IETF Logo Mail Archive

Re: [Masque] Encrypting between client and proxy

David Schinazi <dschinazi.ietf@gmail.com> Fri, 30 June 2023 00:09 UTC

Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30C5EC14CE4F for <masque@ietfa.amsl.com>; Thu, 29 Jun 2023 17:09:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TyfX0076jCwm for <masque@ietfa.amsl.com>; Thu, 29 Jun 2023 17:09:06 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B965C14E515 for <masque@ietf.org>; Thu, 29 Jun 2023 17:09:06 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id 4fb4d7f45d1cf-51d91e9b533so1412517a12.3 for <masque@ietf.org>; Thu, 29 Jun 2023 17:09:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1688083744; x=1690675744; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=quNqvt1UHf56fpMlv3zobMfl7lqmum/Z0Tmh5nRM4xI=; b=BRxvQCRcPSdKsHeVuVhphH8C5H2E7S6PY2oKijWdtKjcN5MsjzhMSTfm0n5+w4VGRY vleMITBLGgIGKM1NNG/HxpGRJY93TxdQUPh8ncEciiy9O/4rNEWq3gdXybE/K9jB9n8s xx3EMOmsEtJGZDDQF3em6yZoxxIjm86YTKVywvQgzPSUMj2PjyQJLVZt+IpgrclZA6Gc MsXZA+waOKdRmtxJ+ZcSKqdnpH3ZE11gTfPX1GGBo9+tAPuD9i6MOEHXZ2SBhedMh3kE I8pn0oGbQl6+kJFi+tGYei1HChGjT590W1bGGFTLNXPX+CrnR0XTzAeTnvOK/Af3LZno sk6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688083744; x=1690675744; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=quNqvt1UHf56fpMlv3zobMfl7lqmum/Z0Tmh5nRM4xI=; b=joYoHQkg54dx10MItUrgIjvdup5GcUToEPBGjd5+ub/sMAmm+YHqcqE8Q7ZJ8vhxkZ pLuD1BlW1tv/hdNOTHb/cQLdJfrvz7F2vJsz58wd1uZOcqRUtS/rj5RQ2WAChbx56bzD pS2z0k3ieEuh3lK3dsR67H2ihhqD9faHLsaTLg7Jw0y0IM5iQgCxmrAzUKABaW35yZQq X8x1QiMdaYMagwQ9O0cH5BnxgPBNbZ0A1xl1mlsCEsxlfsFxZhhAjYX2KXu0v659nKMr 9deh6LI6whxl3tDXfIxkwhCMwxXNZrkCaVQiaZqijTGpgyGJ8V30sq7TbWPYS4xO17kl 7xFA==
X-Gm-Message-State: ABy/qLZmou9sR69vVH60uLuu0d5L/m79UC3S5djR+SqHgtnQE4LmoWl/ UsUGD7Qc1o7cEW3M3I/yChzKYwqegesZTVAT8t4qixGqfdA=
X-Google-Smtp-Source: APBJJlHkOoBtkd/RfGhatVBHANhci9PK3jKy0z+J+Pp9OncL8qrjvPzL8YezR+6E1HvWnh4vdVrf/4vzkV/gPSqS+OY=
X-Received: by 2002:aa7:d04d:0:b0:51d:91ef:c836 with SMTP id n13-20020aa7d04d000000b0051d91efc836mr432173edo.32.1688083743629; Thu, 29 Jun 2023 17:09:03 -0700 (PDT)
MIME-Version: 1.0
References: <8e6fb1e1-6454-4706-a61a-53be58acaa61@betaapp.fastmail.com> <CAHbrMsCj2KHcQJFZdKr2DGUQDFSLLE6rK7CSqOUZ2ALNCrLAEQ@mail.gmail.com> <CAHbWFkRv_z8FP8f9LcARQbXp1Q9x3KvkAuz075HLeo5BytybWA@mail.gmail.com> <9CF39321-CB56-45AA-AF52-3E03AC8D4B2A@apple.com>
In-Reply-To: <9CF39321-CB56-45AA-AF52-3E03AC8D4B2A@apple.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Thu, 29 Jun 2023 17:08:52 -0700
Message-ID: <CAPDSy+4i5mnKyHK8Emo_frq2+m+nkAzpG1GkHBs+NH9f+GdUyQ@mail.gmail.com>
To: masque@ietf.org
Cc: Martin Thomson <mt@lowentropy.net>, Eric Rosenberg <eric_rosenberg@apple.com>, Alex Chernyakhovsky <achernya@google.com>, Benjamin Schwartz <ietf@bemasc.net>, Tommy Pauly <tpauly@apple.com>
Content-Type: multipart/alternative; boundary="000000000000e3e3a405ff4d9f47"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/SA54VekOqaTNScayzt0rd2PK_os>
Subject: Re: [Masque] Encrypting between client and proxy
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jun 2023 00:09:10 -0000

Resurrecting this thread as we prepare to discuss this at IETF 117.

I was thinking about MT's proposal using AES-CTR above and I think we can
make this work. The main concern was for short packets but I'm not too
worried, I have a proposal below that could resolve it. To recap the issue,
we need to run two passes of a header-protection-like algorithm that both
need a sample that can be fed to AES-CTR as IV. In an ideal world, AES-CTR
expects a 16-byte IV, which is the sample size we use for header
protection. We can however use a smaller sample - the risk is that this
increases the risk of collision, and if there is a collision then an
attacker can XOR two ciphertexts to get the XOR of two plaintexts.

