IETF Logo Mail Archive

Re: [Sframe] [UNVERIFIED SENDER] Re: MLS Integration Question

Richard Barnes <rlb@ipv.sx> Wed, 01 February 2023 16:11 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: sframe@ietfa.amsl.com
Delivered-To: sframe@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6606FC14CF12 for <sframe@ietfa.amsl.com>; Wed, 1 Feb 2023 08:11:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.883
X-Spam-Level:
X-Spam-Status: No, score=-6.883 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7gKMzh_8wejx for <sframe@ietfa.amsl.com>; Wed, 1 Feb 2023 08:11:08 -0800 (PST)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B376C14CE46 for <sframe@ietf.org>; Wed, 1 Feb 2023 08:11:08 -0800 (PST)
Received: by mail-wm1-x331.google.com with SMTP id k16so13073915wms.2 for <sframe@ietf.org>; Wed, 01 Feb 2023 08:11:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=TxmL4Mpqau5Zo60Q1/uuMbiGyS7Q6UubA2lQ3egFwLk=; b=5k6bMG01d0pqDV+pfiWaoqJ8fIPXvDofIE4ebrq9v6Y3AvETInYxpmoSP5oAG3Kz+v Tt2TuhVRybZXGhmwIFSQS1hjMC4TnAiKwAtpKT20k24cbm8jB1YDtr+l+Bqyv7OBMqa/ g0KohMpxKqwRfv9t+gDwa2J7xOjoP2O8qisKn4YFut4ArCDVLv+/qqb0CH/aeRerWgrb BKJkt2prp4/a6y2sRusw5X6vocR0nf+7oZTJtsyw9NyV1Hp6q9vkUYIrX/HuMxUUcEL3 RXDn0j8DB7/H1Rf3g0jpTr1qizHGpvJp0IXOUIJfw52tU4tGqvEWYrfDk2xpp1YNS3Bo CZzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=TxmL4Mpqau5Zo60Q1/uuMbiGyS7Q6UubA2lQ3egFwLk=; b=QAMn58jGGv01k8QeCkGvmlexflNL8xpla3nv+YjJJ7Pj23H1leuHZAaQsZaZmxKbDh HXF0KD8Aowa5/MfIk/DyHyhVH6UV85wHMJg/WMJSqT5rDZg12sNMUGXFZV1hCDFIhxOx 5ooHbJn/ZldwdLLZltDSdFQKq33T1+4LIWCQvk0PXgIJ06yNkCsCyR2cuiZrDrB59qvC H8wCz2NuWMG3igfLVkeXGhrBfS4/d+Zo8CD3I9Y78c91f2sCl47mCPmT9mLtczAZIArf MGjKPlpqekXbvvZ2f85ryp2fDinvgCydPFsoIkHXdFmAGZ9PEg6YP2Z0XCjLoGVR2Khs J0Mw==
X-Gm-Message-State: AO0yUKXOGdNAM1v/v9EdpIkQSdkTj6JTkogyZq42iin89zQLdwrMUqe/ L/zn7NADcsHxRL5hWxCiOd5jFW7adYy/JGnipw0EUQ==
X-Google-Smtp-Source: AK7set+MmF96JAUMa4wg0UeTmXn7RTcMBcI2gHEeiR367FYkiIs3eopFQp5gUZtIgOPwSVRbr0YLJAnZE06JpVkt1Qk=
X-Received: by 2002:a05:600c:491c:b0:3dc:5a0f:6a6a with SMTP id f28-20020a05600c491c00b003dc5a0f6a6amr170337wmp.73.1675267865811; Wed, 01 Feb 2023 08:11:05 -0800 (PST)
MIME-Version: 1.0
References: <de394d35aa2b4909876434abf42cde0f@amazon.com> <CAL02cgQTwgCbOUJArZivkFsvt0Fu_X=KOszdwajUf1Y6Y9V5ZQ@mail.gmail.com> <27cfc82e95b94a0badd4f57fa7000372@amazon.com>
In-Reply-To: <27cfc82e95b94a0badd4f57fa7000372@amazon.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 01 Feb 2023 11:10:54 -0500
Message-ID: <CAL02cgS1SeojuinrpH8j2dapaxHf43hxae=zAdVVQPMxS0VMnQ@mail.gmail.com>
To: "Alwen, Joel" <alwenjo@amazon.com>
Cc: "sframe@ietf.org" <sframe@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000badd205f3a5b2ed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sframe/lI3_5kosvD2xSLzV1FKWF7HVjWc>
Subject: Re: [Sframe] [UNVERIFIED SENDER] Re: MLS Integration Question
X-BeenThere: sframe@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Media Frames <sframe.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sframe>, <mailto:sframe-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sframe/>
List-Post: <mailto:sframe@ietf.org>
List-Help: <mailto:sframe-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sframe>, <mailto:sframe-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Feb 2023 16:11:12 -0000

