IETF Logo Mail Archive

[TLS] key_share hints in DNS

David Benjamin <davidben@chromium.org> Fri, 26 March 2021 21:28 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 445E93A116F for <tls@ietfa.amsl.com>; Fri, 26 Mar 2021 14:28:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.499
X-Spam-Level:
X-Spam-Status: No, score=-9.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.251, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FnUgr5PAuJHr for <tls@ietfa.amsl.com>; Fri, 26 Mar 2021 14:28:51 -0700 (PDT)
Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 836813A1116 for <tls@ietf.org>; Fri, 26 Mar 2021 14:28:49 -0700 (PDT)
Received: by mail-pg1-x535.google.com with SMTP id p12so823382pgj.10 for <tls@ietf.org>; Fri, 26 Mar 2021 14:28:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dqhA7k6mZSDtkZrRtMbFdQSJnFj3aS3K6o5gpWjC4Kc=; b=CjJuvLIaGnRZZd4le0lADJS3sXtGHZPUNbGJGNXHpK7Kcl+p7+W1lyIAH7iQdNYSK7 dLwnAVOw9JGdNBSwXur2PdmYChGZqrEz1oeL0IpyvqIbUA9nN+yvkndA1Yi1jESXUpws xPbr+vQ9j2URSUd6EHmZOGUUqR3bzOGF9ypY0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dqhA7k6mZSDtkZrRtMbFdQSJnFj3aS3K6o5gpWjC4Kc=; b=ZgyR3pcIIo2bIH8Ck3uxW3mRyrc2eFQe5zO1hursOXIc9+es1THXDsLVq1Ee1kSC96 WCJQ2CfrC2jR0FLn8cU6M/KrbjLPorYH9abRrBeQ5Oe3FSTgqBNYKH4ltQaEeDdrrc4h LeB+5A/FnRPwzUJJ0FktMviyyBqFS2A629QZx/at05wg3DMRGlzwEOZNdZn56Guy5vKm sw37F4nrFr9p+vIk5L76t9phah/j5kyhNegL03nGLwyIAg+IYHOGaTpbekJFO7ALjcHl p1Xqie8QYoIey8c7pUm4wnuOcj2hIQfSqSYGrsg6wmY11m18ICUp6Rw4sTONXw4I1UMj hbaw==
X-Gm-Message-State: AOAM532mZnXhdj3QKtTWJbZPXlQyadPquUYKgERRFfWXIqJagpg5Z/NN y2bFLyCTTPUAuah5o1VM/kAfhlgQemp/Y0rsruw7sdamiA==
X-Google-Smtp-Source: ABdhPJzFcmUc5BAuj25TeouJ3pC29vgp5tQ15tuH7af/rftRHwePVmE8ZDLhueW9eek1l8WbqvEouP0fzBYJRVobwrk=
X-Received: by 2002:a65:4c01:: with SMTP id u1mr14233368pgq.182.1616794128369; Fri, 26 Mar 2021 14:28:48 -0700 (PDT)
MIME-Version: 1.0
References: <CAG2Zi20utVzjUnTAWcRSxbhjexhJLvZ9aHT--nn_5jk82MRt=g@mail.gmail.com> <CAFDDyk_0NdYvaXgnUp21DkxTogUJrhN4xwEtnVNTkXvhzKKOGw@mail.gmail.com> <CAHbrMsA4ng7nJj-O+H0uhC6qULsP7jgiFD8gT-S6Lcmfq+k9Ow@mail.gmail.com> <c9df2a3a-dd87-ea30-49cb-c69ea4f2ef20@cs.tcd.ie> <CAG2Zi21YTHDMK_-WMFtYBo2Xnj1Sx-VR1SQeyyc0uwomRO1GUQ@mail.gmail.com>
In-Reply-To: <CAG2Zi21YTHDMK_-WMFtYBo2Xnj1Sx-VR1SQeyyc0uwomRO1GUQ@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 26 Mar 2021 17:28:32 -0400
Message-ID: <CAF8qwaDiN0JFxgvqzM77+jQwaid4e6jKq9e89F8dTN9ahHJNfw@mail.gmail.com>
To: Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b2d83305be773779"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BA1tgToNrEHdsBUxD4syeQem-Zk>
Subject: [TLS] key_share hints in DNS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Mar 2021 21:28:58 -0000

(Switching the subject line because the key share hints idea seems
orthogonal to the ECH HRR issue.)

