Skip to content

Commit

Permalink
Relocate encryption at rest recommendation (#226)
Browse files Browse the repository at this point in the history
  • Loading branch information
beurdouche committed Jan 19, 2024
1 parent 43b4ef9 commit 1cace28
Showing 1 changed file with 25 additions and 6 deletions.
31 changes: 25 additions & 6 deletions draft-ietf-mls-architecture.md
Original file line number Diff line number Diff line change
Expand Up @@ -1696,6 +1696,27 @@ Similar concerns exist in the peer-to-peer use cases of MLS.
More generally, using anonymous credentials in an MLS based architecture might
not be enough to provide strong privacy or anonymity properties.

#### Storage of Metadata and Ecryption at rest on the Servers

In the case where private data or metadata has to be persisted on the servers
for functionality (mappings between identities and push tokens, group
metadata...), it should be stored encrypted at rest and only decrypted upon need
during the execution. Honest Service Providers can rely on such encryption at
rest mechanism to be able to prevent access to the data when not using it.

> **RECOMMENDATION:** Store cryptographic material used for server-side
> decryption of sensitive meta-data on the clients and only send it when needed.
> The server can use the secret to open and update encrypted data containers
> after which they can delete these keys until the next time they need it, in
> which case those can be provided by the client.

> **RECOMMENDATION:** Rely on group secrets exported from the MLS session for
> server-side encryption at rest and update the key after each removal from the
> group. Rotate those keys on a regular basis otherwise.

In the future, it is expected that servers can rely on fully homomorphic
encryption to rotate the ciphertexts without opening these encrypted containers.

### Delivery Service Compromise

MLS is intended to provide strong guarantees in the face of compromise of the
Expand Down Expand Up @@ -1766,6 +1787,9 @@ account, a credit card or other information.
> to the Delivery Service without the need of a dedicated push notification
> infrastructure.

Applications can also consider anonymous systems for server fanout (for
example {{Loopix}}).

### Authentication Service Compromise {#as-compromise}

The Authentication Service design is left to the infrastructure designers. In
Expand Down Expand Up @@ -1869,12 +1893,7 @@ membership list is stored on some server associated with the Delivery Service.
While this knowledge is not a breach of the protocol's authentication or
confidentiality guarantees, it is a serious issue for privacy.

> **RECOMMENDATION:** In the case where metadata has to be persisted for
> functionality, it should be stored encrypted at rest and then decrypted during
> the execution. Applications should also consider anonymous systems for server
> fanout (for example {{Loopix}}).

Some infrastructure keeps a mapping between keys used in the MLS protocol and
Some infrastructure keep a mapping between keys used in the MLS protocol and
user identities. An attacker with access to this information due to compromise
or regulation can associate unencrypted group messages (e.g., Commits and
Proposals) with the corresponding user identity.
Expand Down

0 comments on commit 1cace28

Please sign in to comment.