IETF
mls
mls@jabber.ietf.org
Sunday, July 15, 2018
dkg has set the subject to: MLS @ IETF102 -- hackathon https://trac.ietf.org/trac/ietf/meeting/wiki/102hackathon/MLS
GMT+0
[02:46:05] richard.barnes joins the room
[04:04:34] richard.barnes leaves the room
[10:27:30] Dave Cridland joins the room
[10:27:56] Dave Cridland leaves the room
[10:28:37] Dave Cridland joins the room
[10:37:54] Dave Cridland leaves the room
[11:47:45] jmillican@outer-planes.net joins the room
[11:57:19] jmillican@outer-planes.net leaves the room: Disconnected: closed
[12:31:18] Dave Cridland joins the room
[12:32:40] linuxwolf joins the room
[12:35:07] JoeHallCDT joins the room
[12:38:28] JoeHallCDT leaves the room: Replaced by new connection
[12:39:02] Dave Cridland leaves the room
[12:39:43] Dave Cridland joins the room
[12:41:40] Dave Cridland leaves the room
[12:42:21] Dave Cridland joins the room
[12:42:41] nat joins the room
[12:49:54] Dave Cridland leaves the room
[13:08:24] jmillican@outer-planes.net joins the room
[13:14:50] jmillican@outer-planes.net leaves the room
[13:15:07] richard.barnes joins the room
[13:15:38] <richard.barnes> Joe: I heartily endorse that interpretation
[13:32:57] richard.barnes leaves the room
[13:42:45] richard.barnes joins the room
[13:53:17] linuxwolf leaves the room
[14:04:20] JoeHallCDT joins the room
[14:05:01] <JoeHallCDT> morning folks... looking at EKR’s original email to the MLS list about TreeKEM: I’m wondering if the line about updating keys:
[14:06:29] <JoeHallCDT> the line “E(pubkey(H^2(d)), H^2(b’))” shouldn’t be to pubkey(H(d), H^2(b’))... that is you want to encrypt the root secret of that four-element tree with the pubkey of the (d) node (not the pubkey of a double hash of that node?)
[14:06:41] <JoeHallCDT> anyway, hopefully that makes sense... seems like it’s a simple typo
[14:07:22] <richard.barnes> You don’t encrypt the root secret to anyone (?)
[14:07:35] <richard.barnes> You encrypt the secret of an intermediate node to whichever child isn’t being updated
[14:10:10] Dave Cridland joins the room
[14:10:13] linuxwolf joins the room
[14:10:33] <JoeHallCDT> ah
[14:11:42] <JoeHallCDT> I guess my question here is why is it pubkey(H^2(d)) there and not just H(d)... I’ll stare a bit more at it
[14:11:58] <richard.barnes> Without seeing the doc, can’t comment on the specific notation
[14:12:15] <JoeHallCDT> UPDATES
Now say that b wants to update its key to b', giving us the tree:
       H^2(b')
      /     \
    H(b')   H(d)
    / \     / \
   a   b'  c   d
This requires providing
  - a with H(b') -- note that a can compute H^2(b') for itself.
