Re: New Version Notification for draft-kazuho-quic-authenticated-handshake-00.txt
Kazuho Oku <kazuhooku@gmail.com> Sun, 16 December 2018 03:21 UTC
Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B0A5130F18 for <quic@ietfa.amsl.com>; Sat, 15 Dec 2018 19:21:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iUxjEvdk7DN8 for <quic@ietfa.amsl.com>; Sat, 15 Dec 2018 19:21:32 -0800 (PST)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F902130EE8 for <quic@ietf.org>; Sat, 15 Dec 2018 19:21:31 -0800 (PST)
Received: by mail-lf1-x130.google.com with SMTP id f23so7010750lfc.13 for <quic@ietf.org>; Sat, 15 Dec 2018 19:21:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=w2pjWuvomA4mw8sDluPpxtBxpZeYhVSdhiSSjZG+GCw=; b=bV8pJf+AhSjr9Lxjb6A/rLSNThvFahprLeZKUfLyTZ9JbHbre57Lq6RSPVAL2qTkdP NFJ2t7tLvyJXh+1HSyvDQTchHpiCIBxjuV0aFX79Zj40vlK2dvBG9mTWCrw2RUeQagSv /CD6csNx8DflLPHneWGZ6PWLFPZiqEOJqroEda8C7FOAh3KYQvA7DvywvlnEV+t0DK7w 4zDmPclPOxrx12kVsSQSa+s5kW7HcNXAw1eA5u806v+lokrz/n6ebo4bq6C7QSVcY7sJ W42I36argt+Tww4ED6gkeeQRfZWxFABtLsJ3zWDtSFMY3Q7ZkkGRevHpY3fBX7ldQzcC qdzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=w2pjWuvomA4mw8sDluPpxtBxpZeYhVSdhiSSjZG+GCw=; b=Csewzq9KCFrQzRlmNMpvRJu1paCi1SD4U7HNBVnUN5Ea3YM+iSiLxAJwKrsjoPWan7 aPIxHkdYfYpusfD4y/6XH6ut0yi73InbNiUAs4OHuV83JsSc3IpcWYZItx8RDhDvMlKN ecsuS4bWKYOl4Z08ls/e6o0p7AnRv1mB2AejrIr1WQ7BP4Xi49eXNbH91Gvjf+x7anAS kwX6Kqgx49ZgJ28FCY3ziApu//cttMtWIRUWUelnhXGLs9IogLuRVRqpV4rOpjeLMrAp uvC0nSYn/xP/ykkYYB2gMmu4pGKeSDFfGWGmkYkuuKeRxaENOQLcM5/Qkr+PXtnfmWPz WZ2g==
X-Gm-Message-State: AA+aEWaAT7WZApB5wcElrDDTb3bVhoZSLnh0vqki9J1XD05kcADfn2dx eTNzG1MbJ4Xovhv78L7LppDF+ni6OpR/8vbWUnI=
X-Google-Smtp-Source: AFSGD/XqP3lqj9LGwA/B4o+oKAjqpoKNF3k6JIjj9LjbFX6E0kAwgCEHX6FyOJ/IHV24nrbULC2uy3tA6WN/nzA1HK4=
X-Received: by 2002:a19:9b50:: with SMTP id d77mr4886813lfe.137.1544930489676; Sat, 15 Dec 2018 19:21:29 -0800 (PST)
MIME-Version: 1.0
References: <154475462982.32005.8870303572182973327.idtracker@ietfa.amsl.com> <CANatvzwbL-NoRK1boZmFkA8kEvJzCQTP26FCh31_c0rRrYvSOw@mail.gmail.com> <CABcZeBNOAw3b504yZ5rV2THroe0K_y-T=_ya8-t0zDC5k6X8+g@mail.gmail.com> <98ac8dac-393c-92e4-776c-2c27c55be7a2@huitema.net>
In-Reply-To: <98ac8dac-393c-92e4-776c-2c27c55be7a2@huitema.net>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Sun, 16 Dec 2018 12:21:17 +0900
Message-ID: <CANatvzwe2dJ8hCrsrnL3uXkcsbODKTLtZeLcsTDF_yuypxvxng@mail.gmail.com>
Subject: Re: New Version Notification for draft-kazuho-quic-authenticated-handshake-00.txt
To: Christian Huitema <huitema@huitema.net>
Cc: Eric Rescorla <ekr@rtfm.com>, IETF QUIC WG <quic@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/RykOz0yxCivYhpKIC4sRhrB3QHw>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Dec 2018 03:21:35 -0000
2018年12月16日(日) 9:45 Christian Huitema <huitema@huitema.net>: > > Quoting the whole message, because it is a nice analysis. > > On 12/15/2018 10:50 AM, Eric Rescorla wrote: > > Kazuho, > > > > Thanks for sending this. I think it's a very interesting direction. I have > > some comments below. > > > > DEPLOYMENT MODEL > > It seems to me that there are two models to consider here. In the > > first, the server *only* supports authenticated handshakes (AH) and in > > the second, it supports both authenticated and unauthenticated > > handshakes. In general, I think the second case is far more likely, > > because in general we can't assume that clients can receive the > > ESNIKeys records, and that means that some clients will not use AH. > > > > > > THREAT MODEL > > This leads us directly to the question of the threat model. I assume > > that we have what I termed a Class (3) attacker, which can inject > > packets and will always win the race but cannot delete packets. > > With that, you get the following pattern: > > > > > > Client Attacker Server > > > > CInitial -> > > CInitial' -> > > CInitial -> > > <- SInitial > > <- SInitial' > > <- SInitial > > > > CHandshake -> > > CHandshake -> > > > > Our objective is to have the handshake survive this treatment. In an > > ideal world, we would cause the server and client to reject X' and > > process X but this isn't possible, with the design you suggest, > > because the attacker can always take CInitial, replace the CRYPTO > > frames with his own and then send it to the server, computing > > a new MAC based on *his* Zx. Note that this won't