenticate *both* that Alice is
the sender of the message *and* that she's a member of the group.  So other
members of the group could only impersonate Alice if they had compromised
her signing key.


On Tue, Aug 18, 2020 at 12:35 PM Brendan McMillion <brendan=
40cloudflare.com@dmarc.ietf.org> wrote:

> So to that end, how
>> about we modify MLS such that MLSPlaintext packets coming from group
>> members
>> must also be authenticated using something from the application key
>> schedule.
>
>
> My objection to this is that Alice can still be impersonated by members in
> the group, if we only have symmetric forward-secure authentication.
>
> There's been some discussion in the past about using forward-secure
> signatures that might be worth looking into instead, which would fully
> address this attack vector:
> https://mailarchive.ietf.org/arch/msg/mls/o3fmIul_4s6STmnqmz514cjADpw/
>
>
> On Tue, Aug 18, 2020 at 7:36 AM Joel Alwen <jalwen@wickr.com> wrote:
>
>> Hey everyone,
>>
>> Something thats been bugging Marta Mularczyk and Daniel Jost and me for a
>> bit
>> now is that handshake messages sent out as MLSPlaintext packets are only
>> authenticated using signatures, but not using the group's key schedule.
>> For
>> non-members that makes sense but for group members that's weaker than
>> need be.
>>
>> Suppose Alice is in a group using signing key pair (spk, ssk). I corrupt
>> her to
>> learn ssk. Now I loose access to her device again. Later she generates a
>> fresh
>> key package with her same spk but a new HPKE key for her leaf. She sends
>> out and
>> update proposal for her new key package and someone commits to the update.
>>
>> Expected result: she (and the group at large) has achieved PCS again.
>>
>> Actual result: using her stolen ssk I can still forge a new proposal's
>> (sent as
>> MLSPlaintext packets) coming from Alice. Some things I could do with this
>> power:
>>  - I can generate a new key package kp for Alice using her spk and some
>> HPKE key
>> she doesn't know. Then I forge an update proposal for Alice with kp. If
>> it gets
>> committed I've effectively kicked her out of the group.
>>  - I could forge Add's and Remove's coming from Alice, so I could trick
>> the
>> group into thinking Alice is trying to Add my account to the group or
>> remove
>> some other group member.
>>
>> Lemme know if I've missed something here in that scenario...
>>
>>
>> If I didn't miss anything and the attacks really work as advertised then
>> IMO
>> this is kinda weak sauce and worth avoiding if possible. So to that end,
>> how
>> about we modify MLS such that MLSPlaintext packets coming from group
>> members
>> must also be authenticated using something from the application key
>> schedule.
>> Now the above attacks fail. As soon as Alice's update is gets committed I
>> no
>> longer know the group's key schedule and so can't forged packet from
>> Alice. More
>> generally, this brings the PCS guarantees when using MLSPlaintexts
>> frameing in
>> line with what we're getting from MLSCiphertext packets.
>>
>> Any thoughts?
>>
>> - Joël
>>
>>
>>
>> PS. For concreteness, we could probably extend the current mechanism for
>> getting
>> concistancy (the confirmation_tag) to also provide symmetric key
>> authentication.
>> E.g. include most of the MLSPlaintext content into whats being tagged by
>> confirmation_tag. That would cover the case of a commit packet and
>> doesn't even
>> grow the size of MLSPlaintext packets over the current design.
>>
>> For a proposal packet we could also have a confirmation_tag but this one
>> is
>> computed using the *current* epoch's confirmation_key and
>> confirmed_transcript_hash.
>>
>> _______________________________________________
>> MLS mailing list
>> MLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/mls
>>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>

v2.23.0 | Report a Bug | By Email