IETF Logo Mail Archive

[Ohai] Regarding PFS

Martin Thomson <mt@lowentropy.net> Tue, 30 January 2024 03:29 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: ohai@ietfa.amsl.com
Delivered-To: ohai@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0157EC15108E for <ohai@ietfa.amsl.com>; Mon, 29 Jan 2024 19:29:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b="t1NJm2am"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="QLQHGrCF"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vXJVJmMSdorU for <ohai@ietfa.amsl.com>; Mon, 29 Jan 2024 19:28:56 -0800 (PST)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 456B0C1654EF for <ohai@ietf.org>; Mon, 29 Jan 2024 19:28:56 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 46C095C0152; Mon, 29 Jan 2024 22:28:55 -0500 (EST)
Received: from imap41 ([10.202.2.91]) by compute6.internal (MEProxy); Mon, 29 Jan 2024 22:28:55 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm1; t=1706585335; x=1706671735; bh=nMg54ucQbb /g6HEmATypAvM/nR3jUtI2jY+zF5KBXc8=; b=t1NJm2am7tKCp7R1oecuMOH/J8 g00r7HLxYN/MAp1pzlUJZrBQUTeo8+WmZXTtVpuhdWJIhW6hlfD34I59sN2u/osi lKAsQWDCqw/OVYiVw1HjE5z3piofWOlTX5Key5SsKH10ajOYkcEvZhvwiXKUncob JYsmbMO1VyR18RvCtG5ebkxs513Xmj0/L93sMw4aF72TUoZQXJsDLbwoz2EOB+dm 3yh05eXX4VimiP19v0eCFG8FyhJVukClYifbstDn6/Z7Xby3l/4sS6CJbVbHEp77 gQqU7Oxw8H711IGrOkC3z1hK9U3oXvsFnjlwyr+5leMjGH/DPJU1cXVnhCXw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; t=1706585335; x=1706671735; bh=nMg54ucQbb/g6HEmATypAvM/nR3j UtI2jY+zF5KBXc8=; b=QLQHGrCFmoA+C0cIXCJapHAKHlYwAYnogLvWBZGkSbyk QONiHHsSUTBCJBgmvTSBdn/klSxw2hGSZXqjv5xWkabFS277YwdJACTwH0Fta7EH BNFyu24a/z4CsEeEnkGsMD+M1/ry/nyiNUH/Hr6jJg3X8g+gf4LFFAUhtBakZqzI 3d3JOGq2WV0Ccb61QlNv8hpS1LRcz6oCTSCn1DIDNHSKNuBiwnsBIqbtQU5ex11b 1V+kdfcvO60WeRFK3tz32bSKaDl7AcWklLF9V1MlXy6KqH/oC/ZbKdLFetjaGThN SxlmyBKFU8y2+69KnFOG1GhOeuuvCCIgfCZI1zDLyg==
X-ME-Sender: <xms:92y4Za3mzZa3pWcrFaiHxGlT7H2yVzS0DfGl-TTDYLAypWHo9iFfdQ> <xme:92y4ZdHBXCioYU5sgdctPgBzc9mcX9espr_g5srqidjqvksppQgezsoqFBQTq4rdS jLWjWmX2W9R577zSyk>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrfedthedgheekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpeekteeuieektdekleefke evhfekffevvdevgfekgfeluefgvdejjeegffeigedtjeenucevlhhushhtvghrufhiiigv pedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvg ht
X-ME-Proxy: <xmx:92y4ZS6krGee7LA2Qdm9p8UDsFSlIzDILz3Pz47iI4JXqV8H02dlVQ> <xmx:92y4Zb2nTsPjOcQ56qSVoLUh6YNq1SeZYLP9fi11Ty0P3FJHzvdm4A> <xmx:92y4ZdH9sJdvJDgC72UhjTIcyOhmC5eXkLIpoVT81lcjyJf69OwcTg> <xmx:92y4Zcz9ThISkL9gaLGmd-oVr0FAH5Yj9Ps_oxR700SYbx3E9MgFEQ>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 092362340080; Mon, 29 Jan 2024 22:28:55 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.11.0-alpha0-144-ge5821d614e-fm-20240125.002-ge5821d61
MIME-Version: 1.0
Message-Id: <1a2d0740-8f12-477a-b4c0-c878aa7fa15e@betaapp.fastmail.com>
In-Reply-To: <CACpbDcfyrc3nArGNLssXAcJBcNQSfcb9yPk=qcJCx-BoaPuscg@mail.gmail.com>
References: <CACpbDcfyrc3nArGNLssXAcJBcNQSfcb9yPk=qcJCx-BoaPuscg@mail.gmail.com>
Date: Tue, 30 Jan 2024 14:28:33 +1100
From: Martin Thomson <mt@lowentropy.net>
To: ohai@ietf.org, David Schinazi <dschinazi.ietf@gmail.com>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/ohai/fkH16eMtZbAhBp1fcCtBkn9lLXU>
Subject: [Ohai] Regarding PFS
X-BeenThere: ohai@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Oblivious HTTP Application Intermediation <ohai.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ohai>, <mailto:ohai-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ohai/>
List-Post: <mailto:ohai@ietf.org>
List-Help: <mailto:ohai-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ohai>, <mailto:ohai-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2024 03:29:01 -0000

