[TLS] Solving HRR woes in ECH
Christopher Patton <cpatton@cloudflare.com> Fri, 26 March 2021 00:05 UTC
Return-Path: <cpatton@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFF0C3A10BD for <tls@ietfa.amsl.com>; Thu, 25 Mar 2021 17:05:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8MKQxdptc_Y2 for <tls@ietfa.amsl.com>; Thu, 25 Mar 2021 17:05:14 -0700 (PDT)
Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 491093A10BC for <tls@ietf.org>; Thu, 25 Mar 2021 17:05:14 -0700 (PDT)
Received: by mail-qt1-x82a.google.com with SMTP id l13so3105953qtu.9 for <tls@ietf.org>; Thu, 25 Mar 2021 17:05:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:from:date:message-id:subject:to; bh=m6A9AasqaBQcktj+EQLjKTznee6GxSUW/qt1jMpVocI=; b=fjb2rbRcrpelHrweAHXC99Ze9W0ZyBnN5atjNX1di5Xfps3oVCAEQ+R5SALWx1w1H+ 4IjaN1Nh/6LMdn0XAElnl0LWX839KBUKY7Mm00YqqQvgFzdbL77MaH46d0G8VIx/Ov4T zY2hMp8pJXcgI0ZMTvRKui/U8+b01vXOUrV98=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=m6A9AasqaBQcktj+EQLjKTznee6GxSUW/qt1jMpVocI=; b=MILIZQmDMfxtBeFspEy3/6KoMazQnclsKcnc35s571IhLfnx7AraB3jvJkWHav8zNJ 7HIWZZHRVPycVS5GVzGjOdXcMt9LFmORGIFPONXoh9BEciv0x9cNg2MeCdf1DzB/i7sV AOAFECJAB2ydtYEkfUik0fqK/eLvCvCvALCVab6wtXN/mdPrPymlGSTXy2tCVrPyQWSO 4qX/sHMnq4LaNyIlBklXvPvSfbUG/SrY7ttn+cim7Ruy5vKjywOpHz49R2vnE6U6FeEq OyLDcmGBhVHaMbmXf8h6xz2MQsvMWitfHZbhmE+HtxHzu6ZQqNfND0tElMWE0Z6JR55d SKDA==
X-Gm-Message-State: AOAM530M2AR04gfkNX3CKdfZcVgwzMfClP9itjhGOL+780TYsWyunxdE zSCirAFTxg+3YXOcPoMadx4QH4rX2xspIfBrrZILIfFT3f77BX1t
X-Google-Smtp-Source: ABdhPJzmkjqxE5wWNvy8UJ3C25wc0zJ6Bsa3EkdiVRqmcRM2y5G0i84KiOqr8/A5bXQlfeGpZeGMHyIu2FOJiW+lexw=
X-Received: by 2002:ac8:5a42:: with SMTP id o2mr10293413qta.191.1616717112338; Thu, 25 Mar 2021 17:05:12 -0700 (PDT)
MIME-Version: 1.0
From: Christopher Patton <cpatton@cloudflare.com>
Date: Thu, 25 Mar 2021 17:05:01 -0700
Message-ID: <CAG2Zi20utVzjUnTAWcRSxbhjexhJLvZ9aHT--nn_5jk82MRt=g@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002f093405be6549d1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2XWCv5Urp-tPETJRHfuP_vFS22A>
Subject: [TLS] Solving HRR woes in ECH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Mar 2021 00:05:19 -0000
Hi all, One of the open issues for ECH is how it interacts with HelloRetryRequest (HRR). The central difficulty is that a client may advertise different preferences for HRR-sensitive parameters in the ClientHelloInner and ClientHelloOuter. And because the HRR path has no explicit signal of which ClientHello was used, the client may not be able to know how to respond. The following PR solves this problem by adding to HRR an explicit signal of which ClientHello was used: https://github.com/tlswg/draft-ietf-tls-esni/pull/407 The design was originally proposed by David Benjamin in the issue referenced by the PR. Along the way, It also solves a handful of other HRR issues that have been identified. One consequence of this particular solution is that real ECH usage "sticks out" if the server responds with an HRR. In particular, signaling which ClientHello was used also signals whether ECH was accepted. However, the solution is designed to mitigate "don't stick out" attacks that attempt to trigger the HRR codepath by fiddling with bits on the wire. The distinguisher only arises when HRR happens organically. Feedback is appreciated! Best, Chris P.
- [TLS] Solving HRR woes in ECH Christopher Patton
- Re: [TLS] Solving HRR woes in ECH Nick Sullivan
- Re: [TLS] Solving HRR woes in ECH Carrick Bartle
- Re: [TLS] Solving HRR woes in ECH Ben Schwartz
- Re: [TLS] Solving HRR woes in ECH Stephen Farrell
- Re: [TLS] Solving HRR woes in ECH Christopher Patton
- Re: [TLS] Solving HRR woes in ECH Eric Rescorla
- Re: [TLS] Solving HRR woes in ECH Eric Rescorla
- [TLS] key_share hints in DNS David Benjamin