IETF Logo Mail Archive

Re: [dnssd] Confirming consensus from DNSSD Privacy discussion in Bangkok

Christian Huitema <huitema@huitema.net> Thu, 28 February 2019 03:37 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87EC31228B7 for <dnssd@ietfa.amsl.com>; Wed, 27 Feb 2019 19:37:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ycizUTt6zQIb for <dnssd@ietfa.amsl.com>; Wed, 27 Feb 2019 19:37:55 -0800 (PST)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 927991200D7 for <dnssd@ietf.org>; Wed, 27 Feb 2019 19:37:54 -0800 (PST)
Received: from xsmtp03.mail2web.com ([168.144.250.223]) by mx66.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1gzCW7-0009rk-7L for dnssd@ietf.org; Thu, 28 Feb 2019 04:37:52 +0100
Received: from [10.5.2.49] (helo=xmail11.myhosting.com) by xsmtp03.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1gzCVu-0002MD-7U for dnssd@ietf.org; Wed, 27 Feb 2019 22:37:42 -0500
Received: (qmail 17479 invoked from network); 28 Feb 2019 03:37:37 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.56.42.202]) (envelope-sender <huitema@huitema.net>) by xmail11.myhosting.com (qmail-ldap-1.03) with ESMTPA for <dschinazi.ietf@gmail.com>; 28 Feb 2019 03:37:37 -0000
To: Christopher Wood <christopherwood07@gmail.com>
Cc: Bob Bradley <bradley@apple.com>, DNSSD <dnssd@ietf.org>, David Schinazi <dschinazi.ietf@gmail.com>
References: <CAPDSy+6YyW_G7uwfwGPv1KLtJqL96dZ87R-5pnmmffEEniTigg@mail.gmail.com> <47A82E32-32B9-476F-AB79-76C8D182624F@apple.com> <CAO8oSXkGAErtKQgMGGT+88PY4Y+wJ_6Rz493exaymZ_L8F4FNg@mail.gmail.com> <CAPDSy+68V=rx8cAbVq6rKxNbb9yHisCCPURwHoLKsA179NooLw@mail.gmail.com> <e9b4900d-94e3-c79a-2a72-e2f996663b9d@huitema.net> <CAPDSy+4d27SQCStGzPpzzv=pjGiCM+0df988BesRGHdV_vvteA@mail.gmail.com> <CAO8oSXnXre29hjbNCZ1N7b8VBRMubS1yO5_XXr7VY2yxzNAWGw@mail.gmail.com> <1fc0ba86-2619-6efb-5e89-aa0a025c998e@huitema.net> <CAO8oSX=rWYxkKq0H5dEJDKq_Hs3tH2gqSxQ-Cr_SaHDPkrvvCA@mail.gmail.com> <CAO8oSXkfszNXUT6gr1G2OEWgJXe-cX_S4yAJmLm5sUqN0SQ54w@mail.gmail.com> <CAPDSy+7UvYdNOeYZg-R2b+eXuvGNMguXDWtkKgotVpLP5YPk4g@mail.gmail.com> <3d4d353e-5cb5-e35f-fc31-db819b4b2506@huitema.net> <CAO8oSX=9Fi60GigVWgCRkLXxwgF8aD1BveVNicz6_m5S-MQnYg@mail.gmail.com> <867b0844-ddf2-a7d1-4b3c-166fb4770e2d@huitema.net> <CAO8oSXmKwA6yE3A_OczjCBSvLwm1jqT3dEDNGzAB88ZM785+CQ@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Openpgp: preference=signencrypt
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mQENBFIRX8gBCAC26usy/Ya38IqaLBSu33vKD6hP5Yw390XsWLaAZTeQR64OJEkoOdXpvcOS HWfMIlD5s5+oHfLe8jjmErFAXYJ8yytPj1fD2OdSKAe1TccUBiOXT8wdVxSr5d0alExVv/LO I/vA2aU1TwOkVHKSapD7j8/HZBrqIWRrXUSj2f5n9tY2nJzG9KRzSG0giaJWBfUFiGb4lvsy IaCaIU0YpfkDDk6PtK5YYzuCeF0B+O7N9LhDu/foUUc4MNq4K3EKDPb2FL1Hrv0XHpkXeMRZ olpH8SUFUJbmi+zYRuUgcXgMZRmZFL1tu6z9h6gY4/KPyF9aYot6zG28Qk/BFQRtj7V1ABEB AAG0J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PokBOQQTAQIAIwUC UhFfyAIbLwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEJNDCbJVyA1yhbYH/1ud6x6m VqGIp0JcZUfSQO8w+TjugqxCyGNn+w/6Qb5O/xENxNQ4HaMQ5uSRK9n8WKKDDRSzwZ4syKKf wbkfj05vgFxrjCynVbm1zs2X2aGXh+PxPL/WHUaxzEP7KjYbLtCUZDRzOOrm+0LMktngT/k3 6+EZoLEM52hwwpIAzJoscyEz7QfqMOZtFm6xQnlvDQeIrHx0KUvwo/vgDLK3SuruG1CSHcR0 