mlswg / mls-architecture

MLS architecture
Other
66 stars 28 forks source link

Add recommendation for deletion of `init_key`s #269

Open TWal opened 3 weeks ago

TWal commented 3 weeks ago

Because the joiner_secret is encrypted to the init_key of joiners, if the joiners don't delete their init_key after processing a Welcome, this could undermine forward-secrecy. I noticed that the document don't give any precise recommendations about that.

There are some hints scattered in the document, but they give recommendations to participants adding other participants, not to participants being added: https://github.com/mlswg/mls-architecture/blob/b091b3a30d6f9d2f46383f7bd152058f0fbfc9b1/draft-ietf-mls-architecture.md?plain=1#L670-L672

This PR adds a recommendation for that. I am not sure on how to proceed, I have made an attempt but it might belong to another section!

TWal commented 2 weeks ago

Thinking more about init keys, we should also recommend to regularly rotate key packages that are on the delivery service, even if they are not used. This could otherwise undermine post-compromise security: the attacker could compromise the initialization key of someone, and when the corresponding key package is added in a group later (e.g. several months after the compromise) the attacker can decrypt the messages exchanged in this group, until the participant updates.

TWal commented 2 weeks ago

There are some hints that key packages must expire: https://github.com/mlswg/mls-architecture/blob/b8893e0e158defae99ed57caca300a4151598fe0/draft-ietf-mls-architecture.md?plain=1#L1819-L1822 but I think kind of attack undermines post-compromise security rather than forward secrecy.