Re: [TLS] three ECHO issues
Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 09 March 2020 16:26 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C361D3A142C for <tls@ietfa.amsl.com>; Mon, 9 Mar 2020 09:26:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bplDMxcfrkvO for <tls@ietfa.amsl.com>; Mon, 9 Mar 2020 09:25:59 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DDC23A13BA for <tls@ietf.org>; Mon, 9 Mar 2020 09:25:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 8F803156C9 for <tls@ietf.org>; Mon, 9 Mar 2020 18:25:56 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id fwZ5qAO-m4TP for <tls@ietf.org>; Mon, 9 Mar 2020 18:25:56 +0200 (EET)
Received: from LK-Perkele-VII (87-100-246-37.bb.dnainternet.fi [87.100.246.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 1142372 for <tls@ietf.org>; Mon, 9 Mar 2020 18:25:54 +0200 (EET)
Date: Mon, 09 Mar 2020 18:25:54 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: tls@ietf.org
Message-ID: <20200309162554.GA2149461@LK-Perkele-VII>
References: <a212c2da-f2fd-9013-4934-a46e03b024f3@cs.tcd.ie> <87368A1A-0F1E-45C6-938C-0F755208E9B4@heapingbits.net> <7fc87dd2-88dd-16e9-979f-3770d41184b2@cs.tcd.ie> <5f325608-ea37-5ce6-67cd-139fac8a41b3@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <5f325608-ea37-5ce6-67cd-139fac8a41b3@huitema.net>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2k72Dgp6bzuS4bjDXakM2uxMo_c>
Subject: Re: [TLS] three ECHO issues
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2020 16:26:06 -0000
On Sun, Mar 08, 2020 at 07:13:05PM -0700, Christian Huitema wrote: > On 3/8/2020 10:14 AM, Stephen Farrell wrote: > > > I'm questioning whether that's a good goal or not. In my > > analysis of the various extensions, only SNI and ALPN seem > > to offer immediate value. > > Uh, No. First, we do have fingerprinting attacks that look at the > pattern of extensions. If the extensions are encrypted in the ESNI, they > cannot do that. And then, we have extensions that reveal a lot about the > app, like for example the QUIC parameters extension. Those are just as > sensitive as the ALPN. The extensions Stephen was complaining about are related to "crypto- graphic context". And these extensions differing in meaning across the two client hellos seems like asking for trouble to me. There are some harmless differences tho, e.g., omitting some banned in TLS 1.3 group from inner supported_groups. These extensions are the ones that are valid in HRR or SH (except tls_cert_with_extern_psk, which is not cryptographic context despite being in SH), plus a few others (supported_groups, record_size_limit, psk_key_exchange_modes). Also included is non-extension ciphersuite list. Then there is the special snowflake that is pre_shared_key. One wants both inner and outer pre_shared_key to have the same number of PSKs, with the same associated hash functions (if the PSKs are real at all). But obviously binders have to differ. Intuitive rule would be for servers to establish cryptographic context before even looking at ECHO. And then if the front server determines that split mode should be used, forward to/from back server, at which point the decisions on cryptographic context are just moot (and the back server does its own cryptographic context based on inner client hello). Unfortunately I suspect that would not actually work due to PSKs. A shared-mode server sees PSK that can be resumed and then resumes it. Now what if the inner client hello contains SNI which is unknown? I suspect pretending that ECHO did not exist would be the best option. And there are more annoying corner cases: What keys would be used for 0-RTT? Inner and outer client hello gives different 0-RTT keys, even if all cryptographic context is as same as possible. And how is lame (misconfiguration) back server supposed to reject the forwarded connection? Plaintext unrecognized name alert? -Ilari
- [TLS] three ECHO issues Stephen Farrell
- Re: [TLS] three ECHO issues Christopher Wood
- Re: [TLS] three ECHO issues Stephen Farrell
- Re: [TLS] three ECHO issues Christopher Wood
- Re: [TLS] three ECHO issues Stephen Farrell
- Re: [TLS] three ECHO issues Christian Huitema
- Re: [TLS] three ECHO issues Rob Sayre
- Re: [TLS] three ECHO issues Christopher Wood
- Re: [TLS] three ECHO issues Stephen Farrell
- Re: [TLS] three ECHO issues Ben Schwartz
- Re: [TLS] three ECHO issues Christopher Wood
- Re: [TLS] three ECHO issues Eric Rescorla
- Re: [TLS] three ECHO issues Ilari Liusvaara