D24kEEUa044AIUKBS3b0b8AR7f6mP2NcnLpdsibtpabi9BzqAidcY/EjTaoea46HXALk/eJd 6OLkLE6UQe1PPzQC4jB7rErX2BxnSkHDw50xMgLRcl5/b1a5AQ0EUhFfyAEIAKp7Cp8lqKTV CC9QiAf6QTIjW+lie5J44Ad++0k8gRgANZVWubQuCQ71gxDWLtxYfFkEXjG4TXV/MUtnOliG 5rc2E+ih6Dg61Y5PQakm9OwPIsOx+2R+iSW325ngln2UQrVPgloO83QiUoi7mBJPbcHlxkhZ bd3+EjFxSLIQogt29sTcg2oSh4oljUpz5niTt69IOfZx21kf29NfDE+Iw56gfrxI2ywZbu5o G+d0ZSp0lsovygpk4jK04fDTq0vxjEU5HjPcsXC4CSZdq5E2DrF4nOh1UHkHzeaXdYR2Bn1Y wTePfaHBFlvQzI+Li/Q6AD/uxbTM0vIcsUxrv3MNHCUAEQEAAYkCPgQYAQIACQUCUhFfyAIb LgEpCRCTQwmyVcgNcsBdIAQZAQIABgUCUhFfyAAKCRC22tOSFDh1UOlBB/94RsCJepNvmi/c YiNmMnm0mKb6vjv43OsHkqrrCqJSfo95KHyl5Up4JEp8tiJMyYT2mp4IsirZHxz/5lqkw9Az tcGAF3GlFsj++xTyD07DXlNeddwTKlqPRi/b8sppjtWur6Pm+wnAHp0mQ7GidhxHccFCl65w uT7S/ocb1MjrTgnAMiz+x87d48n1UJ7yIdI41Wpg2XFZiA9xPBiDuuoPwFj14/nK0elV5Dvq 4/HVgfurb4+fd74PV/CC/dmd7hg0ZRlgnB5rFUcFO7ywb7/TvICIIaLWcI42OJDSZjZ/MAzz BeXm263lHh+kFxkh2LxEHnQGHCHGpTYyi4Z3dv03HtkH/1SI8joQMQq00Bv+RdEbJXfEExrT u4gtdZAihwvy97OPA2nCdTAHm/phkzryMeOaOztI4PS8u2Ce5lUB6P/HcGtK/038KdX5MYST Fn8KUDt4o29bkv0CUXwDzS3oTzPNtGdryBkRMc9b+yn9+AdwFEH4auhiTQXPMnl0+G3nhKr7 jvzVFJCRif3OAhEm4vmBNDE3uuaXFQnbK56GJrnqVN+KX5Z3M7X3fA8UcVCGOEHXRP/aubiw Ngawj0V9x+43kUapFp+nF69R53UI65YtJ95ec4PTO/Edvap8h1UbdEOc4+TiYwY1TBuIKltY 1cnrjgAWUh/Ucvr++/KbD9tD6C8=
Message-ID: <eb11a426-fcf5-7e62-6b40-82f5218e1d47@huitema.net>
Date: Wed, 27 Feb 2019 19:37:37 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <CAO8oSXmKwA6yE3A_OczjCBSvLwm1jqT3dEDNGzAB88ZM785+CQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------671F79F6F9BDC0F42E3A589C"
Content-Language: en-US
X-Originating-IP: 168.144.250.223
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: ham
X-Spampanel-Outgoing-Evidence: Combined (0.10)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5vL9OnC1XzLSFwdx3nB8jhF602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx q3u0UDjvOzXMPpKBnlzcICbdbWbUSKtVjyn5UrUp4n4yKOOaq9AxOnkTkhhZZhB0eCrfQ/1+s1Dj fzzJ6O8jiVhZi+WiYeCsScX6I9Dl5i6VrUM1b/j5CwBCT9sIkLmxDvdn5Y/nzU5EpHPznVavQp4h 1cyzxbRC4xvs/7iGgDKhZ45D5vihvZAdx4vjUFLh0kXGIOazxFpgLxqZUFZdwbOLffZB9SIbeA2G NaAif0QyGEAJd8kel+zffa+S3paXsykGResyE7dAzbZabvf4+eAvvSn0D5YzxzA4C4+ILjmdkQoL 6F7cCSavQBrPoagEXfZ210Cx8bwqyT5p50x81ZKcmzCu2U1l0pLLr6Q2GfeLeJGF+80DrsibCyBr x+YtCB8oetqRijWKtLT9WR57oxUvRixjadcobnduoQv5Sp6y3SmK1n5SK/lIPtlUiBhTzlv5XU8Y E2iH1Wgh6RAenBR+licROGYpdSSwoNX/JQLuoQOg/Yb9zrQYrb8D2DW+FmTFNdXGYC+bZYWuu2OL SW53AXMPyanFVfV8YwbQTud2ndj194c9/49qryIYbFFBOkVCXXzvNuW3bv1nPfn3AWXq7M22DtZ0 Dg9K+vwGh2YhLXUzLTJYs7W549ydvqZDiFMXDyPJeB7HlN2YA3iyCV6axofC5fnozswVgmo2tH4W 8yU3FuMq4xOBkoeSzFd1sgtMF/3XfUzMKSdupn/1sw8PhB4z0FQ8CVsONrMJuGzuoGnKTKcyyDl+ Iey4xwZiQVVdRpyDl1sLFxHj6kXIGqVk7wwMysWf3MLbn7l3g+Lh7r9C5nLMpdrjtWjWoVN8YHT+ snsrp0y2ZS50wJ+lQ+LaxBNJUp6t2ykfuEOAy+YBuZa3mFPXkVWClPVvbW5lVyQanRxw5p2JYH/6 BohvTRmOq56pXi2xVeaE7wHMAOKzNxZH1vP9C0T1BLTNamueI0y1oJZKcQ==
X-Report-Abuse-To: spam@quarantine9.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/G27p2ix4AQrZnEPw3zRf7NVjmSE>
Subject: Re: [dnssd] Confirming consensus from DNSSD Privacy discussion in Bangkok
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 03:37:58 -0000