  - c and d with H^2(b')
Recall that you can encrypt to any subset of the tree by just
encrypting to the appropriate set of parent nodes. So, we can
do this by sending:
  - E(pubkey(a), H(b'))
  - E(pubkey(H^2(d)), H^2(b'))
[14:12:51] <JoeHallCDT> TreeKEM is a cool tweak yo
[14:20:53] JoeHallCDT leaves the room
[14:22:54] Dave Cridland leaves the room
[14:24:50] richard.barnes leaves the room
[14:25:32] Dave Cridland joins the room
[14:26:53] richard.barnes joins the room
[14:28:14] <richard.barnes> Joe: You’re right, should be E(pubkey(H^2(b’)), H(d))
[14:28:25] <richard.barnes> Also, ignore what I said above about not encrypting the root secret
[14:28:27] <richard.barnes> :)
[14:28:56] JoeHallCDT joins the room
[14:29:20] JoeHallCDT leaves the room: Replaced by new connection
[14:29:20] JoeHallCDT joins the room
[14:29:23] Dave Cridland leaves the room
[14:30:04] Dave Cridland joins the room
[14:30:39] richard.barnes leaves the room
[14:36:16] Dave Cridland leaves the room
[14:36:58] Dave Cridland joins the room
[14:37:33] Dave Cridland leaves the room
[14:38:14] Dave Cridland joins the room
[14:40:35] Dave Cridland leaves the room
[14:42:56] Dave Cridland joins the room
[14:46:54] Dave Cridland leaves the room
[14:47:43] richard.barnes joins the room
[14:55:23] Dave Cridland joins the room
[15:00:58] Dave Cridland leaves the room
[15:01:39] Dave Cridland joins the room
[15:04:10] Dave Cridland leaves the room
[15:04:51] Dave Cridland joins the room
[15:10:00] Dave Cridland leaves the room
[15:10:41] Dave Cridland joins the room
[15:10:54] Dave Cridland leaves the room
[15:19:56] <JoeHallCDT> committed first copy of slide template here:
[15:19:56] <JoeHallCDT> https://github.com/IETF-Hackathon/ietf102-project-presentations/blob/master/hackathon-presentation-MLS.pptx
[15:20:15] richard.barnes leaves the room
[15:24:53] <JoeHallCDT> err, PDF here for those that prefer not to PPTX:
[15:24:53] <JoeHallCDT> https://josephhall.org/3cb5b4ab91ec5bff8c78da4966c0cb752e0a4be1/hackathon-presentation-MLS.pdf
[15:26:56] <JoeHallCDT> (we’ll fix the slides between the “pens down” part between 1:30 and 2:00 (don’t look at them now!))
[15:30:58] richard.barnes joins the room
[15:32:01] richard.barnes leaves the room
[15:34:25] Dave Cridland joins the room
[15:34:29] Dave Cridland leaves the room
[15:35:10] Dave Cridland joins the room
[15:38:10] JoeHallCDT leaves the room
[15:39:29] richard.barnes joins the room
[15:42:12] JoeHallCDT joins the room
[15:42:24] JoeHallCDT leaves the room: Replaced by new connection
[15:42:24] JoeHallCDT joins the room
[15:43:54] Dave Cridland leaves the room
[15:58:32] <linuxwolf> note for y'all: JWK representations for Curve25519 keys defined here: https://tools.ietf.org/html/draft-ietf-jose-cfrg-curves-06
[16:16:45] richard.barnes leaves the room
[16:19:44] richard.barnes joins the room
[16:26:14] JoeHallCDT leaves the room
[16:42:03] richard.barnes leaves the room
[16:50:45] richard.barnes joins the room
[16:55:09] nat leaves the room: Machine going to sleep
[17:15:01] JoeHallCDT joins the room
[17:15:26] JoeHallCDT leaves the room: Replaced by new connection
[17:15:27] JoeHallCDT joins the room
[17:18:16] <linuxwolf> working off of this for this weekend https://github.com/linuxwolf/treekem-25519
[17:18:32] <linuxwolf> will get a series of PRs in the future
[17:24:05] <linuxwolf> a JWK for a Curve25519 (public) key: {
    "kty": "OKP",
    "crv": "X25519",
    "x": "ObC_rkfFwMNvZZ3gS47rhzxMXaW5EJ4sX8LDdobNTyY"
}
[17:25:28] jmillican@outer-planes.net joins the room
[17:25:54] linuxwolf leaves the room
[17:26:13] m&m joins the room
[17:27:13] <JoeHallCDT> a belated note that I was adding stuff to the hackathon wiki including the TreeKEM paper from the MLS List (which I found very very helpful)
[17:27:13] <JoeHallCDT> https://mailarchive.ietf.org/arch/attach/mls/pdf1XUH6o.pdf
[17:28:33] jmillican@outer-planes.net leaves the room
[17:29:55] jmillican@outer-planes.net joins the room
[17:56:50] <jmillican@outer-planes.net> My root value after the first node is added: 3eZJ9BxMU3xzlWv8nWFRegJP2Llm2OJG4wdYMlVhM48=
[17:57:02] <jmillican@outer-planes.net> Note I'm not clamping my keys correctly, so don't compare the first few bytes
[17:57:03] jmillican@outer-planes.net leaves the room: Disconnected: closed
[17:59:20] richard.barnes leaves the room
[18:01:24] nat joins the room
[18:08:32] JoeHallCDT leaves the room
[18:14:18] JoeHallCDT joins the room
[18:14:41] JoeHallCDT leaves the room: Replaced by new connection
[18:14:41] JoeHallCDT joins the room
[18:15:31] richard.barnes joins the room
[18:16:28] <richard.barnes> Hey can I get y’all’s help with my presentation in a minute?  I’m going to start off with “who loves video conferences?”  “Who hates surveillance?”  And I need a cheer for the first and a boo for the second
[18:16:44] <JoeHallCDT> will do!
