Submission of QUIC-AH draft-01, with support for version number greasing (Fwd: New Version Notification for draft-kazuho-quic-authenticated-handshake-01.txt)
Kazuho Oku <kazuhooku@gmail.com> Fri, 05 July 2019 08:42 UTC
To: IETF QUIC WG <quic@ietf.org>
Cc: Christian Huitema <huitema@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/vlnPLsWgxtqafOv2eUbvdOj2Tyg>
Hi all,

Christian and I have submitted -01 of draft-ietf-quic-authenticated-handshake (QUIC-AH), that describes a variant of QUIC v1 that uses ESNI [1] to protect Initial packets (and therefore the entire lifetime of a QUIC connection) from MITM attacks.

Since -00 [2], we have fixed a design flaw (pointed out by EKR), added Considerations, and introduced the capability to advertise alternative QUIC version numbers to be used on the wire, as we have discussed in London [3].

Version number greasing, the new feature in -01, works as follows:

1. Alternative versions to be used on the wire are published using DNS, through an extension of the ESNI Resource Record. ESNI requires the Resource Record be known to the server.
2. A client that supports QUIC-AH picks one of the wire-versions found in the ESNI RR. The obfuscation key of the Initial packet is derived the same way as QUICv1 (i.e. from DCID).
3. The server, with the knowledge of the mapping between the versions on the wire and the actual versions, decodes and processes the Initial packet.

I think that this design is simple, and that it would be trivial to implement on top of QUIC-AH (or on top of QUIC v1/TLS+ESNI, if the WG prefers just using the version number greasing but not the "authenticated handshake" part of the I-D).

That said, I think the broader question is how we should protect not only the version number field but also other non-encrypted fields of QUIC packets (e.g., payload format of Initial packet = ClientHello) from getting ossified.

I think there are three options:

a) Merely obfuscate the version number field. That's what is currently being achieved by the draft.

b) In addition to the version numbers, advertise alternative salt values to be used on the wire using the ESNI Resource Record. Doing so does not prevent a middlebox from observing the content of ClientHello (even though it cannot see the plaintext SNI); however, it would require more work from the middlebox, as it needs to fetch the ESNI Resource Record to obtain the salt. IIRC, this is analogous to what was proposed in #2573 [4].

c) Encrypt the Initial payload [5]. ESNI provides a semi-static public key known to the server. In case of ESNI, that key is used to encrypt only the server name, but in case of QUIC, because the format of the Initial packet is not yet encrypted, we have the freedom to change the design as we would like. That would be the ultimate method to prevent the payload of v1 CRYPTO frame from getting ossified. Though in turn, the way the client encodes its public key in the AH Initial packet (most likely a particular encoding of HPKE [6]) could become an ossification vector.

What do you think?

I would appreciate it if you could give us feedback, either on QUIC-AH in general, or on the version number greasing design.

[1] https://tools.ietf.org/html/draft-ietf-tls-esni-03
[2] https://mailarchive.ietf.org/arch/msg/quic/DdT-gIgzxUDnSajyoMwDm1A_URQ
[3] https://github.com/quicwg/base-drafts/issues/2496
[4] https://github.com/quicwg/base-drafts/pull/2573
[5] https://github.com/kazuho/draft-kazuho-quic-authenticated-handshake/issues/9
[6] https://tools.ietf.org/html/draft-barnes-cfrg-hpke-01

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Fri, Jul 5, 2019, 17:37
Subject: New Version Notification for draft-kazuho-quic-authenticated-handshake-01.txt
To: Kazuho Oku <kazuhooku@gmail.com>, Christian Huitema <huitema@huitema.net>

A new version of I-D, draft-kazuho-quic-authenticated-handshake-01.txt has been successfully submitted by Kazuho Oku and posted to the IETF repository.

Name:           draft-kazuho-quic-authenticated-handshake
Revision:       01
Title:          Authenticated Handshake for QUIC
Document date:  2019-07-05
Group:          Individual Submission
Pages:          11
URL:            https://www.ietf.org/internet-drafts/draft-kazuho-quic-authenticated-handshake-01.txt
Status:         https://datatracker.ietf.org/doc/draft-kazuho-quic-authenticated-handshake/
Htmlized:       https://tools.ietf.org/html/draft-kazuho-quic-authenticated-handshake-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-kazuho-quic-authenticated-handshake
Diff:           https://www.ietf.org/rfcdiff?url2=draft-kazuho-quic-authenticated-handshake-01

Abstract:
This document explains a variant of QUIC protocol version 1 that uses the ESNI Keys to authenticate the Initial packets thereby making the entire handshake tamper-proof.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

--
Kazuho Oku
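
Added example, not part of the original message or of the draft: a sketch of greasing steps 1-3 and of the difference between options a) and b). The wire-version table, the RR salt and all function names are hypothetical; the fixed salt is the QUIC v1 value from RFC 9001, which postdates this mail.

```python
import hashlib
import hmac
import secrets

# Assumption: initial salt of QUIC v1 as published in RFC 9001; the drafts
# current when this mail was sent used a different constant.
V1_SALT = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")
QUIC_V1 = 0x00000001
# Constructed sample of a decoded ESNI RR extension: wire version -> actual version.
WIRE_VERSIONS = {0x5A3C9E71: QUIC_V1, 0xC41B07D2: QUIC_V1}
# Constructed per-RR salt, used only to illustrate option b).
RR_SALT = bytes.fromhex("00112233445566778899aabbccddeeff00112233")

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand_label(secret, label, length):
    # TLS 1.3 HKDF-Expand-Label with an empty context, over SHA-256.
    full = b"tls13 " + label
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + b"\x00"
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def client_initial_secret(dcid, salt=V1_SALT):
    # Step 2: the Initial secret depends on the salt and the DCID, not on the version.
    return hkdf_expand_label(hkdf_extract(salt, dcid), b"client in", 32)

def client_pick_wire_version(rr=WIRE_VERSIONS):
    # Step 2: pick any wire version advertised in the (hypothetical) RR extension.
    return secrets.choice(sorted(rr))

def server_accept(wire_version, dcid, rr=WIRE_VERSIONS, salt=V1_SALT):
    # Step 3: map the wire version back to the actual version, then derive keys.
    actual = rr.get(wire_version)
    if actual is None:
        return None  # not a wire version this server advertised
    return actual, client_initial_secret(dcid, salt)

def observer_secret(dcid):
    # On-path observer without the RR: sees the DCID, knows only the public v1 salt.
    return client_initial_secret(dcid, V1_SALT)
```

Under option a) `observer_secret` equals the secret the server derives, so only the version field is obscured; passing `salt=RR_SALT` on both endpoints (option b) makes the two diverge until the observer fetches the Resource Record.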