IETF Logo Mail Archive

RE: New Version Notification for draft-kazuho-quic-authenticated-handshake-00.txt

Mike Bishop <mbishop@evequefou.be> Sat, 15 December 2018 00:07 UTC

Return-Path: <mbishop@evequefou.be>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED8FB130EA9 for <quic@ietfa.amsl.com>; Fri, 14 Dec 2018 16:07:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.359
X-Spam-Level:
X-Spam-Status: No, score=-3.359 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=evequefou.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zl-NDleuc4nc for <quic@ietfa.amsl.com>; Fri, 14 Dec 2018 16:07:30 -0800 (PST)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-eopbgr800099.outbound.protection.outlook.com [40.107.80.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25D99127B4C for <quic@ietf.org>; Fri, 14 Dec 2018 16:07:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=evequefou.onmicrosoft.com; s=selector1-evequefou-be; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XdX8iPZFxvo4l9QjM2Uh9mm+UpaDMjezl47lG9diox8=; b=QqEFNFoUI8poP8FjIoWyjKGiz4TkyOmO7RtnNwOSZJDDu3urOvciRnVOd/puRHJUS7vBLXCWXTzaGIX0yAWGv/kssI+eJor26q4dLaYtrMHBLBOL1ejSnBF7rytSjCpgbNu8SJAovtRw82ZotUPUdlV/H//kEGbL9LY8q1d0KKk=
Received: from CY4PR22MB0983.namprd22.prod.outlook.com (10.171.171.20) by CY4PR22MB0278.namprd22.prod.outlook.com (10.173.194.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1404.21; Sat, 15 Dec 2018 00:07:27 +0000
Received: from CY4PR22MB0983.namprd22.prod.outlook.com ([fe80::48d2:1dff:3687:d430]) by CY4PR22MB0983.namprd22.prod.outlook.com ([fe80::48d2:1dff:3687:d430%2]) with mapi id 15.20.1404.028; Sat, 15 Dec 2018 00:07:27 +0000
From: Mike Bishop <mbishop@evequefou.be>
To: Kazuho Oku <kazuhooku@gmail.com>, IETF QUIC WG <quic@ietf.org>
CC: Christian Huitema <huitema@huitema.net>
Subject: RE: New Version Notification for draft-kazuho-quic-authenticated-handshake-00.txt
Thread-Topic: New Version Notification for draft-kazuho-quic-authenticated-handshake-00.txt
Thread-Index: AQHUk1WFIzZEf2Ej4U2GTFRiBwv2VaV+6HNg
Date: Sat, 15 Dec 2018 00:07:27 +0000
Message-ID: <CY4PR22MB0983F89134F0C5A62B30CF34DAA20@CY4PR22MB0983.namprd22.prod.outlook.com>
References: <154475462982.32005.8870303572182973327.idtracker@ietfa.amsl.com> <CANatvzwbL-NoRK1boZmFkA8kEvJzCQTP26FCh31_c0rRrYvSOw@mail.gmail.com>
In-Reply-To: <CANatvzwbL-NoRK1boZmFkA8kEvJzCQTP26FCh31_c0rRrYvSOw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mbishop@evequefou.be;
x-originating-ip: [2601:600:8080:701:a581:9f0f:cd11:12f1]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR22MB0278; 6:lFCjwC/rpi+wW2mNSB+m0motcaw0agqkUP4NgcaHvPnrMpLyknLtCy7qOK3LU0X1Ies/MiFudNxgkQfOKStWYW0Xg2jJ5ckN+c34+Y3ZdD48eJOg3IcKwzTtu4T/IJ72ZgS9X9Uu9h/pbN7f7X/yYzyGw+KmEWMqu/mB6ixBjAomv56Bgnbd57pIcTqGoIUfHIQWCgL2qLYTubh4m4ZK6SXwK75yLrUN3jxgQWM9R7hfJ2rqWWLBLwMJUSPM5VKb2u5dZYtaH9MB3ofV5S1ThbM7Wbp0I2iyn8xQf9Tp6uGeUrcPTI2Go8ZehrqammLxIbBqBTFiWnPPxLUjHKSbxV3oG6AZWozVBcasubzQ8P2rZETQkbElls+zMAGMlQ+A+QqCaF/8MWicxqAqTDSFWG7F8YzmsHE66OspOInajmOAo6XnCuk7j2i4PwdZn083nrxrBlF4LeXJG2+Ab9t3VQ==; 5:izQxT16vdRYjauZQf6z3x5vDMD/Ts98JbAM5BJo413pQMLjq8FYhJS6lV3HIkVNXy3LQO3vyyGOts5Njrqj183Mn0Q6uoMg2axHvGTrZoEfP21cDszvb+Mes/rDjN/bqxk+6W7uq0UNoJWNxCUizeoCcStUPW6dXXnFLmF/0s7I=; 7:9h1mGAVX1FHTirc4j9p9DpIXNbgb23NBiRh75bn9pLEgljPnXQHHfcSiu6EEMPpyVR/zDLvIFmCES94qzV0lLrUp/OczJ7FdHjpQSgETQDnaBJRpk2xKVxV7JtRHHzBgwGClPExVyX2t5hrW7g8fEw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 78643a89-9ca0-45fe-45dd-08d662214c51
