Re: [Secdispatch] Dispatching draft on key consistency

Christopher Wood <caw@heapingbits.net> Fri, 11 March 2022 22:34 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59BE73A10A4 for <secdispatch@ietfa.amsl.com>; Fri, 11 Mar 2022 14:34:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=ZIdr6vtf; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=cnw+jISF
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mB4LJ5cR32SU for <secdispatch@ietfa.amsl.com>; Fri, 11 Mar 2022 14:34:02 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32E3E3A109E for <secdispatch@ietf.org>; Fri, 11 Mar 2022 14:34:01 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 3B3C75C020E; Fri, 11 Mar 2022 17:34:01 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Fri, 11 Mar 2022 17:34:01 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=cc:cc:content-transfer-encoding:content-type:date:date:from :from:in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; bh=Jd6rbpiQeI7pTy gAtlVddiOCeDLTl6YnxWVaCbfguRs=; b=ZIdr6vtfoC1R/gONpBoaOnKENcTK2r N5mIDKKmAzX5Z7xBu1oXBniio2f+O6aZ1mkoJ1Xkszqo5QrpXWFXpICQaKwWVdfT OUr3CrLtleguHdBpNea3q7oeVF+lcf23+u3+oQAwsvs3gfj1HPJ4oq4iuU/+H2iw D7cxtuSlH3QhqMw53n38HGSAw9mliYOElV+LyhG/PgrfQ8VCPDJ5qXtEh0DiwYTk LBwLLd722JF1k+sGbwtqP2wYnHoNG4VLpo01BOqUgYR5Y9erp4TETN5ShvdBVIKk 0eUIzGnZiyupCxFyucaIIgMaVSNNA3WSIF/prYx8sFEQgxk4EStSynKQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=Jd6rbpiQeI7pTygAtlVddiOCeDLTl6YnxWVaCbfgu Rs=; b=cnw+jISF6V1e/mv4KEs8hLdLn8M0fnqhS4beRiYJnRzbfcQ1w29tmHL20 yabbX5/IeTZ4wzpst8mZHM7XEbK3gRnC1lAmZgNjDEOczmcKLIR1wbX2d5j58PW5 kzs39Vzoc+Qv4jM0VoGT5HuwREyvD75a3esCcKu99MAxwogZ/ww39Fpo2B61mEaA o5sBZ/KYn8iwHjOjgEU6/sVcZ1DQWSS2yhj6Z87sOS7xswi+o/j/3bfyRZbcXDRB VrOclbIJEaC7qbtPJ6k+SAgGhiNB8MkhD5Ue6Lkc+v+VMHqJG0aMe75nNZLWJ5TM 2L9ZEED7ULRT6U2+gn83XAic1MUaw==
X-ME-Sender: <xms:WM4rYkANLtO5s4mm-65dvcRoT8S5BZoyUb4Qvpeek_oeje2pBRChwg> <xme:WM4rYmhAeUmnFj5JTyLyj1mhpcB_MYVnyLNAZrswG7Vw1TERcGCZ-jKvpqlh-oL3m 0nVcdT_PoKbbipH150>
X-ME-Received: <xmr:WM4rYnk0vr9j65i-CoEuEadOXoPUjQGnFOXJViCCYq6Irwnx5_s7qL_jKCdR-Sh-aja-Z1lBKV27ljWfvOdD1xjCga7Uk7nx2w>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddruddvvddgudeitdcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecunecujfgurheptggguffhjgffgffkfhfvofesth hqmhdthhdtjeenucfhrhhomhepvehhrhhishhtohhphhgvrhcuhghoohguuceotggrfies hhgvrghpihhnghgsihhtshdrnhgvtheqnecuggftrfgrthhtvghrnhepueehkeeltdefte ffteehvdfhffefvdefudeuieeujeevhfdvgeeitefftddvffejnecuffhomhgrihhnpehi vghtfhdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfh hrohhmpegtrgifsehhvggrphhinhhgsghithhsrdhnvght
X-ME-Proxy: <xmx:WM4rYqx5kBlYu8uxZs-m3vrjin989KnZoGK7VheyCZKNX4RdydO6qA> <xmx:WM4rYpQaqD5rkL-_F4puyIs9jkLEsayVFHNklwcJxelvXM_8ocGgGw> <xmx:WM4rYlblyg4L0qVnQflHwhac0cT7h34Ef8kh6_Lp9qAXQ7x9jkvAbQ> <xmx:Wc4rYq4H5r7Us_aapzQTQppo13-QZ2Q2l8EcP3nQShXO3ODgMFY4aA>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 11 Mar 2022 17:34:00 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
From: Christopher Wood <caw@heapingbits.net>
In-Reply-To: <24889.1646506998@localhost>
Date: Fri, 11 Mar 2022 14:33:58 -0800
Cc: secdispatch@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <1C782443-5FDE-4847-8F47-997DDCD0DDE3@heapingbits.net>
References: <8BB73374-E38C-40A5-A147-F469B8C24D01@heapingbits.net> <24889.1646506998@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/gWgU_LjpyAxWczIVk5WJQ_1KoEA>
Subject: Re: [Secdispatch] Dispatching draft on key consistency
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2022 22:34:08 -0000

Hi Michael,

Apologies for the delayed reply. Please see inline below.

> On Mar 5, 2022, at 11:03 AM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Christopher Wood <caw@heapingbits.net> wrote:
>> There are a number of different protocols that require multiple clients
>> to discover a common — or consistent — cryptographic public key for
>> use, including: Privacy Pass [1], Oblivious DoH [2], and Oblivious HTTP
>> [3]. Consistency here means that all clients obtain the same view of
>> the public key. An inconsistent view can lead to privacy attacks.
> 
>> For example, in Privacy Pass, if an attacker can somehow force a single
>> (set of) client(s) to use a public key that is distinct from all other
>> clients, then the key used effectively partitions the set of clients
>> into two buckets, and the size and number of these partitions influence
>> the overall privacy posture of the protocol.
> 
> "somehow" ... such an attacker can substitute any on-path attacker key.
> I don't see how this is distinct from all the other attacks.

The problem here is, say, forcing one single client to use key A and all other clients to use key B. The attacker would then be able to identify the individual client whenever key A is used.

> 
>> [4] https://datatracker.ietf.org/doc/draft-wood-key-consistency/
>> [5] https://datatracker.ietf.org/doc/slides-110-privacypass-key-consistency-and-discovery/
> 
> In reviewing the documents, it seems that it's not "somehow", it's that the proxy has been
> persuaded to collude with a third party.  Perhaps that would be better to say.

It’s not clear to me what you mean by "the proxy” here. The document doesn’t make any assumption about a proxy. Indeed, direct discovery a la section 4.1 (https://datatracker.ietf.org/doc/html/draft-wood-key-consistency-02#section-4.1) involves only client and server. Would you mind clarifying what you mean?

> Perhaps "persuaded" is the wrong term as well, since I think that the goal is
> to defend the proxy against NSLs that would force the proxy to collude.
> 
> What is needed is a kind of canary such that for clients can detect when they
> are being singled out, and then refuse to operate with that proxy.  By
> existence of such a mechanism, proxies can effectively render themselves
> useless to such forms of "persuasion".

The purpose of key consistency is to give clients a way to ensure they are not being singled out, not to tell clients when they are being singled out. These seem like different sides of the same coin, no?

Best,
Chris

> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>           Sandelman Software Works Inc, Ottawa and Worldwide