Re: [TLS] ECH Padding
Christopher Patton <cpatton@cloudflare.com> Wed, 23 June 2021 23:24 UTC
Return-Path: <cpatton@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8AF23A13B3 for <tls@ietfa.amsl.com>; Wed, 23 Jun 2021 16:24:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dPlovJX6aZjM for <tls@ietfa.amsl.com>; Wed, 23 Jun 2021 16:24:09 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAFCF3A13B7 for <tls@ietf.org>; Wed, 23 Jun 2021 16:24:08 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id j184so9694707qkd.6 for <tls@ietf.org>; Wed, 23 Jun 2021 16:24:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=B9QxV8oOrR5EZqn/nNbwIiE6Qo49lFKg2IlSKb3gAog=; b=rmKtwKieuK3vTjd8K8EH5QOALI+OmQzo6BhmtUsWnoZrecGZXy2Qvl2Rs5MtKZCsBc Decj1ieDaKlQHU1sk6EeN8Kc/ITqGw6ARLfop+gGT0cEiTDw0KbBhZUnGhkGjNJaxQB8 43AJqYVg91d/15JDW9v3hA/JklLQxq6puuQ4k=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=B9QxV8oOrR5EZqn/nNbwIiE6Qo49lFKg2IlSKb3gAog=; b=YeEU3/7REZyocBhBBpq68I1N8madjnXY6xSTHI9WDzrLZlpEzPOJ5EfzKnHl3jsp6N B8X4pVN6tqgKzsuJl8AvEH5NuzKTr1SmyckFkL626mBeuzLaNBI71SrFgamzF/41rvIG ojjvoQEy5Eui8slx1e3mprBM0Czr7BtZwq8QvM9UxOozY8bvI+VfWTlw5UbtMI7g1wbC ws6jgIO/CgfB3zVdh2X5jAStxNvU2nBSBPPxXx9BObyBQiD4jFaLeRaAB9rcYLAQw7ob EoBk3pVNQs2+9w0m+ILJnhUUnZkGnGv/nMtLEyY3vYxiTtR+EulzvYgsC30hsN3hRumQ MjSw==
X-Gm-Message-State: AOAM532mtaNRd81jdNocq/pl5XdX+BZfdXC7tiD5819XykNfVFNnhcco j9X0qpqkarxpBVoaiprdlR3K314ouCJYbsbYgqnqCQ==
X-Google-Smtp-Source: ABdhPJzGAt43DV3yTFOAVA7ocTAIIdA6IzfCc0du4k4i40RdHE14SeoOeSxXzcFn0yHhMVJ5mjTPe+ICZzystybu/Bg=
X-Received: by 2002:a37:9c84:: with SMTP id f126mr2683273qke.329.1624490646921; Wed, 23 Jun 2021 16:24:06 -0700 (PDT)
MIME-Version: 1.0
References: <CAG2Zi21oLUmoNLXVD7QuOOLre4XZtxJxt=2SH_ELkigdUT9m6g@mail.gmail.com> <9079ead0-cf72-4d90-937d-4d1637f984d7@www.fastmail.com>
In-Reply-To: <9079ead0-cf72-4d90-937d-4d1637f984d7@www.fastmail.com>
From: Christopher Patton <cpatton@cloudflare.com>
Date: Wed, 23 Jun 2021 16:23:56 -0700
Message-ID: <CAG2Zi204AhtZ_jdz69G8ROdg8uOOvDiVBx58TuRDC6D0FGOkbg@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f385d805c577338c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4o6JkJ-IQpbN3Rk4k9UwJcdQs80>
Subject: Re: [TLS] ECH Padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jun 2021 23:24:14 -0000
I support adopting #443. For the server side, I have a weak preference for #457 (2) over #313 (3) because it makes it easier to implement a complete solution. I have not yet assessed how hard it is to implement ... perhaps it would be best if we all tried it out in our respective stacks and report back on the complexity? Chris P. On Tue, Jun 22, 2021 at 3:56 PM Martin Thomson <mt@lowentropy.net> wrote: > So I like #443 as I have said. It simplifies padding for CHInner a lot. > > I also like #457 (option 3). My initial reaction was not positive, but > I've come to appreciate the value of it. I don't like that this has to be > in the transcript (QUIC doesn't need it by virtue of a design that > separates protection levels from content type), but as far as solutions go > it is the easiest to implement. In other words, it has the fewest awful > shortcomings - a benchmark that has come to define ECH. > > On Wed, Jun 23, 2021, at 07:27, Christopher Patton wrote: > > Hi all, > > > > One of the last design questions for Encrypted ClientHello (ECH) is to > > decide how to pad encrypted handshake messages so that their length > > does not leak privacy-sensitive handshake-parameters. The current > > approach is to insert padding into the record layer as needed. However, > > the consensus reached in [1] is that computing record-layer padding > > based on the contents of handshake messages entails implementation > > complexity that is untenable, particularly for QUIC and DTLS. The > > alternative that most folks are happy with is to insert padding into > > the handshake messages themselves, as this prevents details of the > > handshake logic from bleeding into the record layer code. > > > > There are a few PRs for adding handshake-level padding that we could > > use feedback on. > > > > (1) https://github.com/tlswg/draft-ietf-tls-esni/pull/443 Adds > > padding to EncodedClientHelloInner, the message that is encrypted and > > stuck into the ECH extension of the ClientHelloOuter. This prevents > > leakage of sensitive parameters in ClientHelloInner. > > > > (2) https://github.com/tlswg/draft-ietf-tls-esni/pull/313 Defines a > > new extension, which the client sends in ClientHelloInner in order to > > solicit a response in the backend server's EncryptedExtensions message. > > The server''s response contains padding it can use to prevent leakage > > of sensitive parameters in its first flight of handshake messages. > > > > (3) https://github.com/tlswg/draft-ietf-tls-esni/pull/457 > > (alternative to (2)) Defines a new handshake message, Padding, which > > the client and backend server always send just before Finished in case > > of ECH acceptance. One advantage of this approach over (2) is that the > > length of the padding can be evaluated after the > > Certificate/CertificateVerify messages have been chosen, making it > > possible to account for sensitive parameters in these messages without > > needing to buffer the whole flight of messages. The downside is that it > > may add complexity to the state machine of TLS 1.3 implementations. > > > > There are some open questions regarding how to compute the padding > > length, but these should be orthogonal to deciding the mechanism. > > > > Thanks on behalf of (some of) the contributors, > > > > Chris P. > > ____ > > [1] "Handshake-level vs record-level padding." > > https://github.com/tlswg/draft-ietf-tls-esni/issues/264 > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org > > https://www.ietf.org/mailman/listinfo/tls > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] ECH Padding Christopher Patton
- Re: [TLS] ECH Padding Stephen Farrell
- Re: [TLS] ECH Padding Christopher Patton
- Re: [TLS] ECH Padding David Benjamin
- Re: [TLS] ECH Padding Stephen Farrell
- Re: [TLS] ECH Padding David Benjamin
- Re: [TLS] ECH Padding Martin Thomson
- Re: [TLS] ECH Padding Christopher Patton