Re: [Sframe] To tree or not to tree?
Joel Alwen <jalwen@wickr.com> Mon, 23 November 2020 13:45 UTC
Return-Path: <jalwen@wickr.com>
X-Original-To: sframe@ietfa.amsl.com
Delivered-To: sframe@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48AEF3A0B1C for <sframe@ietfa.amsl.com>; Mon, 23 Nov 2020 05:45:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wickr-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xQJHyOunjpYk for <sframe@ietfa.amsl.com>; Mon, 23 Nov 2020 05:45:00 -0800 (PST)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9864B3A0B1F for <sframe@ietf.org>; Mon, 23 Nov 2020 05:45:00 -0800 (PST)
Received: by mail-wr1-x429.google.com with SMTP id s8so18609371wrw.10 for <sframe@ietf.org>; Mon, 23 Nov 2020 05:45:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wickr-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=3VD31X4Xxj5g45yo3SoyeF6457Cj3fgW6wELlpTpp54=; b=QCOA4SewKhRZ4a9NSMxAUtI0yKYxyHTv46g87gEeczo4y4lePa+CA+DyqNorE52Hho EEtmoX+QVZoM+pkykBzgM6+71vpGpEiatymuAddPCG0bgVrusBKBKfYdFw46ppB2lhFl Yi/izE9kpKnRgqSzR+6U2XT8gZm6/FgF42+dR3GDSP9W/OpytaoFy2tcDIISuFIyPXPM bVVlu/vkRnMJobwT2NO2wH55jS8bdOaVqQyJ5KacoVPWOv5jG1BC30FX3uRRWlCq6uBn mpVq0DhuaruNGMhBaylS6lifxXnAtB3gLaMEeQT8f8ZJpWPn7yohF62rWzIvF13P801j jIwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=3VD31X4Xxj5g45yo3SoyeF6457Cj3fgW6wELlpTpp54=; b=WX/ZoCis5YqssMlO5aSAIVzQHQzlIsYRcCTODV0NeD6zs/bThgsIkeE11eZGpkmXOb EHEJaVxFCfSwsTyey8SInFJcOz+bL0Jle/65lgpo9uWuqdyrRt8NFU1MGMcSvJuiDF78 27CqbQV+pTHWC/oTTrDbElDtR4uKDF/n2gPPubgQBUyxq1txSBTxZI8bbb2JQoDObZLp xORRdUXs79k1wZ6O1NPsQ1DQz0vcRS2qX6xAWbPhGtDvllU/zZcxjycibBQ11DoK95Fu vBPVEaEbTxeZxkpYs6yPEnNpU3VIq6N6+pnGD/48Y5Sb/D0ZZFo7qM/DPOCMOjfkh4lk gZfg==
X-Gm-Message-State: AOAM530+WQST7nld7RaEeeFRaqxRZtdA5GTKAkCCY0thw+9qiYRA8/gi 3a7BPvkgC4im3OnbU2x/hOiiJtH8C1lnzA==
X-Google-Smtp-Source: ABdhPJz4gP+qQwrVexymDLBe/LT2IFV5TBcuaByN/ifN6zJjyVJxoczddfovGY3rrPIeVP2yQAwsxQ==
X-Received: by 2002:adf:f3d1:: with SMTP id g17mr7844642wrp.201.1606139098843; Mon, 23 Nov 2020 05:44:58 -0800 (PST)
Received: from [192.168.1.137] (84-114-27-5.cable.dynamic.surfer.at. [84.114.27.5]) by smtp.gmail.com with ESMTPSA id z6sm17224741wmi.1.2020.11.23.05.44.57 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 23 Nov 2020 05:44:58 -0800 (PST)
To: sframe@ietf.org, Raphael Robert <raphael@wire.com>, Richard <rlb@ipv.sx>
References: <cfec5ed2-9337-41d3-9ffb-749b791b48bd@cosmosoftware.io> <C383046A-E1AD-486A-AAFE-D42440CE1AAE@gmail.com>
From: Joel Alwen <jalwen@wickr.com>
Message-ID: <eec3754c-6a1e-b498-13d8-ce5a468d32d5@wickr.com>
Date: Mon, 23 Nov 2020 14:44:56 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <C383046A-E1AD-486A-AAFE-D42440CE1AAE@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sframe/b3NVJJEqu5brccunCMun0NKv-gk>
Subject: Re: [Sframe] To tree or not to tree?
