[TLS] Don't Split HelloRetryRequest

Martin Thomson <mt@lowentropy.net> Thu, 01 April 2021 01:58 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79AFC3A0D4B for <tls@ietfa.amsl.com>; Wed, 31 Mar 2021 18:58:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.119
X-Spam-Level:
X-Spam-Status: No, score=-2.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=lOoBRVVR; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=StazQU4E
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zVL4WxrVUJoK for <tls@ietfa.amsl.com>; Wed, 31 Mar 2021 18:58:03 -0700 (PDT)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E3583A0D47 for <tls@ietf.org>; Wed, 31 Mar 2021 18:58:03 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id A21155C00BA for <tls@ietf.org>; Wed, 31 Mar 2021 21:58:01 -0400 (EDT)
Received: from imap10 ([10.202.2.60]) by compute1.internal (MEProxy); Wed, 31 Mar 2021 21:58:01 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:date:from:to:subject:content-type; s= fm1; bh=wrNFFO0LvcEzEm21MuOEHnWqiqpeRCoBbq+HvXrpFrk=; b=lOoBRVVR 8lfd00OdSqnj+i6Nw3S7wo8eO5iBDE2MS/cqDnSC8WxHHcg5QuJMU4p70C9a070r 8fthTRryV12YcLDzQqB5jYscXXzMyK1iZptnAUOjRMlFRl9cmGHMvZcxYJ9xp1DP EwOaCV9282FyZQUYqH3RNPKtF8XDXOdgiUQwH0TyQStE2nNFCh378tRQjRNt2zWJ lgd0+D0mFHpyq+kP8Bhf9jMNXmLFG/vXgreSDUAUTMc01po8iJD3xvKC+ouMeL3b 7t/ahUBi0PK1dIRocERL2jZUQigXp+j2mPETA3eZhc+TSzancruW5OmhRZjgHfd9 71ukBi7fu+YtHw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id :mime-version:subject:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=wrNFFO0LvcEzEm21MuOEHnWqiqpeR CoBbq+HvXrpFrk=; b=StazQU4E9ju2yfltUBe462Gr59JZRmqYOgrp+m9hsYPwc +1cYNY75motJ4JM3Pfl1S2Kqg7d56QVvY0lNEHNX5U3mCfm2KzHyOV0rCJTa67Cl 2lM0yoGncpqkrCVGIF89mMZFQYvvHsybeKxgzIkcW9hEdQhqSSEl8JE+WlguQ+U7 Cd+gXA9VhJLX9xwvOLmnBC5iAcqoaeCyeDfckG/YJUkaYD/CrcSOviT8Fx6YQpJI ZSsmcFV6C+tNJ91gVbtoBe3JW8A/TmA8b0isVk4jhyjmiLs8zcnl+ffknE5OrpBZ 6mPygwMwGPWZg30a4g8JsXxUVetgtPXATjA0wK+2g==
X-ME-Sender: <xms:qShlYAvUazrw2wl-HFA1ZKY9gmIdpbFPQ4bwoaPp8xE9nuMh3OOKBA> <xme:qShlYNdGhQyf5uLKy-TUIryKedVp9Woxrf8yi1YsmiDHgfQkI6x6GZbe_-x241m-5 NiiUzH4VhhZTEllYzg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudeifedghedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfffhffvufgtsehttdertd erredtnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigv nhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpeegueehueejvdeiveffhedvke egffekgffgtdetleefkeeffedtjefhtdduvddutdenucffohhmrghinhepghhithhhuhgs rdgtohhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh epmhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:qShlYLyr-MlrBGQsPYRv1tETig9hUcVmFg8WR2r69fKfqDVOVLVVXQ> <xmx:qShlYDNzXwcEoVwhiKX8wXOhOxw_3qAF7E7qKFVPVbmy6TeTDOklWw> <xmx:qShlYA-ja45dgq_f6WNQHlC1tu6TyTi1t2C0kOdmvnnh5M3Wo-GcNw> <xmx:qShlYDKVgIf_h5NrEWKySKKAin49ZtOQFbn4QXoV47uhZXhlJJ4Tzw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 0F6CA4E0166; Wed, 31 Mar 2021 21:58:01 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-273-g8500d2492d-fm-20210323.002-g8500d249
Mime-Version: 1.0
Message-Id: <d0758a0a-737b-40ac-8189-1b4168510859@www.fastmail.com>
Date: Thu, 01 Apr 2021 12:57:40 +1100
From: "Martin Thomson" <mt@lowentropy.net>
To: tls@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0yEUOAnkHSfDfKRPhw2CtACpwyQ>
Subject: [TLS] Don't Split HelloRetryRequest
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 01:58:08 -0000

I just reviewed the proposal to split HelloRetryRequest into outer and (encrypted) inner.

https://github.com/tlswg/draft-ietf-tls-esni/pull/407/files

I'm strongly opposed to taking the change.  It complicates the design greatly and unnecessarily.

The existing design has some flaws, but they can be fixed more elegantly than this.

(Apologies if this seems a little long.  I'm writing down every possible argument I can think of, because I can't guarantee that I will be coherent at the meeting.)

# HelloRetryRequest Has a Narrow Purpose

Let's first address the key question of what HelloRetryRequest exists to do.  It exists to ensure that the client and server are able to jointly agree on keys to use for the remainder of the handshake.  This is a very narrow scope.

