Network Working Group R. Barnes Internet-Draft Cisco Intended status: Informational B. Beurdouche Expires: 4 May 2021 Inria J. Millican Facebook E. Omara Google K. Cohn-Gordon University of Oxford R. Robert Wire 31 October 2020 The Messaging Layer Security (MLS) Protocol draft-ietf-mls-protocol-10 Abstract Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy and post-compromise security for groups in size ranging from two to thousands. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 4 May 2021. Barnes, et al. Expires 4 May 2021 [Page 1] Internet-Draft MLS October 2020 Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Change Log . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 3. Basic Assumptions . . . . . . . . . . . . . . . . . . . . . . 9 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 10 5. Ratchet Trees . . . . . . . . . . . . . . . . . . . . . . . . 13 5.1. Tree Computation Terminology . . . . . . . . . . . . . . 14 5.2. Ratchet Tree Nodes . . . . . . . . . . . . . . . . . . . 16 5.3. Views of a Ratchet Tree . . . . . . . . . . . . . . . . . 17 5.4. Ratchet Tree Evolution . . . . . . . . . . . . . . . . . 18 5.5. Synchronizing Views of the Tree . . . . . . . . . . . . . 20 6. Cryptographic Objects . . . . . . . . . . . . . . . . . . . . 21 6.1. Ciphersuites . . . . . . . . . . . . . . . . . . . . . . 21 6.2. Credentials . . . . . . . . . . . . . . . . . . . . . . . 22 7. Key Packages . . . . . . . . . . . . . . . . . . . . . . . . 24 7.1. Client Capabilities . . . . . . . . . . . . . . . . . . . 25 7.2. Lifetime . . . . . . . . . . . . . . . . . . . . . . . . 26 7.3. KeyPackage Identifiers . . . . . . . . . . . . . . . . . 26 7.4. Parent Hash . . . . . . . . . . . . . . . . . . . . . . . 26 7.5. Tree Hashes . . . . . . . . . . . . . . . . . . . . . . . 27 7.6. Group State . . . . . . . . . . . . . . . . . . . . . . . 28 7.7. Update Paths . . . . . . . . . . . . . . . . . . . . . . 29 8. Key Schedule . . . . . . . . . . . . . . . . . . . . . . . . 30 8.1. External Initialization . . . . . . . . . . . . . . . . . 33 8.2. Pre-Shared Keys . . . . . . . . . . . . . . . . . . . . . 34 8.3. Secret Tree . . . . . . . . . . . . . . . . . . . . . . . 36 8.4. Encryption Keys . . . . . . . . . . . . . . . . . . . . . 37 8.5. Deletion Schedule . . . . . . . . . . . . . . . . . . . . 38 8.6. Exporters . . . . . . . . . . . . . . . . . . . . . . . . 39 8.7. Resumption Secret . . . . . . . . . . . . . . . . . . . . 40 8.8. State Authentication Keys . . . . . . . . . . . . . . . . 40 9. Message Framing . . . . . . . . . . . . . . . . . . . . . . . 40 Barnes, et al. Expires 4 May 2021 [Page 2] Internet-Draft MLS October 2020 9.1. Content Authentication . . . . . . . . . . . . . . . . . 43 9.2. Content Encryption . . . . . . . . . . . . . . . . . . . 44 9.3. Sender Data Encryption . . . . . . . . . . . . . . . . . 45 10. Group Creation . . . . . . . . . . . . . . . . . . . . . . . 46 10.1. Linking a New Group to an Existing Group . . . . . . . . 47 10.1.1. Sub-group Branching . . . . . . . . . . . . . . . . 48 11. Group Evolution . . . . . . . . . . . . . . . . . . . . . . . 48 11.1. Proposals . . . . . . . . . . . . . . . . . . . . . . . 48 11.1.1. Add . . . . . . . . . . . . . . . . . . . . . . . . 49 11.1.2. Update . . . . . . . . . . . . . . . . . . . . . . . 50 11.1.3. Remove . . . . . . . . . . . . . . . . . . . . . . . 50 11.1.4. PreSharedKey . . . . . . . . . . . . . . . . . . . . 51 11.1.5. ReInit . . . . . . . . . . . . . . . . . . . . . . . 51 11.1.6. ExternalInit . . . . . . . . . . . . . . . . . . . . 52 11.1.7. External Proposals . . . . . . . . . . . . . . . . . 52 11.2. Commit . . . . . . . . . . . . . . . . . . . . . . . . . 53 11.2.1. External Commits . . . . . . . . . . . . . . . . . . 59 11.2.2. Welcoming New Members . . . . . . . . . . . . . . . 60 11.3. Ratchet Tree Extension . . . . . . . . . . . . . . . . . 63 12. Extensibility . . . . . . . . . . . . . . . . . . . . . . . . 64 13. Sequencing of State Changes . . . . . . . . . . . . . . . . . 66 13.1. Server-Enforced Ordering . . . . . . . . . . . . . . . . 67 13.2. Client-Enforced Ordering . . . . . . . . . . . . . . . . 67 14. Application Messages . . . . . . . . . . . . . . . . . . . . 67 14.1. Message Encryption and Decryption . . . . . . . . . . . 68 14.2. Restrictions . . . . . . . . . . . . . . . . . . . . . . 69 14.3. Delayed and Reordered Application messages . . . . . . . 69 15. Security Considerations . . . . . . . . . . . . . . . . . . . 69 15.1. Confidentiality of the Group Secrets . . . . . . . . . . 69 15.2. Authentication . . . . . . . . . . . . . . . . . . . . . 70 15.3. Forward Secrecy and Post-Compromise Security . . . . . . 70 15.4. InitKey Reuse . . . . . . . . . . . . . . . . . . . . . 70 16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 71 16.1. MLS Ciphersuites . . . . . . . . . . . . . . . . . . . . 71 16.2. MLS Extension Types . . . . . . . . . . . . . . . . . . 74 16.3. MLS Credential Types . . . . . . . . . . . . . . . . . . 75 16.4. MLS Designated Expert Pool . . . . . . . . . . . . . . . 76 17. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 77 18. References . . . . . . . . . . . . . . . . . . . . . . . . . 78 18.1. Normative References . . . . . . . . . . . . . . . . . . 78 18.2. Informative References . . . . . . . . . . . . . . . . . 79 Appendix A. Tree Math . . . . . . . . . . . . . . . . . . . . . 