Re: [TLS] three ECHO issues
Ben Schwartz <bemasc@google.com> Mon, 09 March 2020 15:23 UTC
Return-Path: <bemasc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A1383A1298 for <tls@ietfa.amsl.com>; Mon, 9 Mar 2020 08:23:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EAl-nYzUYg5X for <tls@ietfa.amsl.com>; Mon, 9 Mar 2020 08:23:36 -0700 (PDT)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD07B3A12AB for <tls@ietf.org>; Mon, 9 Mar 2020 08:23:35 -0700 (PDT)
Received: by mail-wr1-x42d.google.com with SMTP id m9so2713985wro.12 for <tls@ietf.org>; Mon, 09 Mar 2020 08:23:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0p5rE9DD+56p5t4B5n7rX3meEVUqAwhJUF9Hnjstz1E=; b=COok0ld/fO5SNdOR3jvyr2rtiUfTiERPyvaSkappoCqu0xaNDYMyFLhsEGzysAwVcb Y/SypLlamFPOXSTP0TyV2WiZqB6qBgPNFCNNa2LnfRtEYKInZfAejESkdQZg6cLgKD6p +ts8VxBOEA9xV8COcWM/p3NDSaJQ3YmBhTOyQ2IqgkbtyliqiPvUArmHwpnk6tMDmgTx +YnzVbv9IvD97WX+MHjyrTpBnmVs3VsEgueRsbCzb4jjn96OugRwJwe7qZu+NJCPfV0g tV/6Lp6alcTyloEL7+oGBroRjMnXSJFrxltLbCgVS8FNj1z7+hOcnH99Mk8CymxHtTD4 EFgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0p5rE9DD+56p5t4B5n7rX3meEVUqAwhJUF9Hnjstz1E=; b=CgnlLGhAqM4YCTngADHdMzxWyYGYfwSVipei558al2vf4SAgQWzvsSrVsnlfH/hFuU lVMpzClKVQmm/UGl2kBppNgFdtYtrW6NiN16AEpWoTK57tJzsVHJxQmbHgU0qXbqExf2 /JOw+RBzrup7v+d2QqFFLQ/hDURvbyLYoYYbeXRa0QOwOawgiMpTuDQPBM9J3zN7d4qc 3/SPoH3WOO+NPl76wynu7TqHsqd79dNNfetrIKDyl563CH4Y0P8ZVQAXOOJ6nLc4yiRq FZhqaWmFHBDU6AFKeAjoy/RpUeJCdbd3DnuYsHr9mBhCQKePLknRH/eDmdGHi3sl9m4T delQ==
X-Gm-Message-State: ANhLgQ0RjLugbDbJHLyHhT0+Hxq7K2Tt+GNrnM4NyqDFRAioQADNc2iD D3Uwu1FxYb81pfq02PlTMvxeJMQY/Iu3A6fdiJSqUR1z
X-Google-Smtp-Source: ADFU+vtI3nBx8vzEgWNWBRx5MF66BGqznJFQFF4Vr3bmCJ9DnjMnl3pCl2nO6uK707vgAIZxt2vroB5BXA8bPlrSHF0=
X-Received: by 2002:adf:9501:: with SMTP id 1mr21973281wrs.426.1583767413664; Mon, 09 Mar 2020 08:23:33 -0700 (PDT)
MIME-Version: 1.0
References: <a212c2da-f2fd-9013-4934-a46e03b024f3@cs.tcd.ie> <87368A1A-0F1E-45C6-938C-0F755208E9B4@heapingbits.net> <7fc87dd2-88dd-16e9-979f-3770d41184b2@cs.tcd.ie> <5f325608-ea37-5ce6-67cd-139fac8a41b3@huitema.net> <f2b57747-54b0-118a-b4e3-ef7558d4d911@cs.tcd.ie>
In-Reply-To: <f2b57747-54b0-118a-b4e3-ef7558d4d911@cs.tcd.ie>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 09 Mar 2020 11:23:21 -0400
Message-ID: <CAHbrMsCdC3oebHKxQp6OF2RCmeZZpg6TH-tjJbMNcgrTjfj8Jw@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Christian Huitema <huitema@huitema.net>, Christopher Wood <caw@heapingbits.net>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000025756905a06d9603"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1sPbzcj-SO3u3T6LdnSFNZqnV58>
Subject: Re: [TLS] three ECHO issues
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2020 15:23:46 -0000
On Mon, Mar 9, 2020 at 6:49 AM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > On 09/03/2020 02:13, Christian Huitema wrote: > > On 3/8/2020 10:14 AM, Stephen Farrell wrote: > > > >> I'm questioning whether that's a good goal or not. In my > >> analysis of the various extensions, only SNI and ALPN seem > >> to offer immediate value. > > > > Uh, No. First, we do have fingerprinting attacks that look at the > > pattern of extensions. If the extensions are encrypted in the ESNI, they > > cannot do that. > > Well... that depends on whether or not the outer CH that > includes the inner exposes fingerprintable detail. If it > were possible to define a minimal outer CH profile that > everyone could use, then I'd be for that, but not sure > it's feasible. > Instead of one profile for "everyone", the ECHOConfig could provide instructions for forming the ClientHelloOuter. BTW, enumerating the supported ALPNs in the ECHOConfig would solve the ALPN padding problem (but now we're awfully close to cTLS...). > And then, we have extensions that reveal a lot about the > > app, like for example the QUIC parameters extension. Those are just as > > sensitive as the ALPN. > > Wasn't in the OpenSSL code I looked at:-) But sure, if > there are others that offer immediate value, good to know > about 'em. What's a good ref for that? (I've not been > keeping up to date with QUIC-detail.) > > The main problems I've seen in inner/outer variance > so far relate to the TLS key share though - because > that (and associated values) generate loads of internal > state that has to be duplicated and that can have a > bunch of hard to track side-effects in the code when > the trial decryption is being checked. It seems like trial decryption can be avoided by tagging the ServerHello. For example, the client could include X random bytes in the ClientHelloInner, and the server could echo them in cleartext if ECHO is in use, or send X random bytes if ECHO decryption failed. (The extra upstream bytes can probably be avoided by returning a hash of the nonce or something.) Would this make implementation easier? > For most other > outer CH extensions, I expect values would have little > or no effect really, as the client should either give > up or try again with new ESNI public keys, but that > might not be true of QUIC stuff - any idea? > > Anyway, if the consensus ends up to be to code up > a fully flexible outer CH, then I'll try do that, > but I'd love to hear that others have looked at > their code and (still) figure that's a good plan. > > Cheers, > S. > > > > > > -- Christian Huitema > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] three ECHO issues Stephen Farrell
- Re: [TLS] three ECHO issues Christopher Wood
- Re: [TLS] three ECHO issues Stephen Farrell
- Re: [TLS] three ECHO issues Christopher Wood
- Re: [TLS] three ECHO issues Stephen Farrell
- Re: [TLS] three ECHO issues Christian Huitema
- Re: [TLS] three ECHO issues Rob Sayre
- Re: [TLS] three ECHO issues Christopher Wood
- Re: [TLS] three ECHO issues Stephen Farrell
- Re: [TLS] three ECHO issues Ben Schwartz
- Re: [TLS] three ECHO issues Christopher Wood
- Re: [TLS] three ECHO issues Eric Rescorla
- Re: [TLS] three ECHO issues Ilari Liusvaara