On 2/27/2019 6:04 PM, Christopher Wood wrote:
>
>
> On Wed, Feb 27, 2019 at 5:58 PM Christian Huitema <huitema@huitema.net
> <mailto:huitema@huitema.net>> wrote:
>
>
>     On 2/27/2019 5:40 PM, Christopher Wood wrote:
>>     On Wed, Feb 27, 2019 at 5:37 PM Christian Huitema <huitema@huitema.net> <mailto:huitema@huitema.net> wrote:
>>>     On 2/27/2019 4:48 PM, David Schinazi wrote:
>>>
>>>     <chair hat off>
>>>     Given that our main target is local networks, I personally believe spending an extra round trip to prevent dictionary attacks sounds worth it.
>>>
>>>     I am thinking of using the ESNI extension, or developing a very similar extension specifically for the purpose of private discovery. The ESNI extension format is defined in https://datatracker.ietf.org/doc/draft-ietf-tls-esni/?include_text=1 as:
>>>
>>>           struct {
>>>               CipherSuite suite;
>>>               KeyShareEntry key_share;
>>>               opaque record_digest<0..2^^16 -1>;
>>>               opaque encrypted_sni<0..2^^16 -1>;
>>>           } ClientEncryptedSNI;
>>>
>>>     The service name is encrypted, but we would have to do something to not reveal the hash of the key in the "record digest".
>>     This seems to highlight my main reservation about the 1-RTT approach.
>>     I think we ought not to complicate things and just pay the round trip.
>
>     My priority there is not the 1 RTT design, but rather the
>     integration with TLS. I don't like coming up with a new crypto
>     protocol, even when using well known patterns.
>
>
> That’s a fair concern. Note that I’m not advocating for something
> that’s not TLS. I’m simply advocating for something that’s not one stage.
>
>     As for the complication, the only requirement is to omit the
>     record_digest, or redefine it to include a nonce. Apart from that,
>     the prototype can just reuse the existing code.
>
>
> The record digest is required to prevent downgrade attacks in the
> normal ESNI case. Depending on how the keys are installed, it may be
> fine to omit here. 
>
> Can you please be specific for how you expect this optional nonce to
> work? It would help this discussion, I think.

In the ESNI design, the digest is used to verify that the client is
using the published keys and algorithms. We are concerned that DNS
spoofing could enable a downgrade attack, e.g. using an old key now
deemed insecure, or using the same key but with downgraded parameters.
The digest protects the integrity of the transmission between DNS server
and client. Since we don't plan using the DNS, we do not really have
that concern.

In the discussions in Bangkok, we mentioned a "hint", so servers could
rapidly discard requests that are "not for me". In the old proposal, the
nonce was the truncated 64 bit Unix time -- setting the 5 least
significant bits to zero -- and the proof was a hash of the 7 bytes and
the shared secret -- in our case, that would be the public key of the
server. The nonce only changes every 30 seconds or so. Servers have to
compute that proof only once every 30 seconds, which limits the
potential for DOS attacks.

The clients compute the nonce before sending the message. The server
evaluate first whether the nonce has the right format, starts with the
truncated current time plus or minus some estimate of clock drift. If
that passes, the server compares to the pre-computed proof, or compute
it if the clock is in a new interval. If that passes, the server
processes with ESNI decryption, and verifies that the service name is
what it expects.

Of course, we could assume that the discovery key is passed to the peer
in exactly the same format as ESNI:

    struct {
        uint8 checksum[4];
        KeyShareEntry keys<4..2^16-1>;
        CipherSuite cipher_suites<2..2^16-2>;
        uint16 padded_length;
        uint64 not_before;
        uint64 not_after;
        Extension extensions<0..2^16-1>;
    } ESNIKeys;

Hashing that with the nonce will alleviate concerns about clients using
the wrong cipher suite, or the wrong padding length.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email