81 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 84 Barnes, et al. Expires 4 May 2021 [Page 3] Internet-Draft MLS October 2020 1. Introduction DISCLAIMER: This is a work-in-progress draft of MLS and has not yet seen significant security analysis. It should not be used as a basis for building production systems. RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH The source for this draft is maintained in GitHub. Suggested changes should be submitted as pull requests at https://github.com/mlswg/mls-protocol. Instructions are on that page as well. Editorial changes can be managed in GitHub, but any substantive change should be discussed on the MLS mailing list. A group of users who want to send each other encrypted messages needs a way to derive shared symmetric encryption keys. For two parties, this problem has been studied thoroughly, with the Double Ratchet emerging as a common solution [doubleratchet] [signal]. Channels implementing the Double Ratchet enjoy fine-grained forward secrecy as well as post-compromise security, but are nonetheless efficient enough for heavy use over low-bandwidth networks. For a group of size greater than two, a common strategy is to unilaterally broadcast symmetric "sender" keys over existing shared symmetric channels, and then for each member to send messages to the group encrypted with their own sender key. Unfortunately, while this improves efficiency over pairwise broadcast of individual messages and provides forward secrecy (with the addition of a hash ratchet), it is difficult to achieve post-compromise security with sender keys. An adversary who learns a sender key can often indefinitely and passively eavesdrop on that member's messages. Generating and distributing a new sender key provides a form of post-compromise security with regard to that sender. However, it requires computation and communications resources that scale linearly with the size of the group. In this document, we describe a protocol based on tree structures that enable asynchronous group keying with forward secrecy and post- compromise security. Based on earlier work on "asynchronous ratcheting trees" [art], the protocol presented here uses an asynchronous key-encapsulation mechanism for tree structures. This mechanism allows the members of the group to derive and update shared keys with costs that scale as the log of the group size. 1.1. Change Log RFC EDITOR PLEASE DELETE THIS SECTION. draft-10 Barnes, et al. Expires 4 May 2021 [Page 4] Internet-Draft MLS October 2020 * Allow new members to join via an external Commit (*) * Enable proposals to be sent inline in a Commit (*) * Re-enable constant-time Add (*) * Change expiration extension to lifetime extension (*) * Make the tree in the Welcome optional (*) * PSK injection, re-init, sub-group branching (*) * Require the initial init_secret to be a random value (*) * Remove explicit sender data nonce (*) * Do not encrypt to joiners in UpdatePath generation (*) * Move MLSPlaintext signature under the confirmation tag (*) * Explicitly authenticate group membership with MLSPLaintext (*) * Clarify X509Credential structure (*) * Remove uneeded interim transcript hash from GroupInfo (*) * IANA considerations * Derive an authentication secret * Use Extract/Expand from HPKE KDF * Clarify that application messages MUST be encrypted draft-09 * Remove blanking of nodes on Add (*) * Change epoch numbers to uint64 (*) * Add PSK inputs (*) * Add key schedule exporter (*) * Sign the updated direct path on Commit, using "parent hashes" and one signature per leaf (*) * Use structured types for external senders (*) Barnes, et al. Expires 4 May 2021 [Page 5] Internet-Draft MLS October 2020 * Redesign Welcome to include confirmation and use derived keys (*) * Remove ignored proposals (*) * Always include an Update with a Commit (*) * Add per-message entropy to guard against nonce reuse (*) * Use the same hash ratchet construct for both application and handshake keys (*) * Add more ciphersuites * Use HKDF to derive key pairs (*) * Mandate expiration of ClientInitKeys (*) * Add extensions to GroupContext and flesh out the extensibility story (*) * Rename ClientInitKey to KeyPackage draft-08 * Change ClientInitKeys so that they only refer to one ciphersuite (*) * Decompose group operations into Proposals and Commits (*) * Enable Add and Remove proposals from outside the group (*) * Replace Init messages with multi-recipient Welcome message (*) * Add extensions to ClientInitKeys for expiration and downgrade resistance (*) * Allow multiple Proposals and a single Commit in one MLSPlaintext (*) draft-07 * Initial version of the Tree based Application Key Schedule (*) * Initial definition of the Init message for group creation (*) * Fix issue with the transcript used for newcomers (*) * Clarifications on message framing and HPKE contexts (*) Barnes, et al. Expires 4 May 2021 [Page 6] Internet-Draft MLS October 2020 draft-06 * Reorder blanking and update in the Remove operation (*) * Rename the GroupState structure to GroupContext (*) * Rename UserInitKey to ClientInitKey * Resolve the circular dependency that draft-05 introduced in the confirmation MAC calculation (*) * Cover the entire MLSPlaintext in the transcript hash (*) draft-05 * Common framing for handshake and application messages (*) * Handshake message encryption (*) * Convert from literal state to a commitment via the "tree hash" (*) * Add credentials to the tree and remove the "roster" concept (*) * Remove the secret field from tree node values draft-04 * Updating the language to be similar to the Architecture document * ECIES is now renamed in favor of HPKE (*) * Using a KDF instead of a Hash in TreeKEM (*) draft-03 * Added ciphersuites and signature schemes (*) * Re-ordered fields in UserInitKey to make parsing easier (*) * Fixed inconsistencies between Welcome and GroupState (*) * Added encryption of the Welcome message (*) draft-02 * Removed ART (*) * Allowed partial trees to avoid double-joins (*) Barnes, et al. Expires 4 May 2021 [Page 7] Internet-Draft MLS October 2020 * Added explicit key confirmation (*) draft-01 * Initial description of the Message Protection mechanism. (*) * Initial specification proposal for the Application Key Schedule using the per-participant chaining of the Application Secret design. (*) * Initial specification proposal for an encryption mechanism to protect Application Messages using an AEAD scheme. (*) * Initial specification proposal for an authentication mechanism of Application Messages using signatures. (*) * Initial specification proposal for a padding mechanism to improving protection of Application Messages against traffic analysis. (*) * Inversion of the Group Init Add and Application Secret derivations in the Handshake Key Schedule to be ease chaining in case we switch design. (*) * Removal of the UserAdd construct and split of GroupAdd into Add and Welcome messages (*) * Initial proposal for authenticating handshake messages by signing over group state and including group state in the key schedule (*) * Added an appendix with example code for tree math * Changed the ECIES mechanism used by TreeKEM so that it uses nonces generated from the shared secret draft-00 * Initial adoption of draft-barnes-mls-protocol-01 as a WG item. