Re: [Sframe] MLS Integration Question
Richard Barnes <rlb@ipv.sx> Fri, 27 January 2023 20:44 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: sframe@ietfa.amsl.com
Delivered-To: sframe@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2C1AC14CE4A for <sframe@ietfa.amsl.com>; Fri, 27 Jan 2023 12:44:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.893
X-Spam-Level:
X-Spam-Status: No, score=-1.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AoEzRxO1OoPe for <sframe@ietfa.amsl.com>; Fri, 27 Jan 2023 12:44:06 -0800 (PST)
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31228C151711 for <sframe@ietf.org>; Fri, 27 Jan 2023 12:43:59 -0800 (PST)
Received: by mail-wm1-x32c.google.com with SMTP id m15so4252423wms.4 for <sframe@ietf.org>; Fri, 27 Jan 2023 12:43:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=hidyLqJY91I8QAvXdIjSq+YL0Pd/TtXaFpgIVwrbw34=; b=6PpjpEIn7xLiA/jR+xgDeyyHjHcU1hGXN1LrBE2I+/f5aFd0eoC+xNGL7BoMYh+Tgx xv5fU0q52VLsrYn0vWjLhcCZWUXVo3KYDt5nWjNCKz75hQIAVKup5605vGnf8qNlb1wW CrhXyeqwOuFXwsr0AKNeAGuYn0Agok2GuZuGS9k3+O7PP8bjP4d/j9Yk4k3VOSlbPWU8 5kkLLkuknPoQf44Cy3ne1yuBU3MIdtap7tlknL1DTIQ0voMEfBIaRcmNJoiOxGHZdm9e DU5m+vuyUvvW7JTXPLIiz/9qu+EpuBnLtYhtKCL63rDcoi7haF08LvIz0YNSK8uFFGEb FABQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=hidyLqJY91I8QAvXdIjSq+YL0Pd/TtXaFpgIVwrbw34=; b=n/uI2N1ncGw4oqLIQvr7MQ9iY//6W6T/jRuOuqRsK/OpZUafgg/nqFWmWEofj+5w7K uudHB2u1OnETkzoOSQTVDWSmlpP1ZegaYw2fmfHpgw13U0Ipe/eDCw0LwVHZZiIQZ8KS V7GTm7RGii7mkRHDd4idGPqUrFU5TBq8iK/99e5azNZW54BgQcixWlaxpGAk14KC/r6i YiEt1rChoKkvtPMqH8uL+lohLTF8YLxLIml3fEAMvyJJu30b9msUA2PwSbzD6OgguWgA zbJtpm/g4SQMtIw8xNgeGRXP8zvRChQy3aV5mOORACuiRCETQbpkLhb8JUoY/Xz4gOyE h4YQ==
X-Gm-Message-State: AFqh2kpPR15+uJ/pzC0GsuteAd5fHC4ARpwjBzJ4rTHbWqnn3ZyVZaJQ hmKkeHH6173YNi1UbxqcbMzZUeAqiwXvz2QPTEd9Mxu0TQo6ZGTc
X-Google-Smtp-Source: AMrXdXtuhrESi/lZV5tMM1jrAslmgEhatNMM9eTRSMJK6Yn/T2e/tlHyAXDW34o9prXHe1eqF3euhLofpsmoiGZcjDQ=
X-Received: by 2002:a05:600c:538f:b0:3d3:56e6:4f08 with SMTP id hg15-20020a05600c538f00b003d356e64f08mr2258368wmb.119.1674852236800; Fri, 27 Jan 2023 12:43:56 -0800 (PST)
MIME-Version: 1.0
References: <de394d35aa2b4909876434abf42cde0f@amazon.com>
In-Reply-To: <de394d35aa2b4909876434abf42cde0f@amazon.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 27 Jan 2023 15:43:45 -0500
Message-ID: <CAL02cgQTwgCbOUJArZivkFsvt0Fu_X=KOszdwajUf1Y6Y9V5ZQ@mail.gmail.com>
To: "Alwen, Joel" <alwenjo=40amazon.com@dmarc.ietf.org>
Cc: "sframe@ietf.org" <sframe@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a0451305f344ec8f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sframe/7aiVcMJk6eCQPmd73mAU85-Nyro>
Subject: Re: [Sframe] MLS Integration Question
X-BeenThere: sframe@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Media Frames <sframe.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sframe>, <mailto:sframe-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sframe/>
List-Post: <mailto:sframe@ietf.org>
List-Help: <mailto:sframe-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sframe>, <mailto:sframe-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jan 2023 20:44:06 -0000
Hi Joël, (Accidentally sent this unicast, retransmitting to the list) Glad this is looking useful to you, and thanks for the nudge to make some updates to the document. 