Fwd: New Version Notification for draft-kazuho-quic-authenticated-handshake-00.txt
Kazuho Oku <kazuhooku@gmail.com> Fri, 14 December 2018 02:34 UTC
Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A927130F72 for <quic@ietfa.amsl.com>; Thu, 13 Dec 2018 18:34:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g82NJt2S1sV0 for <quic@ietfa.amsl.com>; Thu, 13 Dec 2018 18:34:05 -0800 (PST)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91A2D128B14 for <quic@ietf.org>; Thu, 13 Dec 2018 18:34:04 -0800 (PST)
Received: by mail-lj1-x22e.google.com with SMTP id k15-v6so3586967ljc.8 for <quic@ietf.org>; Thu, 13 Dec 2018 18:34:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=4eyRjrESx+AluvkKOAibwHVKo5XhfnV88jqBQTusADA=; b=YOfCP7JohuDD1Mi0kolMS3xD8eg33iVztbjWwne3yO8UTz9vuXxxbBeZQIsRxLKnSd nxz4e9zwdHIj7iMWT9+tJ9IEwG0ERYKNU4GE7ptermRJeH988CriVjhoGHtv7SP0mp2O 8JHcT9Zqj/K1PrtxyMEf0NAYPUgwB6eFlB01oDI7GDdqFjOUN4jZbHNrgW2MQ54wS4Mu iZc0pB+rDiBIbS0DVLcE2fGGhNrEB7fQRYDU+2ztmF2cnM10k+mnU9rh2CbLDIK53NVe gRY//qrfRIC+Y59uaOOvp6MQfX2VdJPNGRjiuDBchJv8pPIzq+vGdIR4qB/HvzK3Nofi SN/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=4eyRjrESx+AluvkKOAibwHVKo5XhfnV88jqBQTusADA=; b=QbrbOjEpiaK+hrUPwXGyBDbUCWE84lUP6z77ICctAFddHGGGvE6AbmxjTfNl3ZlwI0 b7WlFWUmg8A1MTwbBxrOqK3TqdQzF1nNCEGRnnUuyyzTfK89Sqn5EoKD5U09MzuvZLvE 1ZutvazIhwoFgwbxN3wsGcgE5LnI+4HxqtyhNqXnPkgG4s18rn2LT5m/pSnXwHYVxOxz Vuwot8eQEbd1SiXYUQQuUqBs1vLlEMjAUxjpJRJe8KHM4mjdB3mf1YWEKWzdcrtRX8PR CwjAuq4yYcSsMpFFt5xIx0hHnz5EIfRinEXTcItKaojLVKNJAhZBvCxOdnQ9po2ybpXr JcIg==
X-Gm-Message-State: AA+aEWaYSQQAUxig+9/vjWEIvW9PcpGrd6A42OrxqxjmzdQlaI0+YkHf x0PvDIpzLgq3xfwojxa7ixw8BgVVeVKpGANZ3EjhwkevPCw=
X-Google-Smtp-Source: AFSGD/Wpyp0NfYTT205rbj+ItIKOrOjo17N3QCY8xyLl2Ydo/DRpsV2JRNq4Tg/Y32A2cqtQeulfNiQkAIwJiq6y868=
X-Received: by 2002:a2e:81a:: with SMTP id 26-v6mr727537lji.14.1544754842469; Thu, 13 Dec 2018 18:34:02 -0800 (PST)
MIME-Version: 1.0
References: <154475462982.32005.8870303572182973327.idtracker@ietfa.amsl.com>
In-Reply-To: <154475462982.32005.8870303572182973327.idtracker@ietfa.amsl.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Fri, 14 Dec 2018 11:33:50 +0900
Message-ID: <CANatvzwbL-NoRK1boZmFkA8kEvJzCQTP26FCh31_c0rRrYvSOw@mail.gmail.com>
Subject: Fwd: New Version Notification for draft-kazuho-quic-authenticated-handshake-00.txt
To: IETF QUIC WG <quic@ietf.org>
Cc: Christian Huitema <huitema@huitema.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/DdT-gIgzxUDnSajyoMwDm1A_URQ>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Dec 2018 02:34:07 -0000
TL;DR: Christian and I have submitted an I-D that proposes a flavor of QUIC v1 that uses the Encrypted SNI key to authenticate Initial packets. Initial packets are no longer vulnerable to man-on-the-side attacks; the entire handshake process becomes tamper-proof. https://datatracker.ietf.org/doc/draft-kazuho-quic-authenticated-handshake/ ## Background So far, we have spent multiple efforts to make QUIC resistant to man-on-the-side attacks. Among them, mitigating injection attacks of Initial packets has been the biggest head-ache. There have been various proposals (including #2045, #2053, #2076), but the question has always been if it's worth the effort, because there are so many attack vectors (e.g. injection of a packet carrying a corrupt header, invalid or unknown frames, ACKs with unsent PNs, crafted TLS Hellos, HelloRetryRequests, crafted Version Negotiation or Retry packets) and it is doubtful if having mitigations for just one or few types of attacks are meaningful. We want to close all the attack vectors, however it is like building house of cards. ## The Proposed Approach The draft introduces a different approach. It relies on the Encrypted SNI [1]. For people not familiar with Encrypted SNI, it is an extension of TLS 1.3 that uses a public key distributed using DNS to encrypt the SNI. Encrypted SNI is currently a TLS WG draft, has multiple implementations, and it is already deployed by Cloudflare and Mozilla. The approach proposed by the draft is to use a shared secret that is derived from the Encrypted SNI key to authenticate the Initial