Re: [TLS] ESNI and padding
Ben Schwartz <bemasc@google.com> Thu, 20 June 2019 13:16 UTC
Return-Path: <bemasc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB308120045 for <tls@ietfa.amsl.com>; Thu, 20 Jun 2019 06:16:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.509
X-Spam-Level:
X-Spam-Status: No, score=-17.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xjyELEc-8eVJ for <tls@ietfa.amsl.com>; Thu, 20 Jun 2019 06:16:25 -0700 (PDT)
Received: from mail-ua1-x933.google.com (mail-ua1-x933.google.com [IPv6:2607:f8b0:4864:20::933]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2152C12000E for <tls@ietf.org>; Thu, 20 Jun 2019 06:16:25 -0700 (PDT)
Received: by mail-ua1-x933.google.com with SMTP id s4so1610002uad.7 for <tls@ietf.org>; Thu, 20 Jun 2019 06:16:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=m8We00VKw0xpVJoZnRcMcpBJ4snuEicwp/V8gY9vBgA=; b=kCgSgCIhUjDVPX5vuPvdRokLbdsFrMvvZmtbavNvDkzoUkzCnS24Ufl3xkJJYwP+tS Ehxj8SuYMPOdA24DXQxtGy5cS5J54Buh9e9tkGnGJw63gpbIZ2nvdDuSXB3r5QjbMPtE XykkNQrI3rLNv1jT+cicwk0bVcS0kYRBHLBDT1qFG7xG3Zl7AyFhNBWhsyTi+zQCDddn 8SiqJZE1h03+BuI4DmSeIbyZt5RPi+uOBboeIK1RTqbjbw0Ha3AwwdO5cnFiaDQ98Yu/ zw250au4360ZFmtbdn6nFe9+dqKty/8ZLTxK/i+k9HqWsOPMJ8raPLrr9VpRERfFJgvh i+sA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=m8We00VKw0xpVJoZnRcMcpBJ4snuEicwp/V8gY9vBgA=; b=ui1daesNxOVlTm0AwZWAp0lmser9+i3S4uBivVGXTUCdQGEc46QGVode4/RguLaIMi MS3TBV2RU0Cn7g2PubHkQyfu38Sxc4exF29t0KuvPgIFqumdvTayBE6KkRtJPZDJtDU3 z4V96FZ1JJNXWqTCt7iUYDIF1qHs9VU/fpjjc5yHXeYzbe0I1Oox769DkL8lzAktmcdQ cuEqMiA4NZmTexAjvfkwQqQhJQJp9/TWpZNb+PyLeHRGABQ/R+453D8FF38LTF/90zfs qe6CRdH5cxcownhAOgPlx0NBqNKzEJeO16Wt5udkSmhIVCKIs0XoeNxwuV4rhGo35I61 uUYA==
X-Gm-Message-State: APjAAAXxCSyFq/VemBN4iHvR4NJDH1gYNaDci6kqUfErNTVantpWxN1t srCq+tc7DzMm5uDTRurMLqlRaw4dPYgL2G6mmZj9bHbS7/s=
X-Google-Smtp-Source: APXvYqz4WlzXV0BwYw4G/vqv2hCJK+iE+bEW6+WMVLwaMXf8101hEAaHymTVukAhcV7IDR9Fyd3B5ex4227NzmESS+0=
X-Received: by 2002:a9f:2e0e:: with SMTP id t14mr25613541uaj.119.1561036583626; Thu, 20 Jun 2019 06:16:23 -0700 (PDT)
MIME-Version: 1.0
References: <eb4bc1a3-ebff-b174-e601-5cf727a7bedd@cs.tcd.ie> <CAHbrMsAa+FudZ-t3MOnxa37rz=D_-1=izaPqBk-2nHaO_L9czA@mail.gmail.com> <65bae8fa-36b1-4724-4107-2e0e02a6adc6@cs.tcd.ie>
In-Reply-To: <65bae8fa-36b1-4724-4107-2e0e02a6adc6@cs.tcd.ie>
From: Ben Schwartz <bemasc@google.com>
Date: Thu, 20 Jun 2019 09:16:10 -0400
Message-ID: <CAHbrMsCBzUH_Pk-qTAOR37qPsQogxa41Qbnrkoiub79tQHsAzA@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000016de23058bc12714"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AGNjaQ_u1jS6qv2oxEGUoD0rFMQ>
Subject: Re: [TLS] ESNI and padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jun 2019 13:16:28 -0000
On Thu, Jun 20, 2019 at 8:04 AM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > On 20/06/2019 12:20, Ben Schwartz wrote: > > > > As you are clearly aware, this approach provides essentially no privacy > > protection in the case where a user is repeatedly connecting to a very > long > > domain on a server whose other domains are reasonably short. > > Yep. I don't believe that that's at all a common scenario, > but if I'm wrong then sure, the approach I outlined wouldn't > be a good plan, at least not with N=32, but maybe some other > N would work fine. Do we know how common very long SNI names > are? (I don't.) > > If we think that scenario is a real problem, that can't be > sufficiently mitigated via picking a good N, then I guess > always having padding_length==260 would be the only answer. > In which case I see no upside and some downsides in having > that field in ESNIkeys. > > > Rather than make a privacy-vs-efficiency