Hi Joël,

I posted an alternative approach in this PR, to include the KID in both the
key *and* nonce:

https://github.com/sframe-wg/sframe/pull/92

`sframe_secret = HKDF-Extract(base_key, 'SFrame 1.0 ' + KID)`

Wrt (1) - I like this better than your proposal because it segregates both
the key and the nonce, rather than only the nonce space, and it doesn't
require a new identifier (SSRC).  Is there some reason you want to be able
to have multiple non-overlapping nonce streams with the same key, or would
it be tolerable to have different keys?

Wrt (3) - The above proposal seems like a compromise between the two
ideas.  On the one hand, there's still only one export from MLS (of a
base_secret).  On the other hand, even though there's still some HKDF
inside the SFrame box, it's HKDF'ing that is standard across SFrame uses,
not specific to keying with MLS.

How does that strike you?

--Richard

On Tue, Jan 31, 2023 at 9:13 AM Alwen, Joel <alwenjo@amazon.com> wrote:

> Hey Richard,
>
> 1. Re: domain (key, nonce) domain separation for sources from same user.
>
> > If that looks good to you, let's work on getting it ported over to
> draft-ietf-sframe-enc.
>
> While it looks like it works we have another suggestion. In section 4.3.2
> replace salt derivation with:
>
> sframe_salt = HKDF-Expand(sframe_secret, 'salt'+SSRC, AEAD.Nn)
>
> where + denotes string concatenation and SSRC = synchronization source.
> i.e. a unique ID for the stream (received from the encoder).
>
> This has 2 advantages over the KID construction in your draft doc.
> - It solves the problem once-and-for-all regardless of how keying is done
> rather than just solving it when integrating MLS with SFrame.
> - It leaves more room in the KID for other uses. (E.g. the random
> challenge we proposed in 2.)
>
>
> 2. Re: Crash/resumption leading to (key, nonce) reuse.
>
> Fair enough.
>
>
> 3. Re: calling MLS.export for each sender separately
>
> Both solutions have advantages. An advantage of using MLS.export for each
> sender is that this way one can build an application using black-box an
> SFrame library and a MLS library without needing an HKDF.Expand dependency
> (MLS & SFrame do all HKDFing for them).
>
>
> - Joël & Marta
>
>
>
> ------------------------------
> *From:* Sframe <sframe-bounces@ietf.org> on behalf of Richard Barnes <
> rlb@ipv.sx>
> *Sent:* Friday, January 27, 2023 9:43 PM
> *To:* Alwen, Joel
> *Cc:* sframe@ietf.org
> *Subject:* [EXTERNAL] [UNVERIFIED SENDER] Re: [Sframe] MLS Integration
> Question
>
>
> *CAUTION*: This email originated from outside of the organization. Do not
> click links or open attachments unless you can confirm the sender and know
> the content is safe.
>
> Hi Joël,
>
> (Accidentally sent this unicast, retransmitting to the list)
>
> Glad this is looking useful to you, and thanks for the nudge to make some
> updates to the document.
>
> 1. The problem you describe is definitely real.  In addition to A/V, there
> are things like endpoints with multiple cameras that don't share state.  I
> wrote up the solution that we're using in Webex, which is basically what
> you suggest -- stealing a few more bits of KID to indicate the context
> within the sender.  Unfortunately, I apparently forgot that we had moved
> the MLS keying into the main spec, so I only wrote up the solution in the
> separate predecessor document:
>
>
> https://github.com/bifurcation/sframe-mls/blob/main/draft-barnes-sframe-mls.md#multiple-sender-contexts
>
> If that looks good to you, let's work on getting it ported over to