packets, using HMAC. Because the shared key can only be calculated by the endpoints, an attacker cannot spoof the Initial packets. Spoofed packets will be detected by HMAC and will be to dropped. The draft disables Version Negotiation (because the DNS record of Encrypted SNI can carry a list of QUIC versions supported by the server), a different client-side behavior for handling Retry packets, and also introduces a CONNECTION_CLOSE packet to communicate handshake failures without affecting the transport state. And of course, it also uses a different QUIC version number in the long packet header field so that the Initial packets of QUIC v1 and the authenticated Initial packets of the proposal can be handled differently. Other than that, the protocol is identical to QUIC v1, including the handling of 0-RTT, Handshake, 1-RTT packets and the frames being contained by them. IMO, the differences are small and isolated well enough that QUIC v1 stacks can easily add support for the flavor proposed by the I-D. There are other benefits too. We have always hoped to have multiple versions of QUIC being deployed from early days in order to prevent ossification. The proposal makes that happen. Besides, one interesting aspect of the proposed protection of Initial packets is that MITM boxes (with root certificates) would not be possible to terminate the connection _unless_ they also block the distribution of Encrypted SNI DNS records, and that even then, the existence of such MITM boxes is detectable. Raising the bar of implementing and deploying MITM boxes as well as detecting them is beneficial for the evolution of the protocol. The downside of the proposal is that it only protects QUIC connections going to servers that provide the Encrypted SNI DNS records. But considering our failing attempts to address the Initial packet injection attacks, and considering the amount of interest we have seen for Encrypted SNI, I think that the proposed approach is the way forward. Please let us know what you think. Thank you in advance. PS. The GitHub repository of the I-D is: https://github.com/kazuho/draft-kazuho-quic-authenticated-handshake ---------- Forwarded message --------- From: <internet-drafts@ietf.org> Date: 2018年12月14日(金) 11:30 Subject: New Version Notification for draft-kazuho-quic-authenticated-handshake-00.txt To: Kazuho Oku <kazuhooku@gmail.com>, Christian Huitema <huitema@huitema.net> A new version of I-D, draft-kazuho-quic-authenticated-handshake-00.txt has been successfully submitted by Kazuho Oku and posted to the IETF repository. Name: draft-kazuho-quic-authenticated-handshake Revision: 00 Title: Authenticated Handshake for QUIC Document date: 2018-12-14 Group: Individual Submission Pages: 9 URL: https://www.ietf.org/internet-drafts/draft-kazuho-quic-authenticated-handshake-00.txt Status: https://datatracker.ietf.org/doc/draft-kazuho-quic-authenticated-handshake/ Htmlized: https://tools.ietf.org/html/draft-kazuho-quic-authenticated-handshake-00 Htmlized: https://datatracker.ietf.org/doc/html/draft-kazuho-quic-authenticated-handshake Abstract: This document explains a variant of QUIC protocol version 1 that uses the ESNI Keys to authenticate the Initial packets thereby making the entire handshake tamper-proof. Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat -- Kazuho Oku
- Fwd: New Version Notification for draft-kazuho-qu… Kazuho Oku
- Re: Fwd: New Version Notification for draft-kazuh… Mikkel Fahnøe Jørgensen
- RE: New Version Notification for draft-kazuho-qui… Mike Bishop
- Re: Fwd: New Version Notification for draft-kazuh… Kazuho Oku
- Re: New Version Notification for draft-kazuho-qui… Kazuho Oku
- Re: New Version Notification for draft-kazuho-qui… Eric Rescorla
- Re: New Version Notification for draft-kazuho-qui… Christian Huitema
- Re: New Version Notification for draft-kazuho-qui… Kazuho Oku
- Re: New Version Notification for draft-kazuho-qui… Kazuho Oku
- Re: New Version Notification for draft-kazuho-qui… Christian Huitema
- Re: New Version Notification for draft-kazuho-qui… Kazuho Oku
- Re: New Version Notification for draft-kazuho-qui… Kazuho Oku