tradeoff in the spec, the > current > > text leaves this option to the implementer. For example, within the > > current protocol (albeit bending the recommendations slightly), an > > implementer could easily bucket names by length, and offer separate > > ESNIKeys for each length bucket. I think this is preferable; only the > > server operator knows their own privacy and efficiency goals. In my > view, > > setting N=32 for the first bucket would reproduce most of the benefits of > > this proposal without altering the current protocol. > > Fair point. OTOH, if you did that, the last (or maybe even > all but the first) bucket would likely mean an ESNIKey used > for very few names, so you end up with the same issue you > called out above. And it adds some more complexity to what's > an already complicated thing. So while that could always > be done, and with the current spec, I'd not be keen to > recommend it myself. > > I just looked back at RFC8467 which recommends padding DNS > queries to a multiple of 128 octets. I also looked at a couple > of DNS queries on my laptop just now and there seems to be > about 40 octets overhead over and above the qname length > (each "." adds two octets in the encoded length vs. the > string length it seems). So one could I guess argue for some > commensurate amount of padding in the ESNI extension and > whatever was used for DoT or DoH. I wonder if the data DKG > used to generate that recommendation in 8467 might tell us > anything here? > I've implemented RFC 8467 myself, and I'm grateful for the recommendation, but I think it's rightly marked Experimental. It's not clear how to judge the amount of privacy protection it offers, or whether it's truly a good balance between privacy and efficiency. However, as a matter of overhead, your test suggests that RFC 8467 roughly doubles the size of each query packet. That's similar to the proportional effect of maximum ESNI padding on a typical ClientHello. Proportionally, I expect RFC 8467 adds more padding to the whole DNS transaction than current ESNI adds to the whole TLS handshake. It might even be true in absolute terms, on average. In the context of a full TLS connection, the proportional impact of ESNI is even smaller. Again though, I think considering DNS query padding argues > that this ought be a client-driven thing and not tied to the > ESNIKeys. One important difference between these cases is that DNS is essentially an "open world", where no one knows the whole space of possibilities, whereas a specific server is a "closed world", a finite set of domains (known only to the server operator). That puts the server operator in the unique position to make correct padding decisions, and also makes the adversary's job much easier if the padding is incorrect. If no padding was used for DoT or DoH, the ESNI > length may already have leaked regardless of the padded_length. > That said, I'm not sure what, if any, padding is being done > by DoT or DoH clients. (I use stubby and it does some padding > sometimes but I'm not sure what.) > In general, I think we should assume that no SNI information is leaking through other channels when making design choices for ESNI. Otherwise, we risk ESNI itself becoming the limiting factor in the future as those other leaks are fixed. > > Cheers, > S. > > > > >
- [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Eric Rescorla
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Ben Schwartz
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Ben Schwartz
- Re: [TLS] ESNI and padding Eric Rescorla
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Christopher Wood