mlswg / mls-architecture

MLS architecture

Description of the formal security guarantees that the protocol MUST provide #48

Closed beurdouche closed 3 years ago

beurdouche commented 5 years ago

Sofía noted: "We are also unsure about the 'type' of forward secrecy provided. Signal's X3DH protocol, for example, provides a forward secrecy between strong and weak. We are unsure which type of forward secrecy the Delivery Service, as defined in MLS, achieves when providing the authentication keys and initial keying material. But, of course, this can be a misunderstanding on our side."

claucece commented 4 years ago

Mmm.. not sure what the state of this is now @beurdouche .. but I can take a look in the upcoming week... is it useful for IETF018?

beurdouche commented 4 years ago

Hi Sofía, no need to take action yet. I have to check if I can make the 108 meeting, but the current plan is (I have yet to send an email to the ML) that I will take significant time in September to rewrite the security guarantees we expect from MLS according to the protocol we have then. I'll open a large discussion with the WG to make sure we have a really comprehensive section for security considerations :) In the meantime, feel free to keep opening issues for the document; that will help make sure we don't forget anything then ;)

beurdouche commented 4 years ago

CC. @kkohbrok @br-hale @psyoptix @karthikbhargavan (Apparently, I can't assign you with me for some reason, but the intent is there...)

claucece commented 4 years ago

Oh, for sure @beurdouche ! I'll open some issues by rereading the current state of the drafts (which I haven't read in a while ;)) Happy to help you with that in September as well ;)

I think this links also to the #50 issue.

claucece commented 4 years ago

Just re-read the draft @beurdouche and looks awesome so far! I'm going to list here the properties that should be analyzed and clarified:

It might also be worth listing the threats, such as DDoS attacks, replay attacks, etc.

Over the upcoming months, I'll analyze the protocol in more depth and see how the current definitions map into it. I'll start a docu somewhere, so @br-hale , @raphaelrobert , @bifurcation , @cascremers and, perhaps, @Bren2010 , let me know if you want to be included.

beurdouche commented 3 years ago

I think we can close this in favor of more fine-grained discussions. All the things we discussed here are in the document. We have to strike a balance between being too precise and clear enough for readers, but things are going ok.