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Client: An agent that uses this protocol to establish shared Barnes, et al. Expires 4 May 2021 [Page 8] Internet-Draft MLS October 2020 cryptographic state with other clients. A client is defined by the cryptographic keys it holds. Group: A collection of clients with shared cryptographic state. Member: A client that is included in the shared state of a group, hence has access to the group's secrets. Key Package: A signed object describing a client's identity and capabilities, and including a hybrid public-key encryption (HPKE [I-D.irtf-cfrg-hpke] ) public key that can be used to encrypt to that client. Initialization Key (InitKey): A key package that is prepublished by a client, which other clients can use to introduce the client to a new group. Signature Key: A signing key pair used to authenticate the sender of a message. Terminology specific to tree computations is described in Section 5. We use the TLS presentation language [RFC8446] to describe the structure of protocol messages. 3. Basic Assumptions This protocol is designed to execute in the context of a Service Provider (SP) as described in [I-D.ietf-mls-architecture]. In particular, we assume the SP provides the following services: * A signature key provider which allows clients to authenticate protocol messages in a group. * A broadcast channel, for each group, which will relay a message to all members of a group. For the most part, we assume that this channel delivers messages in the same order to all participants. (See Section 13 for further considerations.) * A directory to which clients can publish key packages and download key packages for other participants. Barnes, et al. Expires 4 May 2021 [Page 9] Internet-Draft MLS October 2020 4. Protocol Overview The goal of this protocol is to allow a group of clients to exchange confidential and authenticated messages. It does so by deriving a sequence of secrets and keys known only to members. Those should be secret against an active network adversary and should have both forward secrecy and post-compromise security with respect to compromise of any members. We describe the information stored by each client as _state_, which includes both public and private data. An initial state is set up by a group creator, which is a group containing only itself. The creator then sends _Add_ proposals for each client in the initial set of members, followed by a _Commit_ message which incorporates all of the _Adds_ into the group state. Finally, the group creator generates a _Welcome_ message corresponding to the Commit and sends this directly to all the new members, who can use the information it contains to set up their own group state and derive a shared secret. Members exchange Commit messages for post-compromise security, to add new members, and to remove existing members. These messages produce new shared secrets which are causally linked to their predecessors, forming a logical Directed Acyclic Graph (DAG) of states. The protocol algorithms we specify here follow. Each algorithm specifies both (i) how a client performs the operation and (ii) how other clients update their state based on it. There are three major operations in the lifecycle of a group: * Adding a member, initiated by a current member; * Updating the leaf secret of a member; * Removing a member. Each of these operations is "proposed" by sending a message of the corresponding type (Add / Update / Remove). The state of the group is not changed, however, until a Commit message is sent to provide the group with fresh entropy. In this section, we show each proposal being committed immediately, but in more advanced deployment cases an application might gather several proposals before committing them all at once. Before the initialization of a group, clients publish InitKeys (as KeyPackage objects) to a directory provided by the Service Provider. Barnes, et al. Expires 4 May 2021 [Page 10] Internet-Draft MLS October 2020 Group A B C Directory Channel | | | | | | KeyPackageA | | | | |------------------------------------------------->| | | | | | | | | KeyPackageB | | | | |-------------------------------->| | | | | | | | | | KeyPackageC | | | | |--------------->| | | | | | | When a client A wants to establish a group with B and C, it first initializes a group state containing only itself and downloads KeyPackages for B and C. For each member, A generates an Add and Commit message adding that member, and broadcasts them to the group. It also generates a Welcome message and sends this directly to the new member (there's no need to send it to the group). Only after A has received its Commit message back from the server does it update its state to reflect the new member's addition. Upon receiving the Welcome message and the corresponding Commit, the new member will be able to read and send new messages to the group. Messages received before the client has joined the group are ignored. Barnes, et al. Expires 4 May 2021 [Page 11] Internet-Draft MLS October 2020 Group A B C Directory Channel | | | | | | KeyPackageB, KeyPackageC | | |<-------------------------------------------| | |state.init() | | | | | | | | | | | | | Add(A->AB) | | | | | Commit(Add) | |--------------------------------------------------------------->| | | | | | | Welcome(B) | | | | |------------->|state.init() | | | | | | | | | | | | Add(A->AB) | | | | | Commit(Add) | |<---------------------------------------------------------------| |state.add(B) |<------------------------------------------------| | |state.join() | | | | | | | | | | | | Add(AB->ABC) | | | | | Commit(Add) | |--------------------------------------------------------------->| | | | | | | | Welcome(C) | | | |---------------------------->|state.init() | | | | | | | | | | | Add(AB->ABC) | | | | | Commit(Add) | |<---------------------------------------------------------------| |state.add(C) |<------------------------------------------------| | |state.add(C) |<---------------------------------| | | |state.join() | | Subsequent