Re: [Secdispatch] Dispatching draft on key consistency
Christopher Wood <caw@heapingbits.net> Sat, 12 March 2022 02:15 UTC
Return-Path: <caw@heapingbits.net>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7006A3A0E1D for <secdispatch@ietfa.amsl.com>; Fri, 11 Mar 2022 18:15:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=dyDAF+Q2; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=XqSVQLIs
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7hzsD_46Z_KP for <secdispatch@ietfa.amsl.com>; Fri, 11 Mar 2022 18:15:16 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40DAF3A0E1C for <secdispatch@ietf.org>; Fri, 11 Mar 2022 18:15:15 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 4F4925C019C; Fri, 11 Mar 2022 21:15:15 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Fri, 11 Mar 2022 21:15:15 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=cc:cc:content-transfer-encoding:content-type:date:date:from :from:in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; bh=uqhbZ0itvdKpf3 2j6r9kWAx8129Zeeb9iwIoCzhCvsU=; b=dyDAF+Q2yblsnWGC60UezzGSjG+RXx z+7xjmyxrSuPivwFYUGdyb7pZ40zdayhKcUdHlr5V/0oWZqKTk9ho4tvodAZD+nz y0LTgEwQJv6lhw7xy8pq6f8AtUlpO3LDGDsayDYC35i09XMaqBrFLo8N7g27Jpy3 gMFff3oUYpGrPoVuunc1cBKvu6xvGA5iBQG4wCFuao5IiswSB6DAJR6OzSGIFDXx UlGi+CHi3A1nO8mcZ/qJJOumElKGe41H1DlLtbHwwfuycnd+GbMWwB20dsZUD6Ec iPzX+1mFrt1NFkp3cAt9s5pUm9fJCOpMh2KORiNYybnF8mXsjUVBM7wQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=uqhbZ0itvdKpf32j6r9kWAx8129Zeeb9iwIoCzhCv sU=; b=XqSVQLIsI1O+Fj9NRyhUoaC8QPzucn9tzT6UtNdgxeSPd95Iwiu6OBZtf YAaTzfAiJ9RWbsAaia5af19VefCQxqmrzWrusDk4OYowsA4SXMDW4TN3PLbqbk4p Vb7ThF0hsFfpFEB5H18u5uKHnUpwPzVlpuVZEu/XAow18ppgmD46oCPRV9Rh3mEv X38hiF4uuFatAYkWnLx4elgr0g4wNTnjMmYLfVGOOUOOTSMyuQKiJokAxh0b6KSI 4GXLfhoWNazMRuXl++2ls+FG02frSQydPUjflBiGa+6MgtBKl6tDxrKDW6pKhlWV 0YhknGm/ogiwMRfqWUSXxp7w0ne5w==
X-ME-Sender: <xms:MgIsYlbSr7mQSXB0s5gyU9mRYiNMV3MVmBp6we7w7uhQynFpmaAK0Q> <xme:MgIsYsbuE8rFdp06PZ2RJLhLVDOZVju4WZQRGZ8Qj-WZHrMoVDPmWyw5XDw9rtm4f ORLhq2na5TZ1OGFJBA>
X-ME-Received: <xmr:MgIsYn_m6rxNqKYGBWO5v0fDzcLMD2SGF-dVYeDYSo04U-3WdJKC7r9uddKDMVSzccW1NT337306qlEVCtsbuH2Gx56dXhcA2w>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddruddvfedggedvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpegtggfuhfgjfffgkfhfvffosehtqh hmtdhhtdejnecuhfhrohhmpeevhhhrihhsthhophhhvghrucghohhougcuoegtrgifsehh vggrphhinhhgsghithhsrdhnvghtqeenucggtffrrghtthgvrhhnpeeuheekledtfeetff ethedvhffffedvfeduueeiueejvefhvdegieetffdtvdffjeenucffohhmrghinhepihgv thhfrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrh homheptggrfieshhgvrghpihhnghgsihhtshdrnhgvth
X-ME-Proxy: <xmx:MgIsYjqqEV8UYNvns37JWs56nyK-EPMmgooSCi0X278lFkoYIx3zkQ> <xmx:MgIsYgpbMc_37NNP_ZPI5ffqXq3jJijj00iAYvdjilsptkurT7sCBw> <xmx:MgIsYpRb7akVyR_ON30x5sBfrfaX-3dNvOzdurCtZmNauLhxuBfmbg> <xmx:MwIsYnS0GJkBKti0dWmcZQech1kalVWV-9P6JcXLKraM6kdHMwvzKg>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 11 Mar 2022 21:15:14 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
From: Christopher Wood <caw@heapingbits.net>
In-Reply-To: <1699.1647042053@localhost>
Date: Fri, 11 Mar 2022 18:15:12 -0800
Cc: secdispatch@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <5BB6763B-1057-47DA-A9A5-47A665B6DA9C@heapingbits.net>
References: <8BB73374-E38C-40A5-A147-F469B8C24D01@heapingbits.net> <24889.1646506998@localhost> <1C782443-5FDE-4847-8F47-997DDCD0DDE3@heapingbits.net> <1699.1647042053@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/N9huYhv0SqhCko0CRYi8ZazDfZc>
Subject: Re: [Secdispatch] Dispatching draft on key consistency
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Mar 2022 02:15:22 -0000
