Re: [Masque] Encrypting between client and proxy
Alex Chernyakhovsky <achernya@google.com> Wed, 16 November 2022 10:18 UTC
Return-Path: <achernya@google.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5CA0C152716 for <masque@ietfa.amsl.com>; Wed, 16 Nov 2022 02:18:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -22.596
X-Spam-Level:
X-Spam-Status: No, score=-22.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mkEx-op12qyS for <masque@ietfa.amsl.com>; Wed, 16 Nov 2022 02:18:14 -0800 (PST)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC8C9C15270E for <masque@ietf.org>; Wed, 16 Nov 2022 02:18:14 -0800 (PST)
Received: by mail-wm1-x334.google.com with SMTP id ja4-20020a05600c556400b003cf6e77f89cso2773815wmb.0 for <masque@ietf.org>; Wed, 16 Nov 2022 02:18:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=gJrdTTGznwK1nsPx9pk6/s6AUbOboTQCjKa5zWYKqG8=; b=HzJFWA5cj3k4k6G9h1wrib9RWM0iBW3Ej7ZZIasAg5Ks20QixUZwqnT+RBhkHmTCOS 0kcSp3R1s3iRBT2XQQ0jmBXKzrUFdcvRbg+Kqwtr54Moulms5H7cIwzXzGNZEUErh8M6 Sf94MN9f63mi0Kw6PyiNls6YiPEVu22TwjQSd+ZGjZU86uxPmzWygNlg8Hd0T90+zf0y mPRJkexjRuEZFCptO529AXArzBAS/VIBPZ8217ysOC5Ro7iMAKiPGDeK064QknnfehlD vSHr8ekPKkdL2LKDNttpODGpnfQQfaMqtQcBCOaFT2iKHmUdUUuruxxX/13l6JBpdajl Bu0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=gJrdTTGznwK1nsPx9pk6/s6AUbOboTQCjKa5zWYKqG8=; b=DKdtuDHvfbnCvPFQ/mvvJY9WAHjnpfSnGBtQrEyQwfU2BSIvZ8Jui9oxl2LBqKeEkS ZCl3AqgGMbmOIkt93lPT1Kj3X2g02nw5eomRpYPEVM6olRx3UhmiN/IrHDnNdKZeRv6e UF+US7+LI3BuuEUUY2hbbAr1P6coadCXY2hva3Quo+h6hA1W/oSYn2ZRLhu+Jmx7nqhQ MZJiqs+lztL6MIozChaWDkrVUXurQ8yXSGBBYaod9vVqbcA7zaoS8KiVnkK6ixy+th0Y 0G9CR0aw5Llre/wANOHlbJTGNBkgz4wVir9rA+/GEUg3YZA1+S7AQKNIlr4jSg59ENxl /C8w==
X-Gm-Message-State: ANoB5pmEg06FhfLZQCTDp7TkPza4vWwWUWN/wvty+hgx2/JP/CMrY7k+ 2CqIxAPOA0ASBvEneeXJ5FagU6jQeA3SmtT7KXyFsDCbxsRn9iAB
X-Google-Smtp-Source: AA0mqf64h7nUOy/Tdfwsv81Thg8rlZF8hklsap/J19xRqlZ0Y3Ue9668FAy5PFVZvwMEYQF6iaVsgaD6TiHoTrlCbVQ=
X-Received: by 2002:a05:600c:4e0b:b0:3cf:e850:4437 with SMTP id b11-20020a05600c4e0b00b003cfe8504437mr1713450wmq.51.1668593892530; Wed, 16 Nov 2022 02:18:12 -0800 (PST)
MIME-Version: 1.0
References: <8e6fb1e1-6454-4706-a61a-53be58acaa61@betaapp.fastmail.com> <CAHbrMsCj2KHcQJFZdKr2DGUQDFSLLE6rK7CSqOUZ2ALNCrLAEQ@mail.gmail.com>
In-Reply-To: <CAHbrMsCj2KHcQJFZdKr2DGUQDFSLLE6rK7CSqOUZ2ALNCrLAEQ@mail.gmail.com>
From: Alex Chernyakhovsky <achernya@google.com>
Date: Wed, 16 Nov 2022 05:18:00 -0500
Message-ID: <CAHbWFkRv_z8FP8f9LcARQbXp1Q9x3KvkAuz075HLeo5BytybWA@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: Martin Thomson <mt@lowentropy.net>, masque@ietf.org
Content-Type: multipart/alternative; boundary="0000000000003d72b005ed93ca98"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/-fh6mIgkN2xQpnDcPEZxpZiahxg>
Subject: Re: [Masque] Encrypting between client and proxy
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Nov 2022 10:18:18 -0000
On Tue, Nov 15, 2022 at 8:57 PM Ben Schwartz <bemasc= 40google.com@dmarc.ietf.org> wrote: > On Tue, Nov 15, 2022 at 6:44 PM Martin Thomson <mt@lowentropy.net> wrote: > ... > >> The protected payload is high entropy, being comprised of ciphertext and >> is anywhere from 20 to 65506 bytes. This payload can be split into two, >> with a 12 byte sample being used as a nonce for AES-CTR. The remainder of >> the payload, plus part of the first byte, could then be protecting using >> AES-CTR. The remaining 8+ bytes could again be sampled again as a nonce to >> protect the first sample. >> > > The thing you are looking for is called a Pseudo-Random Permutation [1]. > I would encourage you to use HCTR2 [2]. (I learned a bit about these while > working on [3].) > > [1] https://en.wikipedia.org/wiki/Pseudorandom_permutation > [2] https://github.com/google/hctr2 > [3] https://datatracker.ietf.org/doc/draft-cpbs-pseudorandom-ctls/ > > ... > >> [1] A few people have noted that timing tends to be a dead giveaway here, >> as does packet size. I have some ideas about how that might be managed, >> but let's start with the basics. >> > I think enough of our threat model has to consider side-channels like packet size as out of scope (although I believe we do have the opportunity to add chaff to less-than-MTU packets); we can certainly do something about timing analysis. I would expect most interesting deployments of such a proxy to be very high throughput which would mean some amount of artificial queuing and mixing would go a long way towards increasing the search space for correlation. > > Personally, I think this is probably fatal, so the encryption is not > really buying you anything. However, I would still support adding > encryption here, at least optionally, for the sake of making the attacker's > job a bit harder. It's not the easiest thing to specify in a threat model, > but there is a real difference between "instant undeniable confirmation" > and "strong statistical inference" for an attacker. > I am similarly in favor of trying to protect the packet further, but my understanding from the presentation at the session was that a lot of the CPU wins came from NIC offloads. If we end up hitting the host CPU to do the decryption, we should compare the implementation to the full CONNECT-UDP tunneling mode and see if it's worthwhile. > > ... > -- > Masque mailing list > Masque@ietf.org > https://www.ietf.org/mailman/listinfo/masque >
- [Masque] Encrypting between client and proxy Martin Thomson
- Re: [Masque] Encrypting between client and proxy Ben Schwartz
- Re: [Masque] Encrypting between client and proxy Martin Thomson
- Re: [Masque] Encrypting between client and proxy Alex Chernyakhovsky
- Re: [Masque] Encrypting between client and proxy Eric Rosenberg
- Re: [Masque] Encrypting between client and proxy David Schinazi
- Re: [Masque] Encrypting between client and proxy Ben Schwartz
- Re: [Masque] Encrypting between client and proxy David Schinazi