additions of group members proceed in the same way. Any member of the group can download a KeyPackage for a new client and broadcast an Add message that the current group can use to update their state, and a Welcome message that the new client can use to initialize its state. To enforce the forward secrecy and post-compromise security of messages, each member periodically updates their leaf secret. Any member can update this information at any time by generating a fresh KeyPackage and sending an Update message followed by a Commit message. Once all members have processed both, the group's secrets will be unknown to an attacker that had compromised the sender's prior leaf secret. Barnes, et al. Expires 4 May 2021 [Page 12] Internet-Draft MLS October 2020 Update messages should be sent at regular intervals of time as long as the group is active, and members that don't update should eventually be removed from the group. It's left to the application to determine an appropriate amount of time between Updates. Group A B ... Z Directory Channel | | | | | | | Update(B) | | | | |------------------------------------------->| | Commit(Upd) | | | | |---------------------------------------------------------->| | | | | | | | | | Update(B) | | | | | Commit(Upd) | |<----------------------------------------------------------| |state.upd(B) |<-------------------------------------------| | |state.upd(B) |<----------------------------| | | |state.upd(B) | | | | | | | Members are removed from the group in a similar way. Any member of the group can send a Remove proposal followed by a Commit message, which adds new entropy to the group state that's known to all except the removed member. Note that this does not necessarily imply that any member is actually allowed to evict other members; groups can enforce access control policies on top of these basic mechanism. Group A B ... Z Directory Channel | | | | | | | | Remove(B) | | | | | Commit(Rem) | | | | |---------------------------->| | | | | | | | | | Remove(B) | | | | | Commit(Rem) | |<----------------------------------------------------------| |state.rem(B) | |<----------------------------| | | |state.rem(B) | | | | | | | | | | | | 5. Ratchet Trees The protocol uses "ratchet trees" for deriving shared secrets among a group of clients. Barnes, et al. Expires 4 May 2021 [Page 13] Internet-Draft MLS October 2020 5.1. Tree Computation Terminology Trees consist of _nodes_. A node is a _leaf_ if it has no children, and a _parent_ otherwise; note that all parents in our trees have precisely two children, a _left_ child and a _right_ child. A node is the _root_ of a tree if it has no parents, and _intermediate_ if it has both children and parents. The _descendants_ of a node are that node, its children, and the descendants of its children, and we say a tree _contains_ a node if that node is a descendant of the root of the tree. Nodes are _siblings_ if they share the same parent. A _subtree_ of a tree is the tree given by the descendants of any node, the _head_ of the subtree. The _size_ of a tree or subtree is the number of leaf nodes it contains. For a given parent node, its _left subtree_ is the subtree with its left child as head (respectively _right subtree_). All trees used in this protocol are left-balanced binary trees. A binary tree is _full_ (and _balanced_) if its size is a power of two and for any parent node in the tree, its left and right subtrees have the same size. A binary tree is _left-balanced_ if for every parent, either the parent is balanced, or the left subtree of that parent is the largest full subtree that could be constructed from the leaves present in the parent's own subtree. Given a list of "n" items, there is a unique left-balanced binary tree structure with these elements as leaves. (Note that left-balanced binary trees are the same structure that is used for the Merkle trees in the Certificate Transparency protocol [I-D.ietf-trans-rfc6962-bis].) The _direct path_ of a root is the empty list, and of any other node is the concatenation of that node's parent along with the parent's direct path. The _copath_ of a node is the node's sibling concatenated with the list of siblings of all the nodes in its direct path, excluding the root. For example, in the below tree: * The direct path of C is (CD, ABCD, ABCDEFG) * The copath of C is (D, AB, EFG) Barnes, et al. Expires 4 May 2021 [Page 14] Internet-Draft MLS October 2020 ABCDEFG / \ / \ / \ ABCD EFG / \ / \ / \ / \ AB CD EF | / \ / \ / \ | A B C D E F G 1 1 1 0 1 2 3 4 5 6 7 8 9 0 1 2 Each node in the tree is assigned a _node index_, starting at zero and running from left to right. A node is a leaf node if and only if it has an even index. The node indices for the nodes in the above tree are as follows: * 0 = A * 1 = AB * 2 = B * 3 = ABCD * 4 = C * 5 = CD * 6 = D * 7 = ABCDEFG * 8 = E * 9 = EF * 10 = F * 11 = EFG * 12 = G The leaves of the tree are indexed separately, using a _leaf index_, since the protocol messages only need to refer to leaves in the tree. Like nodes, leaves are numbered left to right. The node with leaf Barnes, et al. Expires 4 May 2021 [Page 15] Internet-Draft MLS October 2020 index "k" is also called the "k-th" leaf. Note that given the above numbering, a node is a leaf node if and only if it has an even node index, and a leaf node's leaf index is half its node index. The leaf indices in the above tree are as follows: * 0 = A * 1 = B * 2 = C * 3 = D * 4 = E * 5 = F * 6 = G 5.2. Ratchet Tree Nodes A particular instance of a ratchet tree is defined by the same parameters that define an instance of HPKE, namely: * A Key Encapsulation Mechanism (KEM), including a "DeriveKeyPair" function that creates a key pair for the KEM from a symmetric secret * A Key Derivation Function (KDF), including "Extract" and "Expand" functions * An AEAD encryption scheme Each node in a ratchet tree contains up to five values: * A private key (only within