Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Modest cleanup of operational requirements #216

Merged
merged 3 commits into from
Nov 7, 2023
Merged

Modest cleanup of operational requirements #216

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
73db8b7
Minor editorial
ekr Oct 21, 2023
808d5c7
Minor tweaks to the operational considerations
ekr Nov 5, 2023
a710b82
Merge branch 'main' into operational_requiremnets
beurdouche Nov 7, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
74 changes: 43 additions & 31 deletions draft-ietf-mls-architecture.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -868,13 +868,14 @@ Applications can strengthen connectivity among parallel groups by requiring
periodic key updates from a user across all groups in which they have
membership.

Applications can use the PSK mechanism to link healing properties among parallel
groups. For example, suppose a common member M of two groups A and B has
performed a key update in group A but not in group B. The key update provides
PCS with regard to M in group A. If a PSK is exported from group A and injected
into group B, then some of these PCS properties carry over to group B, since the
PSK and secrets derived from it are only known to the new, updated version of M,
not to the old, possibly compromised version of M.
MLS provides a pre-shared key (PSK) that can be used to link healing
properties among parallel groups. For example, suppose a common
member M of two groups A and B has performed a key update in group A
but not in group B. The key update provides PCS with regard to M in
group A. If a PSK is exported from group A and injected into group B,
then some of these PCS properties carry over to group B, since the PSK
and secrets derived from it are only known to the new, updated version
of M, not to the old, possibly compromised version of M.

## Asynchronous Usage

Expand Down Expand Up @@ -954,12 +955,13 @@ before the old credential becomes invalid.
> **RECOMMENDATION:** Proactively rotate credentials, especially if a credential
> is about to become invalid.

## Recovery After State Loss
## Recovery After State Loss {#state-loss}

Group members whose local MLS state is lost or corrupted can reinitialize their
state by re-joining the group as a new member and removing the member
representing their earlier state. An application can require that a client
performing such a reinitialization prove its prior membership with a PSK.
performing such a reinitialization prove its prior membership with a PSK
that was exported from the prevoius state.

There are a few practical challenges to this approach. For example, the
application will need to ensure that all members have the required PSK,
Expand Down Expand Up @@ -1053,12 +1055,13 @@ to potentially interoperate.
The protocol has a built-in ability to negotiate protocol versions,
ciphersuites, extensions, credential types, and additional proposal types. For
two deployments to interoperate, they must have overlapping support in each of
these categories. A `required_capabilities` extension can help maintain
these categories. The `required_capabilities` extension
(Section 7.2 of {{!RFC9420}}) can promote
interoperability with a wider set of clients by ensuring that certain
functionality continues to be supported by a group, even if the clients in the
group aren't currently relying on it.

MLS relies on the following network services. These network services would need
MLS relies on the following network services, that need
to be compatible in order for two different deployments based on them to
interoperate.

Expand Down Expand Up @@ -1097,9 +1100,12 @@ interoperate.
- If an application chooses not to allow assisted or external joining, it may
instead provide a method for external users to solicit group members (or a
designated service) to add them to a group.
- If the application uses external PSKs, or uses resumption PSKs that all
members of a group may not have access to, there must be a method for
distributing these PSKs to group members.
- If the application uses PSKs that members of a group may not have
access to (e.g., to control entry into the group or to prove
membership in the group in the past, as in {{state-loss}}) there
must be a method for distributing these PSKs to group members who
might not have them, for instance if they joined the group
after the PSK was generated.
- If an application wishes to detect and possibly discipline members that send
malformed commits with the intention of corrupting a group's state, there
must be a method for reporting and validating malformed commits.
Expand All @@ -1109,7 +1115,7 @@ two implementations to interoperate:

- The maximum total lifetime that is acceptable for a KeyPackage.

- How long to store the resumption secret for past epochs of a group.
- How long to store the resumption PSK for past epochs of a group.

- The degree of tolerance that's allowed for out-of-order message delivery:
- How long to keep unused nonce and key pairs for a sender
Expand All @@ -1121,6 +1127,10 @@ two implementations to interoperate:
example, Commit messages that arrive before a proposal they reference, or
application messages that arrive before the Commit starting an epoch.

If implementations differ in these parameters, they will interoperate
to some extent but may experience unexpected failures in certain situations,
such as extensive message reordering.

MLS provides the following locations where an application may store arbitrary
data. The format and intention of any data in these locations must align for two
deployments to interoperate:
Expand Down Expand Up @@ -1162,9 +1172,9 @@ deployments for them to interoperate:
external joins.

- A policy for when two credentials represent the same client. Note
that many credentials may be issued authenticating the same identity
that many credentials may be issued attesting the same identity
but for different signature keys, because each credential
corresponds to a different device (client) owned by the same
corresponds to a different client owned by the same
application user. However, one device may control multiple signature
keys -- for instance if they have keys corresponding to multiple
overlapping time periods -- but should still only be considered a
Expand All @@ -1177,9 +1187,9 @@ Finally, there are some additional application-defined behaviors that are
partially an individual application's decision but may overlap with
interoperability:

- If there's any policy on how or when to pad messages.
- When and how to pad messages.

- If there is any policy for when to send a reinitialization proposal.
- When to send a reinitialization proposal.

- How often clients should update their leaf keys.

Expand Down Expand Up @@ -1461,11 +1471,13 @@ the following compromise scenarios:
- The attacker has access to all secrets of a user for all groups (full state
compromise)

The MLS protocol provides per-sender chains of AEAD keys that are generated from
Group Secrets. These keys are used to protect MLS Plaintext messages which can
be Group Operation or Application messages. The Group Operation messages offer
an additional protection as the secrets exchanged within them
are public-key encrypted to subgroups with HPKE.
The MLS protocol provides per-sender chains of symmetric authenticated
encryption with additional data (AEAD) {{!RFC5116}} keys that are
generated from Group Secrets. These keys are used to protect MLS
Plaintext messages which can be Group Operation or Application
messages. The Group Operation messages offer an additional protection
as the secret exchanged within the TreeKEM group key agreement are
public-key encrypted to subgroups with HPKE.

### Compromise of AEAD key material

Expand Down Expand Up @@ -1512,16 +1524,16 @@ either of these cases. As every member of the group can compute the AEAD keys
for all the chains (they have access to the Group Secrets) in order to send and
receive messages, the authentication provided by the AEAD encryption layer of
the common framing mechanism is weak. Successful decryption of an AEAD
encrypted message only guarantees that a member of the group sent the message.
encrypted message only guarantees that some member of the group sent the message.

### Compromise of the Group Secrets of a single group for one or more group epochs

The attack scenario considering an adversary gaining access to a set of Group
secrets is significantly stronger. This can typically be the case when a member
of the group is compromised. For this scenario, we consider that the signature
keys are not compromised. This can be the case for instance if the adversary has
access to part of the memory containing the group secrets but not to the
signature keys which might be stored in a secure enclave.
An adversary who gains access to a set Group secrets--as when a member
of the group is compromised--is significantly more powerful. In this
section, we consider the case where the signature keys are not
compromised, which can occur if the attacker has access to part of the
memory containing the group secrets but not to the signature keys
which might be stored in a secure enclave.

In this scenario, the adversary gains the ability to compute any number of AEAD
encryption keys for any AEAD chains and can encrypt and decrypt all messages for
Expand Down
Loading