Furthermore, the particulars of key agreement are public.  This is important as we can also say that all hidden servers need to use the same configuration as it relates to cipher suites, key exchange, and related parameters, as the results of negotiation are sent in the clear in the ServerHello.

My claim here is that there is no value in protecting any parameter that might change in response to HelloRetryRequest.

# Don't Seek Complexity

It is entirely possible to imagine scenarios where an inner ClientHello has different preferences from an outer ClientHello.  While in theory we can construct a design that would support that (the pull request does this well enough), to do so only serves to increase complexity.  It does not address any real use case or problem that I'm aware of.

If we allow for the client to provide different values in inner and outer ClientHello messages, then the current design means that the client is faced with some ambiguity about which of the two messages a HelloRetryRequest applies to.  If we try to create an indicator, then that leaks.

We could solve the problem by making the protocol more complex.  Or we could avoid it.

This problem is entirely avoidable.

# Matching Inner and Outer Values

When we get right down to it, there are a very small number of things that truly change in response to HelloRetryRequest.  And all of these changes are to values that do not need confidentiality protection.

The draft lists three fields that change: ciphersuites, key_share, and version.  From my perspective, changing cipher suites, supported groups, or versions would be a big mistake.  So what changes is even more limited.  Just the shares in key_share.

On this basis, a client that offers cipher suites, groups, versions, and key shares that are identical in both inner and outer ClientHello messages will always receive a HelloRetryRequest that applies equally to both messages.

The only adjustment that is acceptable with respect to these fields being identical is the addition of TLS 1.2-only options to the outer ClientHello (or the removal of the same from the inner ClientHello if you prefer it that way around).  This is a fine optimization on the basis that accepting ECH represents a commitment to support TLS 1.3 (or higher).  But it is really just an optimization (the draft makes this mandatory, which is silly).  The client can therefore remove options from the inner ClientHello only if it is impossible to select them with TLS 1.3 or higher.

For new extensions, if they define a means of adjustment or correction via HelloRetryRequest (there is currently just one: password_salt, which I haven't examined), then they too need to follow this restriction.   It's not an onerous one.

Follow this simple constraint and HelloRetryRequest will always apply equally to both inner and outer ClientHello and everything works.  Conveniently, this is more or less exactly what the current draft says.  Almost.

The draft currently allows inner and outer ClientHello to have different types of key share.  The way it handles this is terrible: it recommends breaking the transcript.  To me, that seems like it would only serve to open the protocol up to downgrade attack.

Incidentally, I don't see a problem with having a different key share *value* in inner and outer ClientHello.  There's no point in doing that unless you believe that these values leak information (they really shouldn't), but it wouldn't break this model if a client decided to do that.

https://github.com/tlswg/draft-ietf-tls-esni/issues/333 appears to be concerned about the cookie only applying to one or other ClientHello.  I don't see how is the case, so I'm just going to say that this is fixed by having HelloRetryRequest apply to both inner and outer ClientHello messages.  If the client receives HelloRetryRequest that applies to just one of the two, then the problem is that the client is faulty.  That would be treated as a programming error as normal (crash, open a bug report, send an internal_error alert, etc...).

Then there are the things that more or less have to change in response to HelloRetryRequest, but really only because the ClientHello changes: padding, pre_shared_key, and ECH itself.  For those, we need to address a minor inconsistency problem at the level of the core protocol itself.

# Addressing Minor HelloRetryRequest Problems

We do need to fix RFC 8446 rules regarding HelloRetryRequest.  David already suggested some minute adjustments for that problem in https://github.com/tlswg/draft-ietf-tls-esni/issues/358 .  The short version is that extensions can define their own rules for how they change after HelloRetryRequest.  This is a good amendment, especially as it relates to extensions that are not known to the server.

That tweak does have deployment issues, because the original rules have been interpreted too literally in some cases, but that should not affect ECH specifically.  Servers that have this bug won't be able to deploy ECH without fixing the bug and that's OK.  Other servers will only see grease.

The draft currently mandates that greasing values not change after HelloRetryRequest, which will avoid this compatibility bug, but also reveal the fraud.  I can tolerate that small amount of leakage.

# Avoiding HelloRetryRequest

I think that Nick's suggestion for helping avoid HelloRetryRequest by placing hints about key shares in DNS SVCB/HTTPS records is a fine one.

I see the arguments about this being about the configuration needing to speak for backend servers when the record relates to frontend servers.  But my perspective here is that you already need to ensure that backend servers have a consistent cryptographic support profile; adding a small number of frontend servers to the set that need to be made consistent isn't that difficult.  If this consistency is not possible in some deployments, that's understandable, but then it is an optional enhancement that won't be available to those deployments, that's all.

Of course, this is an extension that we can pursue separately.

# Conclusion

I'm firmly opposed to splitting HelloRetryRequest.  I would like to deploy ECH and this doesn't really help with that.

I don't agree that there is a problem that needs to be fixed with the current draft.

On the other hand, I can guarantee that this change will delay Firefox deployment significantly (that is, for an indefinite period).  It would require rearchitecting a piece of code that is rarely used already (despite being a source of significant complexity) and replacing it with code that is even more complex and would include paths that are even more lightly used.