necessarily have > > the right ESNI but that doesn't matter, because it will have > > the same [SC]CID, and so will cause cause CInitial to be discarded > > when it is received. As far as I can tell, your current design > > does not prevent this. If I'm missing something here, let me > > know [0] > > > Agreed. > > > > > > > > > FIRST CLIENT INITIAL > > It seems like the obvious defense is the one you suggest in S 3.2.2, > > namely to treat each distinct CInitial as its own handshake and create > > separate state on the server for each one. Then this will cause the > > server to send two SInitials, one in response to CInitial and one > > in response to CInitial'. This gives us the diagram below. > > > > Client Attacker Server > > > > CInitial -> > > CInitial' -> > > <- SInitialX // > > Corresponds to CInitial' > > > > <- SInitialX' > > <- SInitialX > > > > CInitial -> > > <- Sinitial // > > Corresponds to CInitial > > <- Sinitial' > > <- SInitial > > > > CHandshake -> > > CHandshake -> > > > > Note that the attacker can duplicate and tamper with any message > > either side sends so because the server sends two SInitials, the > > attacker ends up potentially sending 4. > > The suggestion is S 3.2.2. is basically the same as PR 2706: create a > separate server context for each separate CH. Like Kazuho, I think it is > pretty much required for any good defense. Yeah. As I suggested in my response to EKR, it might be worth considering going one step further; i.e. derive DCID from ClientHello. > > > > > > > SERVER INITIAL FLIGHT > > So, what we need at this point is to ensure that the client rejects > > (a) SInitial', SInitialX' and (b) SInitialX, and accepts SInitial (I'm > > ignoring subsequent Initial packets from the Client at this point), > > but I'll get there shortly. Rejecting SInitial' happens automatically > > in your design. The attacker doesn't have Zx and so SInitial' will not > > deprotect correctly. > > > > Rejecting SInitialX is harder, but I think can be fixed by mixing > > CInitial1 > > into the the key schedule. I.e., the initial key would be something > > like: > > > > IS = HKDF-Extract(0xef4fb0abb47470c41befcf8031334fae485e09a0, > > Zx) > > > > initial_secret = HKDF-Extract(HKDF-Expand(IS, ...), > > F(CInitial)) > > > > Where F(CInitial is some sanitized version of CInitial, that is > > invariant under retransmission, perhaps the payload + the CIDs. > > The result of this is that SInitialX and SInitial will be encrypted > > with separate keys (with only the one for SInitial being the one > > that the client expects) and the client will discard SInitialX > > after it fails to decrypt. > > We tried to not have rekeying at the client, i.e. keep the same hmac key > throughout the session. Agreed. I think that that would be a nice property to have (for simplicity). And IMO there's no downside in doing that, because an attacker cannot generate a spoofed packet that would be processed by either of the endpoints, assuming that we address the issue of server not rejecting spoofed Initial packets carrying legitimate a ESNI extension (discussed above). > The assumption is that the data incorporated in > the "hmac_key" contains something that client and server know, but the > attacker cannot guess. The structure "ClientESNIInner" has that > property, as long as the nonce really is unguessable. Caveats about > random number generation seem to apply. Now it may well be that our > draft refers to "ESNIContents" when in fact it should refer to > "ClientESNIInner". That would be a simple fix. Zx is the shared secret between the client and server, therefore hmac_key cannot be calculated by an attacker. Hash(ESNIContents) is the equivalent of AAD. Therefore I am not sure if ClientESNIInner is the correct thing to do. Instead we should expand that to cover the entire ClientHello, to ensure that HMAC key would be unique to ClientHello. > > > > > > > SUBSEQUENT CLIENT INITIALS > > The diagram looks like this > > > > Client Attacker Server > > > > CInitial -> > > CInitial' -> > > <- SInitialX // > > Corresponds to SInitial' > > CInitial -> > > <- Sinitial > > > > <- SInitialX' > > <- SInitialX > > <- SInitial > > <- Sinitial' > > > > CInitial2 -> > > CInitial2' -> > > CInitial2 -> > > > > There are actually two types of subsequent client Initials > > > > > > 1. Those