On Tue, Jan 30, 2024, at 13:58, Jana Iyengar wrote:
> (Adding PFS to OHTTP is a great idea that we should pursue, 
> but it increases this overlap.)

I'm picking on Jana here as a starting point of a conversation, but this is really about David's idea.

David's suggestion was to have both request and response use HPKE.  The client would send a request toward a static server key; the server would send a response toward an ephemeral client key.

The advantage of this is that responses depend on purely ephemeral keys.  Only the client and server have the ability to decrypt them and only for as long as they retain those keys.  This would be an improvement in some situations and I'd be supportive of exploring those situations.

There are, however, costs that need to be considered.

1. Additional request size.  To do this properly, the client would need to generate a fresh ephemeral key and send a public key with its request.  For something like X25519, that's 32 extra bytes; ML-KEM or hybrid KEMs are quite a lot larger.

David originally suggested using the client's `enc` value for this, which would save this cost.  That would be possible with the X25519-based KEM that is in common usage and with other DH-based KEMs.  However, that would remove some generality as other KEMs don't work like that (ML-KEM is one).

2. Additional response size.  The 16 byte nonce could go and be replaced with a freshly encapsulated secret.  This would be anywhere from 32 bytes (X25519) to well over a kilobyte (ML-KEM).

3. Additional compute cost.  The cost of generating separate key pairs and then using them is modest, but significant relative to the existing costs as it essentially doubles the largest CPU cost component of the scheme.

4. Negotiating use.  This is the one that might be the hardest.  An in-place upgrade is not easy.  It comes down to all of the same questions that Tommy went through at the last meeting around format negotiation.  You can make it optional through in-band negotiation or having it be part of a selected key configuration, but that could divide anonymity sets in two.  You can make it non-optional, but that risks excluding some peers who don't support the format.  Had this been part of the original design, it might have been easier to justify, but it gets a bit harder when there are deployment considerations in play.

Then there is the benefits.  A lot of the uses for OHTTP I have seen depend on request privacy more than response privacy.  Often, this is because the client is the one with something to say that might have privacy implications.  The response might carry information that ties back to the request, but the request contains the really dangerous stuff that we're trying to protect.  Better protection for responses is not nothing, but nor does it necessarily improve the situation much.

OHTTP clients are often anonymous.  A server will generally send the same response to a different client that makes the same request.  A compromise of the static server key will let an attacker decrypt requests.  In that case, an attacker can decrypt the request and make that same request to get the same answer. For those arrangements, response protection has negligible added value.

This changes with the inclusion of anonymous tokens, provided that you use anti-replay.  So it is not nothing, but it is still worth keeping in mind the limited applicability (and this is the limited applicability working group, after all).

The other fact to consider is that encrypted messages are only available to three entities: client, relay, and server, with only the relay not being able to read the content.  You might not trust a relay with the content, but you do trust it to protect privacy and to help shield the server from abusive clients.  That leaves a gap where you might want to strengthen confidentiality protections against the relay, but it is a small one.  I don't know how to balance that gain against the drawbacks.

v2.23.0 | Report a Bug | By Email