the member's direct path, see below) * A public key * An ordered list of leaf indices for "unmerged" leaves (see Section 5.3) * A credential (only for leaf nodes) * A hash of the node's parent, as of the last time the node was changed. Barnes, et al. Expires 4 May 2021 [Page 16] Internet-Draft MLS October 2020 The conditions under which each of these values must or must not be present are laid out in Section 5.3. A node in the tree may also be _blank_, indicating that no value is present at that node. The _resolution_ of a node is an ordered list of non-blank nodes that collectively cover all non-blank descendants of the node. * The resolution of a non-blank node comprises the node itself, followed by its list of unmerged leaves, if any * The resolution of a blank leaf node is the empty list * The resolution of a blank intermediate node is the result of concatenating the resolution of its left child with the resolution of its right child, in that order For example, consider the following tree, where the "_" character represents a blank node: _ / \ / \ _ CD[C] / \ / \ A _ C D 0 1 2 3 4 5 6 In this tree, we can see all of the above rules in play: * The resolution of node 5 is the list [CD, C] * The resolution of node 2 is the empty list [] * The resolution of node 3 is the list [A, CD, C] Every node, regardless of whether the node is blank or populated, has a corresponding _hash_ that summarizes the contents of the subtree below that node. The rules for computing these hashes are described in Section 7.5. 5.3. Views of a Ratchet Tree We generally assume that each participant maintains a complete and up-to-date view of the public state of the group's ratchet tree, including the public keys for all nodes and the credentials associated with the leaf nodes. Barnes, et al. Expires 4 May 2021 [Page 17] Internet-Draft MLS October 2020 No participant in an MLS group knows the private key associated with every node in the tree. Instead, each member is assigned to a leaf of the tree, which determines the subset of private keys it knows. The credential stored at that leaf is one provided by the member. In particular, MLS maintains the members' views of the tree in such a way as to maintain the _tree invariant_: The private key for a node in the tree is known to a member of the group only if that member's leaf is a descendant of the node. In other words, if a node is not blank, then it holds a public key. The corresponding private key is known only to members occupying leaves below that node. The reverse implication is not true: A member may not know the private keys of all the intermediate nodes they're below. Such a member has an _unmerged_ leaf. Encrypting to an intermediate node requires encrypting to the node's public key, as well as the public keys of all the unmerged leaves below it. A leaf is unmerged when it is first added, because the process of adding the leaf does not give it access to all of the nodes above it in the tree. Leaves are "merged" as they receive the private keys for nodes, as described in Section 5.4. 5.4. Ratchet Tree Evolution A member of an MLS group advances the key schedule to provide forward secrecy and post-compromise security by providing the group with fresh key material to be added into the group's shared secret. To do so, one member of the group generates fresh key material, applies it to their local tree state, and then sends this key material to other members in the group via an UpdatePath message (see Section 7.7) . All other group members then apply the key material in the UpdatePath to their own local tree state to derive the group's now-updated shared secret. To begin, the generator of the UpdatePath updates its leaf KeyPackage and its direct path to the root with new secret values. The HPKE leaf public key within the KeyPackage MUST be derived from a freshly generated HPKE secret key to provide post-compromise security. The generator of the UpdatePath starts by sampling a fresh random value called "leaf_secret", and uses the leaf_secret to generate their leaf HPKE key pair (see Section 7) and to seed a sequence of "path secrets", one for each ancestor of its leaf. In this setting, path_secret[0] refers to the node directly above the leaf, Barnes, et al. Expires 4 May 2021 [Page 18] Internet-Draft MLS October 2020 path_secret[1] for its parent, and so on. At each step, the path secret is used to derive a new secret value for the corresponding node, from which the node's key pair is derived. leaf_node_secret = DeriveSecret(leaf_secret, "node") path_secret[0] = DeriveSecret(leaf_secret, "path") path_secret[n] = DeriveSecret(path_secret[n-1], "path") node_secret[n] = DeriveSecret(path_secret[n], "node") leaf_priv, leaf_pub = KEM.DeriveKeyPair(leaf_node_secret) node_priv[n], node_pub[n] = KEM.DeriveKeyPair(node_secret[n]) For example, suppose there is a group with four members: G / \ / \ / \ E _ / \ / \ A B C D If member B subsequently generates an UpdatePath based on a secret "leaf_secret", then it would generate the following sequence of path secrets: path_secret[1] --> node_secret[1] --> node_priv[1], node_pub[1] ^ | path_secret[0] --> node_secret[0] --> node_priv[0], node_pub[0] ^ | leaf_secret --> leaf_node_secret --> leaf_priv, leaf_pub ~> leaf_key_package After applying the UpdatePath, the tree will have the following structure, where "np[i]" represents the node_priv values generated as described above: np[1] / \ np[0] _ / \ / \ A B C D After performing these operations, the generator of the UpdatePath MUST delete the leaf_secret. Barnes, et al. Expires 4 May 2021 [Page 19] Internet-Draft MLS October 2020 5.5. Synchronizing Views of the Tree After generating fresh key material and applying it to ratchet forward their local tree state as described in the prior section, the generator must broadcast this update to other members of the group in a Commit message, who apply it to keep their local views of the tree in sync with the sender's. More specifically, when a member commits a change to the tree (e.g., to add or remove a member), it transmits an UpdatePath message containing a set of public and encrypted private values for intermediate nodes in