after SH that contain ACKs (and the like) for server > > Initial. > > 2. Those after HRR > > > > With case (1), we should just rekey off of Initial secret. The server > > can sort out which keys to use based on trial decryption or perhaps > > some extra flag in the packet (probably the second is better). > > This gets better if the client switches to using the server chosen SCID > instead of the ICID in the subsequent initials. If we do that, then > there is no ambiguity: Clinitial2 arrives with the SCID chosen by the > server when sending SInitial, and is authenticated using the HMAC key > derived from CInitial. > > If we insist that all Initial packets shall have Dest=ICID, then we do > indeed have a problem, and we need to put a unique token somewhere in > the payload. Hash(CInitial) would work. I think deriving DCID from Hash(ClientHello) would also fix the issue. > > > > > Case (2) (HRR) is more complicated. Trying to use data in the ESNI > > extension when you're not going to use g^x is tricky (though maybe > > possible), so we could potentially handle this as in case (1). Another > > alternative is to use the same general strategy we used for the > > first Initial and bucket the CInitial1/CInitial2 pairs. This is > > easiest done > > if we force each CInitial2 to commit to a specific CInitial1 (thus > > avoiding > > the need to do combinatoric explosion on the server). You could > > do this by including a hash of CInitial1 in CInitial2. The attacker > > can obviously bind CInitial2' to any CInitial he wants, but he has > > to transmit one message for each, so the result is the same as > > sending N CInitial1s. > > That, or sending the messages with dest=SCID instead of dest=ICID. > > I think we went back and forth with that idea. I don't quite remember > why we nixed it. Is there a potential deployment issue? > > > > VERSION NEGOTIATION > > In your design you move version negotiation to the client and forbid > > VN: > > > > A client MUST ignore Version Negotiation packets. When the client > > gives up of establishing a connection, it MAY report the failure > > differently based on the receipt of (or lack of) Version Negotiation > > packets. > > > > More concerning, this moves the QUIC version negotiation to the ESNI > > record, which permits downgrade attacks by that server (or anyone who > > controls DNS). We've generally avoided this in TLS ESNI. It could > > be solved by having the true origin sign the ESNIKeys structure > > (as we have discussed for semi-static). > > > > It's worth noting that this is a consequence of QUIC's VN design. With > > the simplified VN design I suggested in PR #2113, you wouldn't have > > this problem: the server would commit to its *minimum* version (this > > is implicit in ESNIKeys already, as it requires TLS 1.3) and then you > > could upward negotiate as expected. > > And maybe we should specify that. After all, we are creating a new QUIC > version, so we can just as well have a couple of extra transport parameters. > > > > [0] Another possibility with your current design is for the attacker > > to tamper with CH, for instance by adding a dummy extension, because > > the ESNI extension doesn't protect all of CH, just g^x. This will > > cause the server's Handshake messages to deprotect incorrectly. One > > could imagine a fix for this if the ESNI extensions covered more > > of the CH. > > If the attacker did that, wouldn't the HMAC fail at the server? Also, > isn't that just a variant of CInitial' ? > > -- Christian Huitema -- Kazuho Oku
- Fwd: New Version Notification for draft-kazuho-qu… Kazuho Oku
- Re: Fwd: New Version Notification for draft-kazuh… Mikkel Fahnøe Jørgensen
- RE: New Version Notification for draft-kazuho-qui… Mike Bishop
- Re: Fwd: New Version Notification for draft-kazuh… Kazuho Oku
- Re: New Version Notification for draft-kazuho-qui… Kazuho Oku
- Re: New Version Notification for draft-kazuho-qui… Eric Rescorla
- Re: New Version Notification for draft-kazuho-qui… Christian Huitema
- Re: New Version Notification for draft-kazuho-qui… Kazuho Oku
- Re: New Version Notification for draft-kazuho-qui… Kazuho Oku
- Re: New Version Notification for draft-kazuho-qui… Christian Huitema
- Re: New Version Notification for draft-kazuho-qui… Kazuho Oku
- Re: New Version Notification for draft-kazuho-qui… Kazuho Oku