X-BeenThere: sframe@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <sframe.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sframe>, <mailto:sframe-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sframe/>
List-Post: <mailto:sframe@ietf.org>
List-Help: <mailto:sframe-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sframe>, <mailto:sframe-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 13:45:02 -0000
To start with, I think forward secrecy (FS) within epochs can be valuable for SFrame. (E.g. for long or repeating convo's with the same set of participants.) Further responses are inline... > Raphael Robert <raphael@wire.com> Fri, 20 November 2020 16:23 UTC In other > scenarios, where a fixed set of participants have reoccurring calls it might > well be that there won’t be an epoch change for a considerable time (because > no one joins or leaves the group). > ... > Option 3 could be much simpler, namely it would be enough to use a unique > session ID to derive a base key that is unique to the session: > > sframe_epoch_secret = MLS-Exporter("SFrame 10 MLS", "", AEAD.Nk) > session_secret = HKDF-Expand(sframe_epoch_secret, session_id, AEAD.Nk) > sender_base_key[index] = HKDF-Expand(session_secret, > encode_big_endian(index, 8), AEAD.Nk) > > This is easy to implement and efficient but a little more error-prone since > forward secrecy will only be achieved if session_id is unique between > sessions. Re-using the same value will not yield forward secrecy. I might not get what your saying, but if I did then I don't think this gives any FS, even between sessions, as long as they use the same value for sframe_epoch_secret regardless of the choices of session_id. (And if they dont use the same sframe_epoch_secret value then I don't see how the value of session_id matters for FS.) Suppose sframe_epoch_secret is used to derive sender_base_key[i]. After session i is done participants still need to be able to reproduce sframe_epoch_secret if they want derive sender_base_key[i+1] for session i+1. In that case they could just as well recompute sender_base_key[i] again too. So no there's no FS for session i. Alternatively they could pre-compute all sender_key_base values for potential future epochs but that seems inelegant to me. Bellow I describe my preferred solution to precomputing and storing all potentially useful sender_key_base values. >> On 20 Nov 2020, at 16:17, Richard Barnes <rlb@ipv.sx> wrote: >> 1. SFrame uses the same secret tree as MLS (export at the leaves) >> 2. SFrame exports a single secret, then makes its own secret tree >> 3. SFrame exports a single secret, then uses a simpler scheme (like the current one) ATM I'm leaning towards option 2 or 3 (though not with a "simpler" schedule, just different one more aligned with SFrame use cases). When it comes to an SFrame epoch (i.e. a time period during which no one joins/leaves the session) I think there are two constraints that informing which FS symmetric key schedules are acceptable: a. Parties shouldn't need to explicitly coordinate who will use which key/nonce pairs during the epoch. b. Ciphertexts in the media streams may be dropped and/or delivered out of order. The tree-based symmetric key derivation hierarchy in MLS was explicitly designed to accommodate these constraints and while being relatively efficient so, to me, it looks like a good solution for SFrame as well. Thus option 2 doesnt sound bad to me. Having said that, Raphael highlights the case where epochs may be broken up into sessions (e.g. when the same set of parties on an old call want to resume their convo in a new call). If that's an important enough scenario to cater too then the following Option 3 solution might be better. Namely, use one binary tree per session and string the roots of the trees together in a symmetric ratchet (i.e. a chain). This would minimize the state participants need to maintain between sessions (effectively a single secret) while still giving us FS between (and within) sessions despite them being part of the same epoch. For the sake of concreteness: chain_secret[0] = MLS-Exporter("SFrame 10 MLS", "", AEAD.Nk) chain_secret[i] = HKDF-Expand(chain_secret[i-1], "chain", AEAD.Nk) session_secret[i] = HKDF-Expand(chain_secret[i], "sesion"+session_id, AEAD.Nk) and session_secret[i] is the secret at the root of the i-th sessions tree-based symmetric key schedule. The j-th leaf of the tree initiates a symmetric ratchet that defines the key/nonce pairs used to encrypt the j-th SFrame stream in the session. So packet number k of SFrame stream j in session i is encrypted using the key/nonce pair at position k in symmetric ratchet rooted at the leaf j of the i-th tree; namely the one rooted at secret session_secret[i]. Yet between session i and i+1 participants only need to store chain_secret[i+1]. - Joël
- [Sframe] Partial decodability and IDUs Sergio Garcia Murillo
- Re: [Sframe] Partial decodability and IDUs Justin Uberti
- Re: [Sframe] Partial decodability and IDUs Sergio Garcia Murillo
- Re: [Sframe] Partial decodability and IDUs Richard Barnes
- Re: [Sframe] Partial decodability and IDUs Bernard Aboba
- Re: [Sframe] Partial decodability and IDUs Sergio Garcia Murillo
- Re: [Sframe] Partial decodability and IDUs Bernard Aboba
- Re: [Sframe] Partial decodability and IDUs Sergio Garcia Murillo
- Re: [Sframe] Partial decodability and IDUs Sergio Garcia Murillo
- Re: [Sframe] Partial decodability and IDUs Magnus Westerlund
- Re: [Sframe] Partial decodability and IDUs Sergio Garcia Murillo
- Re: [Sframe] Partial decodability and IDUs Bernard Aboba
- Re: [Sframe] To tree or not to tree? Joel Alwen