the direct path of a leaf. The other members of the group use these values to update their view of the tree, aligning their copy of the tree to the sender's. To transmit this update, the sender broadcasts to the group the following information for each node in the direct path of the leaf, including the root: * The public key for the node * Zero or more encrypted copies of the path secret corresponding to the node The path secret value for a given node is encrypted for the subtree corresponding to the parent's non-updated child, that is, the child on the copath of the leaf node. There is one encrypted path secret for each public key in the resolution of the non-updated child. The recipient of a path update processes it with the following steps: 1. Compute the updated path secrets. * Identify a node in the direct path for which the local member is in the subtree of the non-updated child. * Identify a node in the resolution of the copath node for which this node has a private key. * Decrypt the path secret for the parent of the copath node using the private key from the resolution node. * Derive path secrets for ancestors of that node using the algorithm described above. * The recipient SHOULD verify that the received public keys agree with the public keys derived from the new path_secret values. 2. Merge the updated path secrets into the tree. Barnes, et al. Expires 4 May 2021 [Page 20] Internet-Draft MLS October 2020 * For all updated nodes, - Replace the public key for each node with the received public key. - Set the list of unmerged leaves to the empty list. - Store the updated hash of the node's parent (represented as a ParentNode struct), going from root to leaf, so that each hash incorporates all the nodes above it. The root node always has a zero-length hash for this value. * For nodes where an updated path secret was computed in step 1, compute the corresponding node key pair and replace the values stored at the node with the computed values. For example, in order to communicate the example update described in the previous section, the sender would transmit the following values: +============+==================================+ | Public Key | Ciphertext(s) | +============+==================================+ | pk(ns[1]) | E(pk(C), ps[1]), E(pk(D), ps[1]) | +------------+----------------------------------+ | pk(ns[0]) | E(pk(A), ps[0]) | +------------+----------------------------------+ Table 1 In this table, the value pk(ns[X]) represents the public key derived from the node secret X, whereas pk(X) represents the public leaf key for user X. The value E(K, S) represents the public-key encryption of the path secret S to the public key K. After processing the update, each recipient MUST delete outdated key material, specifically: * The path secrets used to derive each updated node key pair. * Each outdated node key pair that was replaced by the update. 6. Cryptographic Objects 6.1. Ciphersuites Each MLS session uses a single ciphersuite that specifies the following primitives to be used in group key computations: Barnes, et al. Expires 4 May 2021 [Page 21] Internet-Draft MLS October 2020 * HPKE parameters: - A Key Encapsulation Mechanism (KEM) - A Key Derivation Function (KDF) - An AEAD encryption algorithm * A hash algorithm * A signature algorithm The HPKE parameters are used to instantiate HPKE [I-D.irtf-cfrg-hpke] for the purpose of public-key encryption. The "DeriveKeyPair" function associated to the KEM for the ciphersuite maps octet strings to HPKE key pairs. Ciphersuites are represented with the CipherSuite type. HPKE public keys are opaque values in a format defined by the underlying protocol (see the Cryptographic Dependencies section of the HPKE specification for more information). opaque HPKEPublicKey<1..2^16-1>; The signature algorithm specified in the ciphersuite is the mandatory algorithm to be used for signatures in MLSPlaintext and the tree signatures. It MUST be the same as the signature algorithm specified in the credential field of the KeyPackage objects in the leaves of the tree (including the InitKeys used to add new members). The ciphersuites are defined in section Section 16.1. 6.2. Credentials A member of a group authenticates the identities of other participants by means of credentials issued by some authentication system, like a PKI. Each type of credential MUST express the following data in the context of the group it is used with: * The public key of a signature key pair matching the SignatureScheme specified by the CipherSuite of the group * The identity of the holder of the private key Credentials MAY also include information that allows a relying party to verify the identity / signing key binding. Barnes, et al. Expires 4 May 2021 [Page 22] Internet-Draft MLS October 2020 Additionally, Credentials SHOULD specify the signature scheme corresponding to each contained public key. // See RFC 8446 and the IANA TLS SignatureScheme registry uint16 SignatureScheme; // See IANA registry for registered values uint16 CredentialType; struct { opaque identity<0..2^16-1>; SignatureScheme signature_scheme; opaque signature_key<0..2^16-1>; } BasicCredential; struct { opaque cert_data<0..2^16-1>; } Certificate; struct { CredentialType credential_type; select (Credential.credential_type) { case basic: BasicCredential; case x509: Certificate chain<1..2^32-1>; }; } Credential; A BasicCredential is a raw, unauthenticated assertion of an identity/ key binding. The format of the key in the "public_key" field is defined by the relevant ciphersuite: the group ciphersuite for a credential in a ratchet tree, the KeyPackage ciphersuite for a credential in a KeyPackage object. For X509Credential, each entry in the chain represents a single DER- encoded X509 certificate. The chain is ordered such that the first entry (chain[0]) is the end-entity certificate and each subsequent certificate in the chain MUST be the issuer of the previous certificate. The algorithm for the "public_key" in the end-entity certificate MUST match the relevant ciphersuite. For ciphersuites using Ed25519 or Ed448 signature schemes, the public key is in the format specified [RFC8032]. For ciphersuites using ECDSA with the NIST curves P-256 or P-521, the public key is the output of the uncompressed Elliptic-Curve-Point-to-Octet-String conversion according to [SECG]. Barnes, et al. Expires 4 May 2021 [Page 23] Internet-Draft MLS October 2020 Note that each new credential that has not already been validated by the application MUST be validated against the Authentication Service. 