I agree with Stephen that, if we do the key share hint idea, it should be
separate from the ECHConfigList. In addition to a mismatch in describing
client-facing vs. backend servers, there are also multiple ECHConfigs. This
is to manage different ECH versions, key types, sets of critical
extensions, etc. Adding things that aren't correlated with ECH information
would interact awkwardly.

There's also a downgrade nuisance to work through, depending on how the
server interprets key_share vs. supported_groups. Information from DNS is
not authenticated. If your server selects the group based exclusively on
supported_groups, and then only looks at key_share *after* the group
selection is set, unauthenticated key_share hints are fine. Attacker
influence on key_share won't translate to a downgrade attack.

If, however, the server incorporates key_shares into group selection, this
is not okay. An attacker could inject a hint for weaker key shares, and the
server may select that instead. I remember this coming up for TLS 1.3, and
I think we ended up allowing either flow, which is why HelloRetryRequest
retains the handshake transcript. Moreover, the client doesn't know how the
server will interpret the key_share list, but it's the client that decides
whether to honor the hint.

And, yeah, it wouldn't solve ECH's HRR problems because of synchronization
issues and cookies. Also, I don't think this is right:

> NIck's idea boils down to providing a recipe for how to construct the
CHOuter, [...]

It would most likely be a hint towards CHInner, since that's the "actual"
ClientHello, and the aim of such a feature would be to reduce HRRs. This
really seems just orthogonal to ECH.

David

On Fri, Mar 26, 2021 at 12:30 PM Christopher Patton <cpatton=
40cloudflare.com@dmarc.ietf.org> wrote:

