-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add authenticated_data to the mls message. #208
Conversation
draft-ietf-mls-protocol.md
Outdated
@@ -1273,6 +1273,7 @@ struct { | |||
opaque application_data<0..2^32-1>; | |||
} | |||
|
|||
opaque authenticated_data<0..2^32-1>; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: I would put this just below the content_type field, just to preserve parallelism (MLSCiphertext.ciphertext -> MLSPlaintext.operation/application_data
)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also it would avoid interleaving plaintexts and ciphertexts...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree. Done!
@bifurcation per our discussion in London, we agreed to accept this change. you mentioned other places need to be updated, which one? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Two big caveats:
- this AAD field is AEAD authenticated but does not seem covered by the signature, while probably should.
- we agreed to this change under the condition of a big flashing warning that the
send/receive_group_operation_with_aad
functions in the API MUST be separate from the normal ones at the api level. This is missing here.
draft-ietf-mls-protocol.md
Outdated
@@ -1388,6 +1390,7 @@ struct { | |||
ContentType content_type; | |||
opaque sender_data_nonce<0..255>; | |||
opaque encrypted_sender_data<0..255>; | |||
opaque authenticated_content[length_of_authenticated_content]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
opaque
already encompass the length, I believe.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was inspired by
opaque content[length_of_content];
above (in MLSCiphertextContent). Is that one also incorrect?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can just be the same definition as in the MLSCiphertext
object. The only reason for the []
notation w.r.t. content is the weird encoding of MLSCiphertextContent
, which IIRC is about to get reverted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
I also renamed it to authenticated_data instead of authenticated_content, in order to keep the naming the same. (I was in the pickle here, since the data struct is called 'MLSCiphertextConterntAAD' and then the field inside is called authenticated_data. I initially thought that calling it authenticated_content will be better, but I believe it's better to keep the same name all over the place).
draft-ietf-mls-protocol.md
Outdated
@@ -1273,6 +1273,7 @@ struct { | |||
opaque application_data<0..2^32-1>; | |||
} | |||
|
|||
opaque authenticated_data<0..2^32-1>; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also it would avoid interleaving plaintexts and ciphertexts...
Can you clarify which part is missing the AAD? |
@beurdouche i think you're wrong here. In {{content-signing-and-encryption}}, we have the following:
I think this is ready to go as soon as @psla fixes the two minor comments we have (order of fields and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I missed that indeed, feel free to fix the <>
[]
and we'll merge the PR, I'll put the API recommendation in the architecture document. For the record, even though people at the interim kind of agree this mechanism was ok, I am still very skeptical about it because I am certain people will misuse it...
Note that in general, the |
Are you saying that I added it there, but I don't fully understand it. Please take another look. |
@beurdouche - I agree with @psla that it doesn't seem necessary to include the |
Ok, I am quite exhausted this week, so my clarity is low sorry…
I think I confused the positionning of the new field in the MLSPlaintext vs the MLSCiphertext
It all depends where you place the new field in the MLSCiphertext, right ?!
In the current design for the AEADs is that the thing you authenticate is the prefix of
the ciphertext you are decrypting...
So if the new field is just after the content type in the MLSCiphertext
it is part of the prefix of the encrypted sender data and has to be included in the SenderDataAAD but it is also in the prefix of the content so it has to also be in the ContentAAD.
If the new field is placed between the encrypted SenderData and the encrypted Content
it is just a prefix of the second one and should appear only in the ContentAAD.
Do I make sense ? :)
B.
|
If we espouse that theory (not clear that it necessarily holds, but let's go with it for now), the question is where you draw the line between metadata and content. Compare the current state with two cases (a) and (b):
Basically, the |
Those were my proposals…
My preference goes to Fig 8 but I don’t have a strong opinion.
<img width="640" alt="New field" src="https://user-images.githubusercontent.com/1193431/66683688-5eaae700-ec78-11e9-8af4-ff7f59a761d5.png">
|
Ah, even better illustration than mine! OK, when you put it that way, I can see the appeal of including the AAD in the sender data. Though I admit this is mostly an aesthetic point, not one that I have any security analysis to back up. @psla would you mind moving the AAD to above the |
It makes sense to me too now. Thanks. I think I addressed it. |
As previously discussed, this is a proposal to add AAD to the application messages.
There are many motivations to do this:
• It's a 'cheap' feature to add (although it could potentially be misused)
• It avoids duplicate content: if there is a content that needs to be authenticated, but also needs to be visible to the server, the only solution today is to repeat it in the header (to the server) and then in the encrypted body.
• Modern ciphers already provide support for AAD, and MLS takes advantage of this. In fact most(all?) of the fields in the header are authenticated already.
• This field is optional(as in: can be empty), which means that it doesn't have to be used in the implementation.
The primary benefit is for the server to have access to the fields that are otherwise authenticated, but are not part of MLS message. Typically, the server has another encryption mechanism with the client (e.g. TLS) and as such client-server communication is already secure. As a matter of fact, handshake messages can already be transported in plaintext (in case server needs to examine their content), but application messages are not allowed to have any plaintext content, even though server may need to examine some metadata as well.
A couple of thoughts that may be worth discussing: