Re: [TLS] About encrypting SNI
Andy Lutomirski <luto@amacapital.net> Wed, 16 April 2014 17:22 UTC
Return-Path: <luto@amacapital.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 608441A0260 for <tls@ietfa.amsl.com>; Wed, 16 Apr 2014 10:22:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_44=0.6, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JeNvNaI1JJOk for <tls@ietfa.amsl.com>; Wed, 16 Apr 2014 10:22:33 -0700 (PDT)
Received: from mail-la0-f53.google.com (mail-la0-f53.google.com [209.85.215.53]) by ietfa.amsl.com (Postfix) with ESMTP id 17B621A024F for <tls@ietf.org>; Wed, 16 Apr 2014 10:22:32 -0700 (PDT)
Received: by mail-la0-f53.google.com with SMTP id b8so8298844lan.40 for <tls@ietf.org>; Wed, 16 Apr 2014 10:22:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=1sEPuSbwhhZUVIveZ+yYF3Pxb5pArkapInBYrlnWQbw=; b=YhszUUIZxt7TJ++30vPo8OZaOOXmq4UHyuAxokrl+2BU1aNWgWqiwwmNpbAHNM+ZMf atdeOs+6eixy4WF3dtaWwdbfwUfdbF66dUVn6kUj/mzPo1ms6bVGJnmL1qbP895i5zmi UcKCMOokZP4sB2mOP+Ui/guryvbkyNtv1e4fmyZNeAgwOlpGhn0XJb9Bv7qh18o8UMWi w81c1zeiUooOJUocY1yTJDOeG1tGrIfNa78ZClPKBY7J+cBra+yynQYDCv5U6B0crVes n94hS+0wILOqiZlN2KehbGjFILgYrJZ1S3PF9vIWrtCO8HAaPPdw/o9GR/dhCgZhapSF bQrg==
X-Gm-Message-State: ALoCoQnjNFPliLrRv1S/NlE7atLKOo8rTKap9wrDFafecV+02K4LP4mJE07d4d7rrBHe+rvGwDoN
X-Received: by 10.112.134.230 with SMTP id pn6mr3598343lbb.37.1397668949074; Wed, 16 Apr 2014 10:22:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.152.21.7 with HTTP; Wed, 16 Apr 2014 10:22:08 -0700 (PDT)
In-Reply-To: <ADBC94F9-0EBB-4F50-B49D-EDAFF8AD9313@akamai.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED40@USMBX1.msg.corp.akamai.com> <534C3D5A.3020406@fifthhorseman.net> <474FAE5F-DE7D-4140-931E-409325168487@akamai.com> <D2CB0B72-A548-414C-A926-A9AA45B962DA@gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B490162@USMBX1.msg.corp.akamai.com> <CACsn0cmusUc3Rsb2Wof+dn0PEg3P0bPC3ZdJ75b9kkZ5LDGu_A@mail.gmail.com> <534DB18A.4060408@mit.edu> <m2ppkhl08c.fsf@usma1mc-0csx92.kendall.corp.akamai.com> <CALCETrXuvA7XAu7O4QVGe1Ktzo8wfQq88j2g44bfc=MGYzY9BQ@mail.gmail.com> <ADBC94F9-0EBB-4F50-B49D-EDAFF8AD9313@akamai.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Wed, 16 Apr 2014 10:22:08 -0700
Message-ID: <CALCETrUch98b+4qxzkWiy6Hsyg5VBsks9DHv2J1jX08LC48tnQ@mail.gmail.com>
To: "Sniffen, Brian" <bsniffen@akamai.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/0BY2GIKmhVysMqGtYlGJ7zOof2s
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Apr 2014 17:22:37 -0000
On Wed, Apr 16, 2014 at 9:54 AM, Sniffen, Brian <bsniffen@akamai.com> wrote: > > On Apr 16, 2014, at 11:39 AM, Andy Lutomirski <luto@amacapital.net> wrote: > >> On Wed, Apr 16, 2014 at 9:15 AM, Brian Sniffen <bsniffen@akamai.com> wrote: >>> Andy Lutomirski <luto@amacapital.net> writes: >>> >>>> On 04/14/2014 10:21 PM, Watson Ladd wrote: >>>>> Now, the best mechanism I can think off would be to use DNS to preload >>>>> a per-IP SNI encryption key, or have the handshake optionally involve >>>>> getting one. But I still can't figure out how to authenticate the >>>>> gotten key without a lot of complexity. The best solution is for the >>>>> client and server to do a DH, then pass the desired website (which >>>>> might get you investigated when the initial handshake is intercepted), >>>>> and have that cert sign the handled DH, then go back and do a TLS >>>>> connection. Ugh. >>>> >>>> What if it were an opt-in thing? A hypothetical DANE extension could >>>> associate with each domain a tuple (ClientHello-protection public key, >>>> TLS version guaranteed to be supported). Clients could resolve that >>>> essentially for free as long as they're already querying DNS, and this >>>> could prevent downgrade attacks and give an efficient way to encrypt the >>>> entire ClientHello. >>> >>> Then the censor looks to see which key is used, yes? >>> >> >> The idea is that the same key would be used for hello encryption for >> all domains served by the same IP addresses. > > Oh, I see. But the US government customers want a key to a NIST scheme generated with Dual_EC, and the notional non-government entities want anything but that. > >> Even if different keys were used, I'm not sure the censor can tell >> which. I think that the particular public-key protocol I suggested >> doesn't leak any information about the public key used to a censor >> that doesn't know the private key, but I could be wrong. > > But they want different protocols. So we drift to having the censor-approved data on one IP, and the censor-opposed data on another IP. OK, I see the problem here. Three possible solutions: 1. US government customers can just skip setting the DNSSEC option. The same IP can host encrypted and unencrypted ClientHello users. 