Re: [Secdispatch] Dispatching draft on key consistency
Eric Rescorla <ekr@rtfm.com> Sat, 12 March 2022 02:23 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D48E83A00E0 for <secdispatch@ietfa.amsl.com>; Fri, 11 Mar 2022 18:23:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9U6NgYMb3KIJ for <secdispatch@ietfa.amsl.com>; Fri, 11 Mar 2022 18:23:11 -0800 (PST)
Received: from mail-il1-x136.google.com (mail-il1-x136.google.com [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3421C3A0033 for <secdispatch@ietf.org>; Fri, 11 Mar 2022 18:23:11 -0800 (PST)
Received: by mail-il1-x136.google.com with SMTP id b14so7243875ilf.6 for <secdispatch@ietf.org>; Fri, 11 Mar 2022 18:23:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zZJsZVWdQIvYDryveLRD14u6tel3dQPwMtbeR3UY7v8=; b=m6E2DRdqbMQkn1HBzX8mZV/1yXXUUYFv1TNAaR5BVu1EPnhbDvQLspdXOWwyOeylCa JLWCHP4vnYP2MHI+Qc14PoaIbCb2e8m+rM7fWtjBec+vw60InqutQ/x2j2A1Ok7lXa/f MbZfjdUuLvw2AMwxpCJ0PB8Nl3+gv+wOc8k2m0VsqyMgxZYVboS5bIhpg6TF+oktV4nz xERBP0uOcGnKcgQOC/9yTM93Wg9qVSX7dzN0HDjqNb+r/JUJXrKtuO0V2Wi30S1zPg4P YOAoDGQKxxV1Uds9EmnOG9VfF0LlbPDAR3w3nkaHyqBgA0OPcNxnf6kKn8UIDQQFLTg+ UMCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zZJsZVWdQIvYDryveLRD14u6tel3dQPwMtbeR3UY7v8=; b=H7mjpbTFBsm8ot27NTLS6CvDD/DyBywNG0N5F5i/EU+wexNl6NVFiK2CZ82cqzgQva EvtaZxKvdbKx3irQKDrZTHKF6GpEFyExcwPhJEAKx4lUOyZXvem/+m6uig9WmwxuJ7Aj VdIRGsHHYAh2wNDj5CEYljd5n+0hYRSQzU4IMwSHeXWKVieVsSXPlKSi6w+O6/Nt3/DA inqperZlJ2uErlYpsLJq7LwOSXpAkSn361C7+Nv8i9g11KI35/DFQBRv7wx75BGIfXwM fmBhLOTYYX4mFLh2DOSHfSOxQ6EAHIqvURyxhZRLZ1JAHIbjtDjtHcz4ekH0wLAn8wKl l3UQ==
X-Gm-Message-State: AOAM532wVxKywYcoCh4H0o9XcTL966UVoDba04nH59hfx+0qbVXZvPKO l0NqgL7ctFNp6ZCsCfojMzvi1APtKCIVTEcV52hntw==
X-Google-Smtp-Source: ABdhPJxY6J2hdnqSAZ/YdzWwcYhOoJKyzd1eoDRV5I1xqIyBUMfW8G8f+Cao5O3xVB7mhTYNmIopcotV7xfaBeD7GkM=
X-Received: by 2002:a05:6e02:1887:b0:2c2:4311:cc5a with SMTP id o7-20020a056e02188700b002c24311cc5amr10104648ilu.39.1647051790033; Fri, 11 Mar 2022 18:23:10 -0800 (PST)
MIME-Version: 1.0
References: <8BB73374-E38C-40A5-A147-F469B8C24D01@heapingbits.net> <24889.1646506998@localhost> <1C782443-5FDE-4847-8F47-997DDCD0DDE3@heapingbits.net> <1699.1647042053@localhost> <5BB6763B-1057-47DA-A9A5-47A665B6DA9C@heapingbits.net>
In-Reply-To: <5BB6763B-1057-47DA-A9A5-47A665B6DA9C@heapingbits.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 11 Mar 2022 18:22:34 -0800
Message-ID: <CABcZeBObZz6=1Q+679e8ZJwZaJaYZ-ppHxu=XzFEYioH0TcZJQ@mail.gmail.com>
To: Christopher Wood <caw@heapingbits.net>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, IETF SecDispatch <secdispatch@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000df3a7c05d9fc20e7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/s6jVJQUyrhOld9mZUerRHNhbe0k>
Subject: Re: [Secdispatch] Dispatching draft on key consistency
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Mar 2022 02:23:16 -0000
On Fri, Mar 11, 2022 at 6:15 PM Christopher Wood <caw@heapingbits.net> wrote: > > > > On Mar 11, 2022, at 3:40 PM, Michael Richardson <mcr+ietf@sandelman.ca> > wrote: > > > > > > Christopher Wood <caw@heapingbits.net> wrote: > >>> "somehow" ... such an attacker can substitute any on-path attacker key. > >>> I don't see how this is distinct from all the other attacks. > > > >> The problem here is, say, forcing one single client to use key A and > >> all other clients to use key B. The attacker would then be able to > >> identify the individual client whenever key A is used. > > > > I understand. > > > >>>> [4] https://datatracker.ietf.org/doc/draft-wood-key-consistency/ > >>>> [5] > https://datatracker.ietf.org/doc/slides-110-privacypass-key-consistency-and-discovery/ > >>> > >>> In reviewing the documents, it seems that it's not "somehow", it's > >>> that the proxy has been > >>> persuaded to collude with a third party. Perhaps that would be better > to say. > > > >> It’s not clear to me what you mean by "the proxy” here. The document > >> doesn’t make any assumption about a proxy. Indeed, direct discovery a > >> la section 4.1 > >> ( > https://datatracker.ietf.org/doc/html/draft-wood-key-consistency-02#section-4.1 > ) > >> involves only client and server. Would you mind clarifying what you > >> mean? > > > > Oblivious DoH and Oblivious HTTP involve some kind of intermediary. > > Maybe calling it a proxy is incorrect, but there is a third party. > > I think there’s still a misunderstanding here. This draft discusses key > consistency that can be _used_ by things like ODoH and OHTTP since, at the > end of the day, key consistency is a separable problem. In other words, the > draft doesn’t assume any particular protocol in which the key material is > used, though the choice of consistency mechanism one uses may certainly be > influenced by the protocol for which consistency is required. > Just to sharpen this point, there are uses of key consistency other than for proxied protocols. For instance, consider the case where you want to amortize the cost of solving a captcha. In this case, the server would force the user to solve the captcha and then issue some number of signed tokens (with some kind of VOPRF or something so that it didn't see the actual token value) which can then be used to avoid the captcha the next time. For obvious reasons, we'd like the same key to be used to compute the VOPRF for each user. > > > >>> Perhaps "persuaded" is the wrong term as well, since I think that the > goal is > >>> to defend the proxy against NSLs that would force the proxy to collude. > >>> > >>> What is needed is a kind of canary such that for clients can detect > when they > >>> are being singled out, and then refuse to operate with that proxy. By > >>> existence of such a mechanism, proxies can effectively render > themselves > >>> useless to such forms of "persuasion". > > > >> The purpose of key consistency is to give clients a way to ensure they > >> are not being singled out, not to tell clients when they are being > >> singled out. These seem like different sides of the same coin, no? > > > > Hard to prove a negative. > > Easier to give them a way to recognize a positive, I think. > > Hmm… I’m not sure I’m following you. Ensuring consistency is proving a > positive, i.e., that all clients share the same view of the keying > material. (It’s possible we’re saying the same thing but with different > words.) > > > Either way, what does the client do when it figures out it has been > singled out? > > That’s up to the client to decide, I think. It could choose to not use the > key for the corresponding protocol, raise some alarms, or whatever else > makes sense for the given application. > > > If the goal is to hide in the crowd, then if there is a spotlight on > you, > > better act "normally" right, and not give away that one has figure out > one > > has been found out? > > > > The client probably needs to go ahead and pretend it hasn't been singled > out, > > and do some innoculous transactions anyway, right? > > As above, what the client does when it cannot guarantee consistency is a > detail left to the relevant application. That said, I think you’re right in > that the client’s behavior — reactive or not — should not lend itself to > further privacy problems. > I think in the case I described above, you wouldn't use the token going forward and maybe warn the user. -Ekr > > Best, > Chris > > > > > -- > > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT > consulting ) > > Sandelman Software Works Inc, Ottawa and Worldwide > > > > > > > > > > _______________________________________________ > Secdispatch mailing list > Secdispatch@ietf.org > https://www.ietf.org/mailman/listinfo/secdispatch >
- [Secdispatch] Dispatching draft on key consistency Christopher Wood
- Re: [Secdispatch] Dispatching draft on key consis… Michael Richardson
- Re: [Secdispatch] Dispatching draft on key consis… Christopher Wood
- Re: [Secdispatch] Dispatching draft on key consis… Michael Richardson
- Re: [Secdispatch] Dispatching draft on key consis… Christopher Wood
- Re: [Secdispatch] Dispatching draft on key consis… Eric Rescorla