IETF Logo Mail Archive

Re: [dns-privacy] DNS + 0-RTT

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 09 April 2016 18:32 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 797CA12D0FA for <dns-privacy@ietfa.amsl.com>; Sat, 9 Apr 2016 11:32:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uV96dRlfMZDP for <dns-privacy@ietfa.amsl.com>; Sat, 9 Apr 2016 11:32:43 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 916C712D0F4 for <dns-privacy@ietf.org>; Sat, 9 Apr 2016 11:32:43 -0700 (PDT)
Received: from fifthhorseman.net (ool-6c3a0662.static.optonline.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id 6DE9BFED8; Sat, 9 Apr 2016 14:32:39 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 28FAB20712; Sat, 9 Apr 2016 06:58:11 -0300 (BRT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Colm MacCárthaigh <colm@allcosts.net>
In-Reply-To: <CAAF6GDcwGJmrPcFj_o+tCe7PTL5jFj=YZ+2LCgCTVZ=64CpOdA@mail.gmail.com>
References: <5703F0CF.3050306@gmail.com> <87egaidh3y.fsf@alice.fifthhorseman.net> <CAAF6GDcwGJmrPcFj_o+tCe7PTL5jFj=YZ+2LCgCTVZ=64CpOdA@mail.gmail.com>
User-Agent: Notmuch/0.21+124~gbf604e9 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Sat, 09 Apr 2016 06:58:10 -0300
Message-ID: <87vb3rm7d9.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/AbPdULEvY9_1CSFy75fGGgQVTSI>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] DNS + 0-RTT
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Apr 2016 18:32:45 -0000

On Wed 2016-04-06 11:08:55 -0300, Colm MacCárthaigh wrote:
>  On Wed, Apr 6, 2016 at 6:03 AM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>
>  > forward secrecy
>  > ---------------
>  >
>  > IIUC for (b), the failing forward secrecy window is constrained by the
>  > duration of the PSK/session resumption ticket.  That's doesn't seem
>  > particularly worrisome to me for DNS.
>
>  I'd expect many operators to re-use ticket encryption keys for far too
>  long, as we see with HTTPS today, so the effect is that a dns server bug
>  may unlock years of 0RTT data. For DNS, the query is always likely to fit
>  in there.

This would be a good argument against doing any sort of session
resumption, i think, not just 0-RTT.

>  > replay protection
>  > -----------------
>  >
>  > For DNS we don't particularly care about replay attacks initially, but
>  > replayable traffic might have some privacy implications.
>  >
>  > For example, if Mallory can monitor the traffic to and from the DNS
>  > resolver, and a TLS-wrapped DNS request is made that is answered from
>  > the cache, then the attacker has no additional information about what
>  > the answer is.
>  >
>  > But if the request is replayable, Mallory can capture it, and replay it
>  > at different intervals (when parts of the cache might be expired) to try
>  > to coax the recursor to call out to the authoritative resolvers, which
>  > might provide more information about the original query.
>
>  There's a simpler attack too; if the RRSet contains multiple RRs, it's
>  common for resolvers to rotate the order of the RRs in a fixed and
>  predictable order. So you can query a name you suspect was queried, then
>  replay the target query, then query the name again, and confirm your
>  suspicion.

Just to make sure i understand this attack: suppose the rotation of two
RRs returned for a given response goes:

  A,B
  B,A
  A,B
  ...

Then the attacker would query, note the order, replay, then query again.
if the order received each time was the same, it's strongly suggestive
that it was the correct guess.  Is that the proposed attack?

>  This requires only a copy of the target 0RTT section, and access
>  to query the resolver, so a typical wifi scenario would do. Multi-RR
>  responses are very common these days too.

It strikes me that we should discourage privacy-sensitive resolvers from
employing this pattern. though i'm not sure where that documentation
would go or how to write it.  Is there a term for this kind of stateful
response history leakage?

thanks for pointing it out.

         --dkg

v2.23.0 | Report a Bug | By Email