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(5600074)(711020)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(2017052603328)(7153060)(7193020); SRVR:CY4PR22MB0278;
x-ms-traffictypediagnostic: CY4PR22MB0278:
x-microsoft-antispam-prvs: <CY4PR22MB027879FA68C0C13C4403D7DCDAA20@CY4PR22MB0278.namprd22.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(3230021)(999002)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(3002001)(10201501046)(3231475)(944501520)(52105112)(148016)(149066)(150057)(6041310)(20161123558120)(2016111802025)(20161123560045)(20161123564045)(20161123562045)(6043046)(201708071742011)(7699051)(76991095); SRVR:CY4PR22MB0278; BCL:0; PCL:0; RULEID:; SRVR:CY4PR22MB0278;
x-forefront-prvs: 088751B4D4
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(376002)(39830400003)(346002)(366004)(136003)(199004)(504964003)(13464003)(51444003)(189003)(22974007)(256004)(15650500001)(105586002)(561944003)(68736007)(7110500001)(97736004)(33656002)(8936002)(229853002)(4326008)(81166006)(4001150100001)(86362001)(14444005)(5660300001)(316002)(74482002)(110136005)(81156014)(71200400001)(71190400001)(606006)(2420400007)(53936002)(25786009)(6246003)(54896002)(476003)(74316002)(508600001)(76176011)(966005)(6506007)(53546011)(102836004)(46003)(11346002)(6306002)(236005)(7736002)(186003)(14454004)(7696005)(106356001)(6436002)(39060400002)(446003)(2906002)(486006)(9686003)(790700001)(10710500007)(8676002)(99286004)(6116002)(55016002)(66574012); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR22MB0278; H:CY4PR22MB0983.namprd22.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: evequefou.be does not designate permitted sender hosts)
x-microsoft-antispam-message-info: O07D4JClZ/oQmFwVv5zjkhOhCrBTYrIaRx5RHpKwGPLyrjzr9DQ+n3g1lRBj79e2nya74VzamOi0Sjgh6W3qCuNGqoQohx9jxPfzkUvEJ+nLBW9JQdGknAr3BokQ6mqPp4rW2FyAKSCDAjwBxFA0h1zT1Aw3kTFY4Fw6UUiqBkzo5b6WW/U+7oqnKDSfFsvOde9qTgapNcXmA0ZCxygUCOBBVRY5F0MUXrwMwPPQDPqKjYsw/H8850/lHuXstJeOqadh6ESmgaYBS3nFbfOhyyDS7E6I/w9i2uxknddBC/7NXr9Q8Ot5oRbrBOFap8oi
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR22MB0983F89134F0C5A62B30CF34DAA20CY4PR22MB0983namp_"
MIME-Version: 1.0
X-OriginatorOrg: evequefou.be
X-MS-Exchange-CrossTenant-Network-Message-Id: 78643a89-9ca0-45fe-45dd-08d662214c51
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Dec 2018 00:07:27.1935 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 41eaf50b-882d-47eb-8c4c-0b5b76a9da8f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR22MB0278
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/cxAFqsEDhp-hqnOx97Z4qtd_8lA>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Dec 2018 00:07:34 -0000