7. Key Packages In order to facilitate asynchronous addition of clients to a group, it is possible to pre-publish key packages that provide some public information about a user. KeyPackage structures provide information about a client that any existing member can use to add this client to the group asynchronously. A KeyPackage object specifies a ciphersuite that the client supports, as well as providing a public key that others can use for key agreement. The client's signature key can be updated throughout the lifetime of the group by sending a new KeyPackage with a new Credential. However, the identity MUST be the same in both Credentials and the new Credential MUST be validated by the authentication service. When used as InitKeys, KeyPackages are intended to be used only once and SHOULD NOT be reused except in case of last resort. (See Section 15.4). Clients MAY generate and publish multiple InitKeys to support multiple ciphersuites. KeyPackages contain a public key chosen by the client, which the client MUST ensure uniquely identifies a given KeyPackage object among the set of KeyPackages created by this client. The value for hpke_init_key MUST be a public key for the asymmetric encryption scheme defined by cipher_suite. The whole structure is signed using the client's signature key. A KeyPackage object with an invalid signature field MUST be considered malformed. The input to the signature computation comprises all of the fields except for the signature field. Barnes, et al. Expires 4 May 2021 [Page 24] Internet-Draft MLS October 2020 enum { reserved(0), mls10(1), (255) } ProtocolVersion; // See IANA registry for registered values uint16 ExtensionType; struct { ExtensionType extension_type; opaque extension_data<0..2^16-1>; } Extension; struct { ProtocolVersion version; CipherSuite cipher_suite; HPKEPublicKey hpke_init_key; Credential credential; Extension extensions<8..2^32-1>; opaque signature<0..2^16-1>; } KeyPackage; KeyPackage objects MUST contain at least two extensions, one of type "capabilities", and one of type "lifetime". The "capabilities" extension allow MLS session establishment to be safe from downgrade attacks on the parameters described (as discussed in Section 10), while still only advertising one version / ciphersuite per KeyPackage. As the "KeyPackage" is a structure which is stored in the Ratchet Tree and updated depending on the evolution of this tree, each modification of its content MUST be reflected by a change of its signature. This allow other members to control the validity of the KeyPackage at any time and in particular in the case of a newcomer joining the group. 7.1. Client Capabilities The "capabilities" extension indicates what protocol versions, ciphersuites, and protocol extensions are supported by a client. struct { ProtocolVersion versions<0..255>; CipherSuite ciphersuites<0..255>; ExtensionType extensions<0..255>; } Capabilities; Barnes, et al. Expires 4 May 2021 [Page 25] Internet-Draft MLS October 2020 This extension MUST be always present in a KeyPackage. Extensions that appear in the "extensions" field of a KeyPackage MUST be included in the "extensions" field of the "capabilities" extension. 7.2. Lifetime The "lifetime" extension represents the times between which clients will consider a KeyPackage valid. This time is represented as an absolute time, measured in seconds since the Unix epoch (1970-01-01T00:00:00Z). A client MUST NOT use the data in a KeyPackage for any processing before the "not_before" date, or after the "not_after" date. uint64 not_before; uint64 not_after; Applications MUST define a maximum total lifetime that is acceptable for a KeyPackage, and reject any KeyPackage where the total lifetime is longer than this duration. This extension MUST always be present in a KeyPackage. 7.3. KeyPackage Identifiers Within MLS, a KeyPackage is identified by its hash (see, e.g., Section 11.2.2). The "key_id" extension allows applications to add an explicit, application-defined identifier to a KeyPackage. opaque key_id<0..2^16-1>; 7.4. Parent Hash The "parent_hash" extension serves to bind a KeyPackage to all the nodes above it in the group's ratchet tree. This enforces the tree invariant, meaning that malicious members can't lie about the state of the ratchet tree when they send Welcome messages to new members. opaque parent_hash<0..255>; This extension MUST be present in all Updates that are sent as part of a Commit message. If the extension is present, clients MUST verify that "parent_hash" matches the hash of the leaf's parent node when represented as a ParentNode struct. Barnes, et al. Expires 4 May 2021 [Page 26] Internet-Draft MLS October 2020 7.5. Tree Hashes To allow group members to verify that they agree on the public cryptographic state of the group, this section defines a scheme for generating a hash value that represents the contents of the group's ratchet tree and the members' KeyPackages. The hash of a tree is the hash of its root node, which we define recursively, starting with the leaves. Elements of the ratchet tree are called "Node" objects and the leaves contain an optional "KeyPackage", while the parents contain an optional "ParentNode". struct { uint8 present; select (present) { case 0: struct{}; case 1: T value; } } optional; struct { HPKEPublicKey public_key; uint32 unmerged_leaves<0..2^32-1>; opaque parent_hash<0..255>; } ParentNode; When computing the hash of a parent node, the "ParentNodeHashInput" structure is used: struct { uint32 node_index; optional parent_node; opaque left_hash<0..255>; opaque right_hash<0..255>; } ParentNodeHashInput; The "left_hash" and "right_hash" fields hold the hashes of the node's left and right children, respectively. When computing the hash of a leaf node, the hash of a "LeafNodeHashInput" object is used: struct { uint32 node_index; optional key_package; } LeafNodeHashInput; Barnes, et al. Expires 4 May 2021 [Page 27] Internet-Draft MLS October 2020 Note that the "node_index" field contains the index of the leaf among the nodes in the tree, not its index among the leaves; "node_index = 2 * leaf_index". 