Summary
A bug in the OpenMLS library prevented private key material from being updated in storage during message processing. The key material in question are the keys stored in the MLS secret tree, which are used for decryption of private MLS messages. The effects of the bug are limited in scope, but can affect forward secrecy and limit how many messages can be decrypted.
Technical details
Scope
The scope of the bug is limited to private messages (application and handshake messages) received in groups. Furthermore, the scope is limited to one epoch and the effects are reset with each epoch transition, or through consecutive group operations without reloading group state in between.
Functional impact
Within each epoch of a group, there is a maximum number of private messages per sender that can be skipped before an error is thrown. The number of messages is set through maximum_forward_distance in the SenderRatchetConfiguration and the default value is 1000. The bug causes the library to think that private messages have been processed, even when that's not the case. This can cause an error to be returned during message processing.
Security impact
This bug can be exploited only if an adversary gains access to the client’s state. The risk for exploitation is thus relatively low in typical use cases.
The bug can be exploited to decrypt more messages than intended by the client. The number of additional messages that can be decrypted is limited to the number of messages that can be skipped, which is maximum_forward_distance. This means that if an adversary gains access to a client’s state, they can decrypt up to maximum_forward_distance additional messages per sender in the current epoch. This affects forward secrecy, as messages that were previously considered secure can be decrypted.
OpenMLS otherwise deletes message encryption keys as soon as an epoch ends if not otherwise configured via the max_past_epochs setting. This is still the case even in vulnerable versions.
Affected versions
Vulnerable: all versions up to and including version 0.7.0
Not vulnerable: all versions greater than and including version 0.7.1 (see below for security after upgrading from a vulnerable version to a secure one)
Mitigation
Message encryption secrets are deleted when a commit is merged, i.e. when the group transitions to the next epoch. If the client is not configured to retain message secrets for past epochs, messages decrypted in past epochs are thus secure. If past message secrets are retained, messages decrypted in past epochs are secure as soon as the relevant epoch leaves the retention window. Increasing update/commit frequency can thus help keep the window for compromise low.
Another way to mitigate the effect is to create a private message (application or handshake message) for each sender of previously received messages. It is important to do that with the same MlsGroup object, withpout reloading it from storage in between. This will ensure that the message encryption keys are updated correctly.
Security post-patch
Since the bug affects persisted state, patching by itself strictly speaking doesn’t solve the issue. State written prior to patching is still vulnerable. An affected client is fully healed from the effects of this bug as soon as it either enters the next epoch (by merging a commit), or, if message encryption key retention is configured, by advancing sufficiently many epochs for pre-patch epoch state to drop out of the retention window.
Additionally, the client is healed even before the next epoch, if it processes enough messages s.t. any messages decrypted pre-patch fall out of the window for out-of-order tolerance. This is 5 by default, but can be configured to an arbitrary number using the sender_ratchet_configuration setting during group creation.
Acknowledgements
We would like to thank Ege Erdogan and Fatih Ergin for reporting this issue.
References
erdoganege Finder
fatihergin Reporter
Summary
A bug in the OpenMLS library prevented private key material from being updated in storage during message processing. The key material in question are the keys stored in the MLS secret tree, which are used for decryption of private MLS messages. The effects of the bug are limited in scope, but can affect forward secrecy and limit how many messages can be decrypted.
Technical details
Scope
The scope of the bug is limited to private messages (application and handshake messages) received in groups. Furthermore, the scope is limited to one epoch and the effects are reset with each epoch transition, or through consecutive group operations without reloading group state in between.
Functional impact
Within each epoch of a group, there is a maximum number of private messages per sender that can be skipped before an error is thrown. The number of messages is set through maximum_forward_distance in the SenderRatchetConfiguration and the default value is 1000. The bug causes the library to think that private messages have been processed, even when that's not the case. This can cause an error to be returned during message processing.
Security impact
This bug can be exploited only if an adversary gains access to the client’s state. The risk for exploitation is thus relatively low in typical use cases.
The bug can be exploited to decrypt more messages than intended by the client. The number of additional messages that can be decrypted is limited to the number of messages that can be skipped, which is maximum_forward_distance. This means that if an adversary gains access to a client’s state, they can decrypt up to maximum_forward_distance additional messages per sender in the current epoch. This affects forward secrecy, as messages that were previously considered secure can be decrypted.
OpenMLS otherwise deletes message encryption keys as soon as an epoch ends if not otherwise configured via the
max_past_epochssetting. This is still the case even in vulnerable versions.Affected versions
Vulnerable: all versions up to and including version 0.7.0
Not vulnerable: all versions greater than and including version 0.7.1 (see below for security after upgrading from a vulnerable version to a secure one)
Mitigation
Message encryption secrets are deleted when a commit is merged, i.e. when the group transitions to the next epoch. If the client is not configured to retain message secrets for past epochs, messages decrypted in past epochs are thus secure. If past message secrets are retained, messages decrypted in past epochs are secure as soon as the relevant epoch leaves the retention window. Increasing update/commit frequency can thus help keep the window for compromise low.
Another way to mitigate the effect is to create a private message (application or handshake message) for each sender of previously received messages. It is important to do that with the same MlsGroup object, withpout reloading it from storage in between. This will ensure that the message encryption keys are updated correctly.
Security post-patch
Since the bug affects persisted state, patching by itself strictly speaking doesn’t solve the issue. State written prior to patching is still vulnerable. An affected client is fully healed from the effects of this bug as soon as it either enters the next epoch (by merging a commit), or, if message encryption key retention is configured, by advancing sufficiently many epochs for pre-patch epoch state to drop out of the retention window.
Additionally, the client is healed even before the next epoch, if it processes enough messages s.t. any messages decrypted pre-patch fall out of the window for out-of-order tolerance. This is 5 by default, but can be configured to an arbitrary number using the
sender_ratchet_configurationsetting during group creation.Acknowledgements
We would like to thank Ege Erdogan and Fatih Ergin for reporting this issue.
References