I had to puzzle through a few pieces of this, but this approach seems promising.  However, I would be very sad to tie the use of QUICv1 to the successful deployment of ESNI keys (particularly for the reasons we're already concerned about ESNI's current structure in a multi-CDN context).  For that reason, I think a separate version (either v2 or an alternative to v1) is the right choice.



I'm also wondering whether this actually *needs* to use ESNI as the publication mechanism.  For example, an extension to QUICv1 could be defined to relay the server’s keyshare for use on future connections.  However, ESNI permits you to delegate issues of lifetime, pinning, revocation, etc. to the DNS, which is certainly attractive.



-----Original Message-----
From: QUIC <quic-bounces@ietf.org> On Behalf Of Kazuho Oku
Sent: Thursday, December 13, 2018 6:34 PM
To: IETF QUIC WG <quic@ietf.org>
Cc: Christian Huitema <huitema@huitema.net>
Subject: Fwd: New Version Notification for draft-kazuho-quic-authenticated-handshake-00.txt



TL;DR: Christian and I have submitted an I-D that proposes a flavor of QUIC v1 that uses the Encrypted SNI key to authenticate Initial packets. Initial packets are no longer vulnerable to man-on-the-side attacks; the entire handshake process becomes tamper-proof.



https://datatracker.ietf.org/doc/draft-kazuho-quic-authenticated-handshake/



## Background



So far, we have spent multiple efforts to make QUIC resistant to man-on-the-side attacks. Among them, mitigating injection attacks of Initial packets has been the biggest head-ache.



There have been various proposals (including #2045, #2053, #2076), but the question has always been if it's worth the effort, because there are so many attack vectors (e.g. injection of a packet carrying a corrupt header, invalid or unknown frames, ACKs with unsent PNs, crafted TLS Hellos, HelloRetryRequests, crafted Version Negotiation or Retry packets) and it is doubtful if having mitigations for just one or few types of attacks are meaningful. We want to close all the attack vectors, however it is like building house of cards.



## The Proposed Approach



The draft introduces a different approach. It relies on the Encrypted SNI [1]. For people not familiar with Encrypted SNI, it is an extension of TLS 1.3 that uses a public key distributed using DNS to encrypt the SNI. Encrypted SNI is currently a TLS WG draft, has multiple implementations, and it is already deployed by Cloudflare and Mozilla.



The approach proposed by the draft is to use a shared secret that is derived from the Encrypted SNI key to authenticate the Initial packets, using HMAC. Because the shared key can only be calculated by the endpoints, an attacker cannot spoof the Initial packets. Spoofed packets will be detected by HMAC and will be to dropped.



The draft disables Version Negotiation (because the DNS record of Encrypted SNI can carry a list of QUIC versions supported by the server), a different client-side behavior for handling Retry packets, and also introduces a CONNECTION_CLOSE packet to communicate handshake failures without affecting the transport state.



And of course, it also uses a different QUIC version number in the long packet header field so that the Initial packets of QUIC v1 and the authenticated Initial packets of the proposal can be handled differently.



Other than that, the protocol is identical to QUIC v1, including the handling of 0-RTT, Handshake, 1-RTT packets and the frames being contained by them. IMO, the differences are small and isolated well enough that QUIC v1 stacks can easily add support for the flavor proposed by the I-D.



There are other benefits too. We have always hoped to have multiple versions of QUIC being deployed from early days in order to prevent ossification. The proposal makes that happen. Besides, one interesting aspect of the proposed protection of Initial packets is that MITM boxes (with root certificates) would not be possible to terminate the connection _unless_ they also block the distribution of Encrypted SNI DNS records, and that even then, the existence of such MITM boxes is detectable. Raising the bar of implementing and deploying MITM boxes as well as detecting them is beneficial for the evolution of the protocol.



The downside of the proposal is that it only protects QUIC connections going to servers that provide the Encrypted SNI DNS records. But considering our failing attempts to address the Initial packet injection attacks, and considering the amount of interest we have seen for Encrypted SNI, I think that the proposed approach is the way forward.



Please let us know what you think. Thank you in advance.



PS. The GitHub repository of the I-D is:

https://github.com/kazuho/draft-kazuho-quic-authenticated-handshake



---------- Forwarded message ---------

From: <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>

Date: 2018年12月14日(金) 11:30

Subject: New Version Notification for

draft-kazuho-quic-authenticated-handshake-00.txt

To: Kazuho Oku <kazuhooku@gmail.com<mailto:kazuhooku@gmail.com>>, Christian Huitema <huitema@huitema.net<mailto:huitema@huitema.net>>







A new version of I-D, draft-kazuho-quic-authenticated-handshake-00.txt

has been successfully submitted by Kazuho Oku and posted to the IETF repository.



Name:           draft-kazuho-quic-authenticated-handshake

Revision:       00

Title:          Authenticated Handshake for QUIC

Document date:  2018-12-14

Group:          Individual Submission

Pages:          9

URL:

https://www.ietf.org/internet-drafts/draft-kazuho-quic-authenticated-handshake-00.txt

Status:

https://datatracker.ietf.org/doc/draft-kazuho-quic-authenticated-handshake/

Htmlized:

https://tools.ietf.org/html/draft-kazuho-quic-authenticated-handshake-00

Htmlized:

https://datatracker.ietf.org/doc/html/draft-kazuho-quic-authenticated-handshake





Abstract:

   This document explains a variant of QUIC protocol version 1 that uses

   the ESNI Keys to authenticate the Initial packets thereby making the

   entire handshake tamper-proof.









Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.



The IETF Secretariat







--

Kazuho Oku

v2.23.0 | Report a Bug | By Email