[18:20:49] <m&m> got it
[18:21:29] <m&m> note: iota() has changed from H(secret) to HMAC(secret, "iota") ... to get around inadvertently leaking secrets
[18:22:09] <m&m> my one-leaf tree has a public X25519 key of 6K93Bd50p7K_qnWGc6XMBOU4vbkESZhmIT9Axmch9ik
[18:22:28] <JoeHallCDT> The argument being that you’ll have some serious information about a secret key if it’s just a straight hash?
[18:22:53] <JoeHallCDT> (and not that you can brute force out the key from the hash)
[18:22:53] <m&m> correct
[18:22:56] <JoeHallCDT> kk
[18:23:06] <m&m> and collisions
[18:23:11] <m&m> which are worse
[18:23:46] <m&m> (since we've got a "rng" that is `next = H(next)`
[18:23:48] <m&m> )
[18:25:59] <JoeHallCDT> (RLB is up next)
[18:27:27] <JoeHallCDT> ah, they skipped PERC
[18:27:33] <m&m> boo!
[18:27:37] <JoeHallCDT> boo!
[18:27:51] <richard.barnes> We’ll get there, don’t worry
[18:27:55] dkg joins the room
[18:28:58] <JoeHallCDT> @linuxwolf the TreeKEM paper has at the root K_n = KDF(H(H(...)),K_n-1)
[18:29:04] <dkg> m&m: that's not ours, but  we might be getting doing something in between
[18:29:16] <dkg> hang on, i'll check
[18:29:28] <dkg> m&m: what is your private key?
[18:29:35] <m&m> <redacted>
[18:29:38] <dkg> ha ha
[18:29:43] <m&m> 'uM0pla6_4ktmq00x7hL1clyQvYq8HbW7uNb1SKlgbkE'
[18:29:46] <dkg> we're finding this as the privkey: REUgeN+XlQuyoIGBnwGder/FrzfJjFVJNPtgm2RLiNQ=
[18:29:47] <richard.barnes> hunter2
[18:30:52] <m&m> derived from secret of '3_1gIbsr1bCvZ2KQgJ7DpTGR3YHH9wpLKGiKNiGCmG8' via X25519_clamp( HMAC( secret, 'iota' ) )
[18:30:53] <dkg> are you using "iota" as the HMAC SHA256 key, or are you using "iota" as the data?
[18:31:06] <m&m> data
[18:31:18] <m&m> HMAC-SHA-256(key: secret, data: "iota")
[18:31:21] <dkg> ok, let me try swapping that
[18:31:56] <dkg> now we get us0pla6/4ktmq00x7hL1clyQvYq8HbW7uNb1SKlgboE=
[18:32:18] <dkg> looks like y'all are clamping, no?
[18:32:23] <m&m> yes
[18:32:29] <richard.barnes> clamping?