> On Mar 11, 2022, at 3:40 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > > Christopher Wood <caw@heapingbits.net> wrote: >>> "somehow" ... such an attacker can substitute any on-path attacker key. >>> I don't see how this is distinct from all the other attacks. > >> The problem here is, say, forcing one single client to use key A and >> all other clients to use key B. The attacker would then be able to >> identify the individual client whenever key A is used. > > I understand. > >>>> [4] https://datatracker.ietf.org/doc/draft-wood-key-consistency/ >>>> [5] https://datatracker.ietf.org/doc/slides-110-privacypass-key-consistency-and-discovery/ >>> >>> In reviewing the documents, it seems that it's not "somehow", it's >>> that the proxy has been >>> persuaded to collude with a third party. Perhaps that would be better to say. > >> It’s not clear to me what you mean by "the proxy” here. The document >> doesn’t make any assumption about a proxy. Indeed, direct discovery a >> la section 4.1 >> (https://datatracker.ietf.org/doc/html/draft-wood-key-consistency-02#section-4.1) >> involves only client and server. Would you mind clarifying what you >> mean? > > Oblivious DoH and Oblivious HTTP involve some kind of intermediary. > Maybe calling it a proxy is incorrect, but there is a third party. I think there’s still a misunderstanding here. This draft discusses key consistency that can be _used_ by things like ODoH and OHTTP since, at the end of the day, key consistency is a separable problem. In other words, the draft doesn’t assume any particular protocol in which the key material is used, though the choice of consistency mechanism one uses may certainly be influenced by the protocol for which consistency is required. > >>> Perhaps "persuaded" is the wrong term as well, since I think that the goal is >>> to defend the proxy against NSLs that would force the proxy to collude. >>> >>> What is needed is a kind of canary such that for clients can detect when they >>> are being singled out, and then refuse to operate with that proxy. By >>> existence of such a mechanism, proxies can effectively render themselves >>> useless to such forms of "persuasion". > >> The purpose of key consistency is to give clients a way to ensure they >> are not being singled out, not to tell clients when they are being >> singled out. These seem like different sides of the same coin, no? > > Hard to prove a negative. > Easier to give them a way to recognize a positive, I think. Hmm… I’m not sure I’m following you. Ensuring consistency is proving a positive, i.e., that all clients share the same view of the keying material. (It’s possible we’re saying the same thing but with different words.) > Either way, what does the client do when it figures out it has been singled out? That’s up to the client to decide, I think. It could choose to not use the key for the corresponding protocol, raise some alarms, or whatever else makes sense for the given application. > If the goal is to hide in the crowd, then if there is a spotlight on you, > better act "normally" right, and not give away that one has figure out one > has been found out? > > The client probably needs to go ahead and pretend it hasn't been singled out, > and do some innoculous transactions anyway, right? As above, what the client does when it cannot guarantee consistency is a detail left to the relevant application. That said, I think you’re right in that the client’s behavior — reactive or not — should not lend itself to further privacy problems. Best, Chris > > -- > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) > Sandelman Software Works Inc, Ottawa and Worldwide > > > >
- [Secdispatch] Dispatching draft on key consistency Christopher Wood
- Re: [Secdispatch] Dispatching draft on key consis… Michael Richardson
- Re: [Secdispatch] Dispatching draft on key consis… Christopher Wood
- Re: [Secdispatch] Dispatching draft on key consis… Michael Richardson
- Re: [Secdispatch] Dispatching draft on key consis… Christopher Wood
- Re: [Secdispatch] Dispatching draft on key consis… Eric Rescorla