2. See if Curve25519 can be used in an encrypted ClientHello even with FIPS certification. The argument would be that this isn't really cryptography, since it's just an additional layer on top of something that's already certified. I don't know whether this would fly. 3. Use something like Elligator. This slows down the server a little bit, since it will have to attempt to decrypt the ClientHello once for each possible key, but there only really need to be two keys here. This needs some padding trickery -- see below. I don't think that Elligator works for NIST curves, but Elligator Squared seems to. I actually like #3, despite its complexity, because it allows the entire encrypted ClientHello payload to be indistinguishable from random. This is a further argument for adding a little bit more complexity to allow the rest of the handshake and the record layer to be indistinguishable from random as well. If nothing else, this will make it much easier to extend things in the future, since middle boxes that support TLS 1.3 won't be able to peek inside and screw up future extensions. IIUC the TLS 1.2 record layer is easily distinguishable from random. To keep everything on one page, here's the updated strawman: DNS indicates, for each domain: (cryptosystem, public key, guaranteed TLS version) Cryptosystems include: Non-US-government-preferred choice: ECIES/Elligator on Curve25519, with ChaCha20+Poly1305 AEAD. US-governement-preferred choice: ECIES/Elligator Squared on P-256, with AES-128-GCM. If the client sees one of these DNS records, it sends: ClientHello wrapper || f(a*G) || IV || AEAD(real ClientHello) The function f is either Elligator 2 or Elligator Squared, as appropriate. If Elligator is being used, the client needs to try an average of two times to get a value of a that works. The client is expected to include a padding extension in the real ClientHello with a length calculated to hide the length of the SNI and the length of the ECIES header. The real ClientHello will contain a further extension that contains a session key that will be used to encrypt the rest of the handshake and indicates the cipher suite. This cipher suite MUST be exactly the same as the one used for the ClientHello (ChaCha20+Poly1305 or AES-128-GCM, respectively). The server tries to decrypt the ECIES payload with each of its keys. This is quite fast, unless P-256 is supported, in which case it's still not that bad. It then proceeds exactly as it would if the real ClientHello were sent in the clear. In particular, it does not need to remember the ECIES session key. If the encrypted ServerHello extension is in use, then the ServerHello and all remaining handshake messages are encrypted as specified. This happens regardless of whether the ClientHello is encrypted. If TLS 1.3 plans on encrypting the ServerHello anyway in a manner that is indistinguishable from random, then the extension part of this strawman can be dropped. I don't see why FIPS certifiers would object to the use of Elligator Squared. It's just a transformatoin of the bytes before they are sent on the wire. --Andy
- [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Russ Housley
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Nick Mathewson
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Seth David Schoen
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- [TLS] Forged RST (was: About encrypting SNI) Alyssa Rowan
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] Forged RST (was: About encrypting SNI) Erik Nygren
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] Forged RST Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Nico Williams
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] Forged RST (was: About encrypting SNI) Watson Ladd
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI David Holmes
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI - Traffic Analysis… Michael StJohns
- Re: [TLS] About encrypting SNI - Traffic Analysis… Nico Williams
- Re: [TLS] About encrypting SNI - Traffic Analysis… Stephen Farrell
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Rex
- Re: [TLS] About encrypting SNI Nikos Mavrogiannopoulos
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Thomson
- Re: [TLS] About encrypting SNI - Traffic Analysis… Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Fabrice
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Tim Bray
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Hoffman
- Re: [TLS] About encrypting SNI Viktor Dukhovni
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Yoav Nir