The important first point is that this attack isn't horrible: our
plaintexts are encrypted with regular encryption so learning the XOR of two
plaintexts provides limited information. Second, for the attacker to pull
off this attack, they need to know that there is a collision. We can use
our two-pass design to our advantage here. Let's say we do the weaker
sample on the inside and the stronger one on the outside. In other words,
we reduce the size of the first sample to min(16,
protected_payload.length() - 16). We then only use the first sample to
encrypt the last 16 bytes of the packet. Those bytes then become our sample
to encrypt everything else. That way, if there's a collision on the first
sample, an attacker won't notice it because the first sample will be itself
encrypted.

Regarding the keying material, I'd suggest generating two new keys k1 and
k2 per connection and then using them regardless of which CID is in use,
and just place those keys in the CID entry next to the VCID.

When we discussed this at 116 we thought it might be worth forming a design
team on this topic. I propose we ask this question formally at 117 if the
adoption call looks positive.

David

On Wed, Nov 16, 2022 at 11:16 AM Eric Rosenberg <eric_rosenberg=
40apple.com@dmarc.ietf.org> wrote:

> The two main advantages from forwarding mode are avoiding cumulative MTU
> loss and making it easy for the proxy to skip parts of the send and receive
> path. If we can employ per-hop encryption for forwarded mode packets in a
> way that doesn’t suffer from cumulative MTU loss, that sounds like a pretty
> compelling way to solve the “I want to chain many proxies” problem while
> removing the “observers on both sides of the proxy” caveat that’s included
> in the current draft’s security considerations.
>
> Assuming encryption can be done in a way that doesn’t incur cumulative MTU
> loss, it’s worth considering how it affects the efficiency of
> implementations. Taking our current implementation as an example, we’ve
> opted to perform all forwarding at Linux’s XDP hook with an eBPF program.
> This allows us to run a custom program for each packet we receive. In this
> program, we only actually need to process up to the QUIC packet header in
> order to perform a rewrite and immediately send the packet out. How this
> program is actually executed is dependent on the network card and driver,
> but it can avoid copies, be executed before the Linux networking stack, and
> even be completely offloaded to the NIC. The numbers presented were not
> from full NIC offload, but rather “Native XDP” where the program runs on
> the main CPU, but may take advantage of direct memory access, avoid copies,
> etc.). Continuing with our implementation as an example, introducing
> encryption would likely require APIs (bpf helper functions) that aren’t
> available from mainline Linux kernels. We would likely have to patch our
> kernel to expose cryptographic operations to eBPF programs or we’d have to
> bring our forwarding implementation into userspace - both of which seem
> possible, but not something we’ve explored and it’s hard to say what the
> impact on performance/efficiency would be without testing. When considering
> full NIC offload, I wonder if network cards are less likely to expose
> cryptographic operations than they are to expose the very basic packet
> inspection and byte replacement for header rewriting required by the
> non-encrypting approach.
>
> Thanks,
> Eric
>
> On Nov 16, 2022, at 2:18 AM, Alex Chernyakhovsky <
> achernya=40google.com@dmarc.ietf.org> wrote:
>
>
>
> On Tue, Nov 15, 2022 at 8:57 PM Ben Schwartz <bemasc=
> 40google.com@dmarc.ietf.org> wrote:
>
>> On Tue, Nov 15, 2022 at 6:44 PM Martin Thomson <mt@lowentropy.net> wrote:
>> ...
>>
>>> The protected payload is high entropy, being comprised of ciphertext and
>>> is anywhere from 20 to 65506 bytes.  This payload can be split into two,
>>> with a 12 byte sample being used as a nonce for AES-CTR.  The remainder of
>>> the payload, plus part of the first byte, could then be protecting using
>>> AES-CTR.  The remaining 8+ bytes could again be sampled again as a nonce to
>>> protect the first sample.
>>>
>>
>> The thing you are looking for is called a Pseudo-Random Permutation [1].
>> I would encourage you to use HCTR2 [2].  (I learned a bit about these while
>> working on [3].)
>>
>> [1] https://en.wikipedia.org/wiki/Pseudorandom_permutation
>> [2] https://github.com/google/hctr2
>> [3] https://datatracker.ietf.org/doc/draft-cpbs-pseudorandom-ctls/
>>
>> ...
>>
>>> [1] A few people have noted that timing tends to be a dead giveaway
>>> here, as does packet size.  I have some ideas about how that might be
>>> managed, but let's start with the basics.
>>>
>> I think enough of our threat model has to consider side-channels like
> packet size as out of scope (although I believe we do have the opportunity
> to add chaff to less-than-MTU packets); we can certainly do something about
> timing analysis. I would expect most interesting deployments of such a
> proxy to be very high throughput which would mean some amount of artificial
> queuing and mixing would go a long way towards increasing the search space
> for correlation.
>
>>
>> Personally, I think this is probably fatal, so the encryption is not
>> really buying you anything.   However, I would still support adding
>> encryption here, at least optionally, for the sake of making the attacker's
>> job a bit harder.  It's not the easiest thing to specify in a threat model,
>> but there is a real difference between "instant undeniable confirmation"
>> and "strong statistical inference" for an attacker.
>>
> I am similarly in favor of trying to protect the packet further, but my
> understanding from the presentation at the session was that a lot of the
> CPU wins came from NIC offloads. If we end up hitting the host CPU to do
> the decryption, we should compare the implementation to the full
> CONNECT-UDP tunneling mode and see if it's worthwhile.
>
>>
>> ...
>> --
>> Masque mailing list
>> Masque@ietf.org
>> https://www.ietf.org/mailman/listinfo/masque
>>
> --
> Masque mailing list
> Masque@ietf.org
> https://www.ietf.org/mailman/listinfo/masque
>
>
> --
> Masque mailing list
> Masque@ietf.org
> https://www.ietf.org/mailman/listinfo/masque
>

v2.23.0 | Report a Bug | By Email