[18:32:34] <dkg> remind me which bits we need to clamp?
[18:33:26] <m&m>      mysecret[0] &= 248;
     mysecret[31] &= 127;
     mysecret[31] |= 64;
?
[18:33:36] m&m is double-checking his dep
[18:35:09] <dkg> ok, now we're at uM0pla6/4ktmq00x7hL1clyQvYq8HbW7uNb1SKlgbkE=
[18:35:20] <m&m> that's a match
[18:35:26] <JoeHallCDT> woo
[18:35:38] <dkg> and our pub is 6K93Bd50p7K/qnWGc6XMBOU4vbkESZhmIT9Axmch9ik=
[18:35:45] <dkg> also a match
[18:36:32] <m&m> so, that's as far as I got with my fuzz scaffold \-:
[18:36:41] <dkg> :)
[18:37:01] <JoeHallCDT> that’s what you call your beard?
[18:37:24] <dkg> so i'm assuming that we're only using this "rng" for generating leaf node private keys.  sound right?
[18:38:24] <m&m> I was going to use it for deriving private keys, and for making leaf secrets
[18:38:27] <m&m> but I can change that
[18:38:33] <dkg> well, there's an ordering issue
[18:38:36] <dkg> if we do it for both
[18:38:38] <m&m> changing it probably safer
[18:38:53] richard.barnes leaves the room
[18:39:27] <m&m> so nextPrivateSecret() will use "Hello, World!" as the init seed ... and nextLeaf() will use "Good Bye!" as the init seed?
[18:42:45] <dkg> ok, that works for me.
[18:43:19] richard.barnes joins the room
[18:44:02] <dkg> m&m: so you're *not* clamping nextLeaf(), right?
[18:44:08] <m&m> no
[18:44:14] <m&m> it's just an opaque bstr
[18:44:17] <dkg> gotcha
[18:53:52] <JoeHallCDT> ACE and LPWAN are up and then us, I’m going to get up and just talk shit from the slides and say you’re all busy still hacking in the back
[18:54:15] <JoeHallCDT> slides here (SHA1 directory hash is stale):
[18:54:15] <JoeHallCDT> https://josephhall.org/3cb5b4ab91ec5bff8c78da4966c0cb752e0a4be1/hackathon-presentation-MLS.pdf
[18:54:18] JoeHallCDT leaves the room
[18:54:23] JoeHallCDT joins the room
[18:54:31] <dkg> m&m: so the first leaf is GMFLoK6Ifm8wRA5aXPJOJjOjbMrTGhzki+H5psWobRI=
[18:54:32] <m&m> 👍
[18:54:38] JoeHallCDT leaves the room: Replaced by new connection
[18:54:39] JoeHallCDT joins the room
[18:56:21] <m&m> dkg: I've got GMFLoK6Ifm8wRA5aXPJOJjOjbMrTGhzki-H5psWobRI, which is a match
[18:56:29] <dkg> great
[18:56:41] <dkg> so that's Alice's leaf, right?
[18:56:51] <dkg> Bob's leaf will be yQma9d6lOFZk/u6aedNqNSiTxDsI/VRud8Zjl9YHo5o=
[18:57:01] <dkg> and Bob's pubkey is yQma9d6lOFZk/u6aedNqNSiTxDsI/VRud8Zjl9YHo5o=
[18:57:11] <dkg> whoops
[18:57:22] <dkg> Bob's pubkey is CwAEhv2wvb8qzb5Y1+q53Q9S1o5alMT3L0FzhkYHCg0
[18:57:32] <m&m> got it, you're a tad ahead of me now
[19:02:39] JoeHallCDT leaves the room
[19:09:43] JoeHallCDT joins the room
[19:10:05] JoeHallCDT leaves the room: Replaced by new connection
[19:10:06] JoeHallCDT joins the room
[19:16:29] <richard.barnes> I feel like there’s a missed opportunity here -- waiting for go-dots...