> draft-ietf-sframe-enc.
>
> 2. This situation seems a little different from the MLS reuse_guard
> situation, since it depends on whether MLS group memberships persist across
> restarts.  In a system where MLS joins/leaves correspond to meeting
> joins/leaves, this is not an issue, because if the client crashes, then it
> will rejoin the group, and thus have a different base key.  So your issue
> would only come up in a case where MLS state was preserved across restarts,
> but the CTR state was lost/corrupted.  (Right?)  In any case, it seems this
> is something an implementation could do using the context value discussed
> above -- generate a different context / set of contexts every time you
> restart.  Maybe we could add a recommendation, but it seems like the
> application-defined context ID gives the application the tools it needs.
>
> 3. The main reason for the current design is API cleanliness -- you just
> export an SFrame key once when the epoch changes and generate the remaining
> keys internal to the SFrame library, instead of having interaction between
> the SFrame and MLS layers each time SFrame needs a new key.
>
> Hope that helps,
> --Richard
>
> On Thu, Jan 19, 2023 at 11:25 AM Alwen, Joel <alwenjo=
> 40amazon.com@dmarc.ietf.org> wrote:
>
>>  _Hey everyone,
>>
>>
>> As Marta Mularczyk and I have been looking at using MLS to key SFrame
>> we came across the following two questions/suggestions for the SFrame
>> mailinglist.
>>
>>
>> 1) Section 5.2 recommends how KIDs can be defined when using MLS as the
>> key source. It domain separates between (epoch, leaf) pairs which is good.
>> But by "only" domain separating on this it seems to imply that when
>> encrypting frames from different streams (e.g. audio & video) from the same
>> sender implementations need to coordinate the counter values in the SFrame
>> header (lest the same IV is used more than once by the sender).  So, to
>> make implementation easier / more flexible, we were thinking KID
>> should also domain separate streams. E.g. the KID has an extra byte
>> indicating the stream. That way encrypting different streams can be done
>> independently and concurrently. Does that sound like a good idea to
>> everyone? If so maybe we should update the SFrame MLS
>> integration recommendation accordingly.
>>
>> 2) Another question about how KIDs are derived in section 5.2: to avoid
>> reuse of the same key/nonce pairs in encryption due to "failure\crash ->
>> resumption"  type scenarios maybe it would be a good idea to add a bit of
>> entropy (say a byte) into KID that then goes in to the base_key generation.
>> Basically, the suggestion is to have a similar mechanism to the nonce reuse
>> guard in MLS (only this time its a key reuse guard).
>>
>>
>> 3) Why recommend first generating sframe_epoch_secret as an Exporter and
>> then doing HKDF-Expand again to generate individual base_keys? Is there an
>> issue with just generating the base_keys directly as Exporter keys?
>>
>>
>> - Joël
>>
>>
>>
>>
>> Amazon Development Center Austria GmbH
>> Brueckenkopfgasse 1
>> 8020 Graz
>> Oesterreich
>> Sitz in Graz
>> Firmenbuchnummer: FN 439453 f
>> Firmenbuchgericht: Landesgericht fuer Zivilrechtssachen Graz
>>
>>
>> --
>> Sframe mailing list
>> Sframe@ietf.org
>> https://www.ietf.org/mailman/listinfo/sframe
>>
>
>
>
> Amazon Development Center Austria GmbH
> Brueckenkopfgasse 1
> 8020 Graz
> Oesterreich
> Sitz in Graz
> Firmenbuchnummer: FN 439453 f
> Firmenbuchgericht: Landesgericht fuer Zivilrechtssachen Graz
>
>
>

v2.23.0 | Report a Bug | By Email