Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add recommendation for deletion of init_keys #269

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add recommendation for deletion of init_keys #269

wants to merge 1 commit into from

Conversation

TWal
Copy link
Contributor

@TWal TWal commented Nov 5, 2024

Because the joiner_secret is encrypted to the init_key of joiners, if the joiners don't delete their init_key after processing a Welcome, this could undermine forward-secrecy. I noticed that the document don't give any precise recommendations about that.

There are some hints scattered in the document, but they give recommendations to participants adding other participants, not to participants being added:

mls-architecture/draft-ietf-mls-architecture.md

Lines 670 to 672 in b091b3a

In order to avoid replay attacks and provide forward secrecy for messages sent
using the initial keying material, KeyPackages are intended to be used only
once. The Delivery Service is responsible for ensuring that each KeyPackage is

This PR adds a recommendation for that. I am not sure on how to proceed, I have made an attempt but it might belong to another section!

@TWal
Copy link
Contributor Author

TWal commented Nov 7, 2024

Thinking more about init keys, we should also recommend to regularly rotate key packages that are on the delivery service, even if they are not used. This could otherwise undermine post-compromise security: the attacker could compromise the initialization key of someone, and when the corresponding key package is added in a group later (e.g. several months after the compromise) the attacker can decrypt the messages exchanged in this group, until the participant updates.

@TWal
Copy link
Contributor Author

TWal commented Nov 7, 2024

There are some hints that key packages must expire:

mls-architecture/draft-ietf-mls-architecture.md

Lines 1819 to 1822 in b8893e0

Because the DS is responsible for providing the initial keying material to
clients, it can provide stale keys. This does not inherently lead to compromise
of the message stream, but does allow it to attack forward security to a limited
extent. This threat can be mitigated by having initial keys expire.

but I think kind of attack undermines post-compromise security rather than forward secrecy.

@beurdouche beurdouche self-requested a review February 26, 2025 20:10
@TWal
Copy link
Contributor Author

TWal commented Feb 27, 2025

I am wondering, should it be a "RECOMMENDATION"? It seems that other "RECOMMENDATION" are about things that can only be done in a best-effort way, whereas deleting initialization key upon Welcome processing seems to always be doable.

@TWal TWal mentioned this pull request Feb 27, 2025
Open
@TWal
Copy link
Contributor Author

TWal commented Feb 27, 2025

I opened #274 to discuss KeyPackage expiration.

@seanturner
Copy link
Contributor

In WGLC; see this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rohanmahy rohanmahy rohanmahy approved these changes

@beurdouche beurdouche beurdouche approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@TWal @seanturner @rohanmahy @beurdouche