[19:16:51] <JoeHallCDT> hahaha
[19:23:55] JoeHallCDT leaves the room
[19:24:23] <m&m> dkg: what do you have for alice's pubkey?
[19:27:23] <dkg> Alice's pubkey is  6K93Bd50p7K/qnWGc6XMBOU4vbkESZhmIT9Axmch9ik=
[19:27:28] <dkg> m&m: ↑
[19:28:32] <m&m> ok
[19:28:41] <dkg> so i'm realizing that there are several more ephemeral DH private keys needed besides the leaf private keys during an update, and again there is no required ordering
[19:30:34] <m&m> the other ephemeral DH keys are for the KEM, though, right?
[19:30:46] <dkg> right
[19:35:38] richard.barnes leaves the room
[19:48:14] richard.barnes joins the room
[19:55:29] richard.barnes leaves the room
[20:14:18] nat leaves the room: Machine going to sleep
[20:21:44] <dkg> here is a public key, curve25519 b64-encoded: bQuvKcNFG8y5AyrHKKnXIfbQZ7nVNA+XnDXgAAaYGD8=  -- i invite anyone to send me a "groupadd" invite that i can parse.
[20:22:49] m&m leaves the room: Disconnected: No route to host
[20:28:21] mapcar leaves the room
[20:42:17] mapcar joins the room
[21:26:25] jmillican@outer-planes.net joins the room
[21:54:45] <jmillican@outer-planes.net> dkg: {"encrypted_seeds":[{"ciphertext":"R7d33I0g7xDpPsrD1meNCIVQMux6l4RxzC7wIcSOiTppNzgYPQTZH6vdvH+QFt3F","nonce":"WqgFKTw383LN6kVI","pubKey":"oOLGfUWswT3MHaM+lK8o+rw2+5HOU5TTpN1UwDzSlUI="},{"ciphertext":"JeB+Ovx/sUmgl4jdFmFxKazjw7BzCG8+oForFJfAZyHl6198HhV3Bu6lvEkJsvRz","nonce":"0NfMknKodWQc78ID","pubKey":"6EtCxZ8Efp499bdsHXaIAvrKKSYrJ0I70B869qw42SY="}],"tree_pre_add":{"pubKey":"HEchjqpOswGgafV4wRaM3czQ/L83WWYiZTIYiQxQ61o="},"new_path_public_keys":["4NqmkQsc1AYOBZyC6m13KbmViEjdPDCjzjjxO1Kdkwk=","SQy/JSvPtmIz4AqxUqA2QgbmWSjrmFXqxK7FHJs2LAk="]}
[21:55:32] <jmillican@outer-planes.net> All of my arrays are from root to leaf, rather than leaf to root. Turns out this is pretty silly, because I'm always iterating it backwards, but it's something to work with
[21:56:03] <jmillican@outer-planes.net> tree_pre_add encodes a nested tree structure. Currently just one leaf
[21:56:26] <jmillican@outer-planes.net> Think the rest is fairly self-explanatory
[21:56:41] <jmillican@outer-planes.net> The private key at the root after this is 54p6lU4pRTDIa7Nqg43Ck/YMtOfxODc4kCjop0bfOYE=
[21:58:42] jmillican@outer-planes.net leaves the room
[22:00:53] m&m joins the room
[22:03:43] m&m joins the room
[22:05:27] jmillican@outer-planes.net joins the room
[22:11:21] <jmillican@outer-planes.net> Note that the derivation process for everything here is sha256… which is sketchy, but compatible with what's going on in JS at the moment
[22:19:18] m&m leaves the room: Disconnected: closed
[22:24:16] Dave Cridland joins the room
[22:34:54] Dave Cridland leaves the room
[22:35:59] jmillican@outer-planes.net leaves the room: Disconnected: closed
[22:39:21] dkg leaves the room
[23:06:40] m&m leaves the room: Disconnected: No route to host
[23:27:27] jmillican@outer-planes.net joins the room
[23:27:45] jmillican@outer-planes.net leaves the room