> I really like this idea, but I don't see it as a solution to ECH's HRR
> woes. NIck's idea boils down to providing a recipe for how to construct the
> CHOuter, but AFAICT, there's nothing in the TLS or HTTPS-RR specs that
> requires the client to follow this recipe. We would still need a way of
> reconciling differences in preferences between CHInner and CHOuter.
>
> I think we should pursue using HTTPS-RR this way independently of ECH.
> It's not just useful for ECH, after all. All connections would benefit from
> knowing the server's preferences in advance of the ClientHello.
>
> Chris P.
>
> On Fri, Mar 26, 2021 at 8:10 AM Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
>
>>
>> Hiya,
>>
>> On 26/03/2021 13:44, Ben Schwartz wrote:
>> > This seems like a reasonable suggestion to me, so long as the value is
>> > purely a "hint", as you seem to be proposing.  I would suggest
>> structuring
>> > it as an ECHConfig extension.  This would avoid the need for multiple
>> > points of integration between TLS and DNS, support the use of HRR hints
>> in
>> > other ECH use cases that don't involve DNS, and help to exercise the
>> > ECHConfig extension mechanism.
>>
>> (I'm not stating an opinion on the PR yet but...) If there
>> is to be some new data included in SVCB/HTTPS RR values then
>> that ought be structured bearing in mind who produces which
>> bits of data. An ECHConfig is a binary blob mostly produced
>> by the client-facing server, whereas TLS parameters for the
>> backend server are not produced at the same place. Including
>> the latter as an ECHConfig.extension is not therefore a good
>> design IMO. Justifying those (IMO:-) unnecessary ECHConfig
>> extensions is also not a goal.
>>
>> Information about the backend's TLS preferences, if published
>> in the DNS, ought be outside the ech value in HTTPS RRs. If
>> we wanted to publish information about the client-facing
>> server's TLS preferences in the backend's zone file, then
>> that could be put into the ECHConfig all right. (It's a pity
>> that we didn't split out the ECHConfigs from different
>> client-facing servers in SVCB/HTTPS to make all that easier
>> isn't it?)
>>
>> Cheers,
>> S.
>>
>> >
>> > On Thu, Mar 25, 2021 at 9:28 PM Nick Sullivan <nick=
>> > 40cloudflare.com@dmarc.ietf.org> wrote:
>> >
>> >> Hi Chris,
>> >>
>> >> HRR in ECH does seem challenging. This may be tangential to the PR you
>> >> linked, but there may be a way to reduce the likelihood of HRR by
>> moving
>> >> even more of the handshake negotiation into DNS. The HTTPS RR is
>> already
>> >> used for some types of negotiation (ALPN and ECH key), so why can't it
>> be
>> >> extended further to advertise to the client what the server is willing
>> to
>> >> support for cryptographic negotiations?
>> >>
>> >> For example, the HTTPS record could additionally contain the server's
>> >> supported supported_groups and cipher_suites. With this information, a
>> >> client could know which key_share extensions a server is likely to
>> accept
>> >> and adjust its clienthello accordingly. A client who typically sends
>> two
>> >> key_shares (P256 and x25519) for maximal compatibility could then
>> reduce
>> >> the size of its client hello (no need to send redundant key_shares) or
>> even
>> >> prevent an HRR flow altogether in the case that the default key_shares
>> or
>> >> cipher_suites are not supported by the server.
>> >>
>> >> This tweak wouldn't remove the need for HRR completely -- it could be
>> >> necessary when changing server configuration, for example -- but it
>> could
>> >> remove the need for HRR in the common case.
>> >>
>> >> Nick
>> >>
>> >> On Thu, Mar 25, 2021 at 8:05 PM Christopher Patton <cpatton=
>> >> 40cloudflare.com@dmarc.ietf.org> wrote:
>> >>
>> >>> Hi all,
>> >>>
>> >>> One of the open issues for ECH is how it interacts with
>> HelloRetryRequest
>> >>> (HRR). The central difficulty is that a client may advertise different
>> >>> preferences for HRR-sensitive parameters in the ClientHelloInner and
>> >>> ClientHelloOuter. And because the HRR path has no explicit signal of
>> which
>> >>> ClientHello was used, the client may not be able to know how to
>> respond.
>> >>> The following PR solves this problem by adding to HRR an explicit
>> signal of
>> >>> which ClientHello was used:
>> >>> https://github.com/tlswg/draft-ietf-tls-esni/pull/407
>> >>>
>> >>> The design was originally proposed by David Benjamin in the issue
>> >>> referenced by the PR. Along the way, It also solves a handful of
>> other HRR
>> >>> issues that have been identified.
>> >>>
>> >>> One consequence of this particular solution is that real ECH usage
>> >>> "sticks out" if the server responds with an HRR. In particular,
>> signaling
>> >>> which ClientHello was used also signals whether ECH was accepted.
>> However,
>> >>> the solution is designed to mitigate "don't stick out" attacks that
>> attempt
>> >>> to trigger the HRR codepath by fiddling with bits on the wire. The
>> >>> distinguisher only arises when HRR happens organically.
>> >>>
>> >>> Feedback is appreciated!
>> >>>
>> >>> Best,
>> >>> Chris P.
>> >>> _______________________________________________
>> >>> TLS mailing list
>> >>> TLS@ietf.org
>> >>> https://www.ietf.org/mailman/listinfo/tls
>> >>>
>> >> _______________________________________________
>> >> TLS mailing list
>> >> TLS@ietf.org
>> >> https://www.ietf.org/mailman/listinfo/tls
>> >>
>> >
>> >
>> > _______________________________________________
>> > TLS mailing list
>> > TLS@ietf.org
>> > https://www.ietf.org/mailman/listinfo/tls
>> >
>>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email