7.6. Group State Each member of the group maintains a GroupContext object that summarizes the state of the group: struct { opaque group_id<0..255>; uint64 epoch; opaque tree_hash<0..255>; opaque confirmed_transcript_hash<0..255>; Extension extensions<0..2^32-1>; } GroupContext; The fields in this state have the following semantics: * The "group_id" field is an application-defined identifier for the group. * The "epoch" field represents the current version of the group key. * The "tree_hash" field contains a commitment to the contents of the group's ratchet tree and the credentials for the members of the group, as described in Section 7.5. * The "confirmed_transcript_hash" field contains a running hash over the messages that led to this state. When a new member is added to the group, an existing member of the group provides the new member with a Welcome message. The Welcome message provides the information the new member needs to initialize its GroupContext. Different changes to the group will have different effects on the group state. These effects are described in their respective subsections of Section 11.1. The following general rules apply: * The "group_id" field is constant * The "epoch" field increments by one for each Commit message that is processed * The "tree_hash" is updated to represent the current tree and credentials Barnes, et al. Expires 4 May 2021 [Page 28] Internet-Draft MLS October 2020 * The "confirmed_transcript_hash" is updated with the data for an MLSPlaintext message encoding a Commit message in two parts: struct { opaque group_id<0..255>; uint64 epoch; Sender sender; ContentType content_type = commit; Commit commit; opaque signature<0..2^16-1>; } MLSPlaintextCommitContent; struct { MAC confirmation_tag; } MLSPlaintextCommitAuthData; interim_transcript_hash_[0] = ""; // zero-length octet string confirmed_transcript_hash_[n] = Hash(interim_transcript_hash_[n] || MLSPlaintextCommitContent_[n]); interim_transcript_hash_[n+1] = Hash(confirmed_transcript_hash_[n] || MLSPlaintextCommitAuthData_[n]); Thus the "confirmed_transcript_hash" field in a GroupContext object represents a transcript over the whole history of MLSPlaintext Commit messages, up to the confirmation tag field in the current MLSPlaintext message. The confirmation tag is then included in the transcript for the next epoch. The interim transcript hash is passed to new members in the GroupInfo struct, and enables existing members to incorporate a Commit message into the transcript without having to store the whole MLSPlaintextCommitAuthData structure. As shown above, when a new group is created, the "interim_transcript_hash" field is set to the zero-length octet string. 7.7. Update Paths As described in Section 11.2, each MLS Commit message may optionally transmit a KeyPackage leaf and node values along its direct path. The path contains a public key and encrypted secret value for all intermediate nodes in the path above the leaf. The path is ordered from the closest node to the leaf to the root; each node MUST be the parent of its predecessor. Barnes, et al. Expires 4 May 2021 [Page 29] Internet-Draft MLS October 2020 struct { opaque kem_output<0..2^16-1>; opaque ciphertext<0..2^16-1>; } HPKECiphertext; struct { HPKEPublicKey public_key; HPKECiphertext encrypted_path_secret<0..2^32-1>; } UpdatePathNode; struct { KeyPackage leaf_key_package; UpdatePathNode nodes<0..2^32-1>; } UpdatePath; For each "UpdatePathNode", the resolution of the corresponding copath node MUST be filtered by removing all new leaf nodes added as part of this MLS Commit message. The number of ciphertexts in the "encrypted_path_secret" vector MUST be equal to the length of the filtered resolution, with each ciphertext being the encryption to the respective resolution node. The HPKECiphertext values are computed as kem_output, context = SetupBaseS(node_public_key, "") ciphertext = context.Seal(group_context, path_secret) where "node_public_key" is the public key of the node that the path secret is being encrypted for, group_context is the current GroupContext object for the group, and the functions "SetupBaseS" and "Seal" are defined according to [I-D.irtf-cfrg-hpke]. Decryption is performed in the corresponding way, using the private key of the resolution node and the ephemeral public key transmitted in the message. 8. Key Schedule Group keys are derived using the "Extract" and "Expand" functions from the KDF for the group's ciphersuite, as well as the functions defined below: Barnes, et al. Expires 4 May 2021 [Page 30] Internet-Draft MLS October 2020 ExpandWithLabel(Secret, Label, Context, Length) = KDF.Expand(Secret, KDFLabel, Length) Where KDFLabel is specified as: struct { uint16 length = Length; opaque label<7..255> = "mls10 " + Label; opaque context<0..2^32-1> = Context; } KDFLabel; DeriveSecret(Secret, Label) = ExpandWithLabel(Secret, Label, "", KDF.Nh) The value "KDF.Nh" is the size of an output from "KDF.Extract", in bytes. In the below diagram: * KDF.Extract takes its salt argument from the top and its IKM argument from the left * DeriveSecret takes its Secret argument from the incoming arrow When processing a handshake message, a client combines the following information to derive new epoch secrets: * The init secret from the previous epoch * The commit secret for the current epoch * The GroupContext object for current epoch Given these inputs, the derivation of secrets for an epoch proceeds as shown in the following diagram: Barnes, et al. Expires 4 May 2021 [Page 31] Internet-Draft MLS October 2020 init_secret_[n-1] | V commit_secret -> KDF.Extract = joiner_secret | V Derive-Secret(., "member") | V psk_secret (or 0) -> KDF.Extract = member_secret | +--> Derive-Secret(., "welcome") | = welcome_secret | V ExpandWithLabel(., "epoch", GroupContext_[n], KDF.Nh) | V epoch_secret | +--> Derive-Secret(.,