1. The problem you describe is definitely real. In addition to A/V, there are things like endpoints with multiple cameras that don't share state. I wrote up the solution that we're using in Webex, which is basically what you suggest -- stealing a few more bits of KID to indicate the context within the sender. Unfortunately, I apparently forgot that we had moved the MLS keying into the main spec, so I only wrote up the solution in the separate predecessor document: https://github.com/bifurcation/sframe-mls/blob/main/draft-barnes-sframe-mls.md#multiple-sender-contexts If that looks good to you, let's work on getting it ported over to draft-ietf-sframe-enc. 2. This situation seems a little different from the MLS reuse_guard situation, since it depends on whether MLS group memberships persist across restarts. In a system where MLS joins/leaves correspond to meeting joins/leaves, this is not an issue, because if the client crashes, then it will rejoin the group, and thus have a different base key. So your issue would only come up in a case where MLS state was preserved across restarts, but the CTR state was lost/corrupted. (Right?) In any case, it seems this is something an implementation could do using the context value discussed above -- generate a different context / set of contexts every time you restart. Maybe we could add a recommendation, but it seems like the application-defined context ID gives the application the tools it needs. 3. The main reason for the current design is API cleanliness -- you just export an SFrame key once when the epoch changes and generate the remaining keys internal to the SFrame library, instead of having interaction between the SFrame and MLS layers each time SFrame needs a new key. Hope that helps, --Richard On Thu, Jan 19, 2023 at 11:25 AM Alwen, Joel <alwenjo= 40amazon.com@dmarc.ietf.org> wrote: > _Hey everyone, > > > As Marta Mularczyk and I have been looking at using MLS to key SFrame > we came across the following two questions/suggestions for the SFrame > mailinglist. > > > 1) Section 5.2 recommends how KIDs can be defined when using MLS as the > key source. It domain separates between (epoch, leaf) pairs which is good. > But by "only" domain separating on this it seems to imply that when > encrypting frames from different streams (e.g. audio & video) from the same > sender implementations need to coordinate the counter values in the SFrame > header (lest the same IV is used more than once by the sender). So, to > make implementation easier / more flexible, we were thinking KID > should also domain separate streams. E.g. the KID has an extra byte > indicating the stream. That way encrypting different streams can be done > independently and concurrently. Does that sound like a good idea to > everyone? If so maybe we should update the SFrame MLS > integration recommendation accordingly. > > 2) Another question about how KIDs are derived in section 5.2: to avoid > reuse of the same key/nonce pairs in encryption due to "failure\crash -> > resumption" type scenarios maybe it would be a good idea to add a bit of > entropy (say a byte) into KID that then goes in to the base_key generation. > Basically, the suggestion is to have a similar mechanism to the nonce reuse > guard in MLS (only this time its a key reuse guard). > > > 3) Why recommend first generating sframe_epoch_secret as an Exporter and > then doing HKDF-Expand again to generate individual base_keys? Is there an > issue with just generating the base_keys directly as Exporter keys? > > > - Joël > > > > > Amazon Development Center Austria GmbH > Brueckenkopfgasse 1 > 8020 Graz > Oesterreich > Sitz in Graz > Firmenbuchnummer: FN 439453 f > Firmenbuchgericht: Landesgericht fuer Zivilrechtssachen Graz > > > -- > Sframe mailing list > Sframe@ietf.org > https://www.ietf.org/mailman/listinfo/sframe >
- [Sframe] MLS Integration Question Alwen, Joel
- Re: [Sframe] MLS Integration Question Richard Barnes
- Re: [Sframe] [UNVERIFIED SENDER] Re: MLS Integrat… Alwen, Joel
- Re: [Sframe] [UNVERIFIED SENDER] Re: MLS Integrat… Richard Barnes