IETF Logo Mail Archive

Re: [TLS] Alternative ESNI?

Eric Rescorla <ekr@rtfm.com> Sat, 15 December 2018 13:23 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FB64129BBF for <tls@ietfa.amsl.com>; Sat, 15 Dec 2018 05:23:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.358
X-Spam-Level:
X-Spam-Status: No, score=-3.358 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 01IS4hGugrZD for <tls@ietfa.amsl.com>; Sat, 15 Dec 2018 05:23:16 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43235127AC2 for <tls@ietf.org>; Sat, 15 Dec 2018 05:23:16 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id n18-v6so7223282lji.7 for <tls@ietf.org>; Sat, 15 Dec 2018 05:23:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kR5WwuCGav7es0YTeIUopHKE3WhI0E1+m9wz76ibizA=; b=XvUcVNbpbDCT39ruD7LMauasrPaQMlbBT62B/yORkMV22rcnYzSqVvW//UZCrU6L7p rmWgFGhKgcv/yKYSTN9hqQWcRObuixP9x/ADE9XOrCmw8xhA7mq/yhixTjljWQXo+wVQ vG4Andj4e/Y6+ITwyPO3hHs9fb0BjF60IKjuJKkc/iF2xCfGN1uVJOBt0uAdTJu7VVpI qMPtwulIzaK39VlkPrlEcBikJQ8mkP3ZTvAM89mOKfqhFYAcSM22Id+iEPGW31oHHP6w 1vRm8WSljRtVgJUvoo4IXJVHD/8bzQl7PgTRIGkS/mrysyzKVoyNwESEQIYAq+jpzXXt /w7g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kR5WwuCGav7es0YTeIUopHKE3WhI0E1+m9wz76ibizA=; b=g7kM8j21vvLE2b8xUkStfDdYavaoYmJyE49Ms+OJIh3IiuxiBxSujE3llxnWYL7hb1 1x9rODyr6mYNlXciqMvuwKbXWQW7KP0PuiaSEEI9BguKYvGL2pPjSQT51QNh3N7tm07T rxPbIuoN1/l7YEU9pyc4XiLss4iGqjUoZpaJBOIRsQ+YyqlQ4YRsYwEvkVDocD+eoAw4 qXbSxhto/IExuIx5VozybkWWRhDjeBPJ+VVrrCtp/I44beZb9V4qYKydpAeLQOVkfmIA Y0A/lDK3RKvCYSaJqJt94OLDFryiOI6rAnrkSjcbemmYQ7xKsluOwYvTFqat+xNceIJM S6WA==
X-Gm-Message-State: AA+aEWbsN0NUprSfu4cnawQDPsej9KBvzgSiv71HJRo3iCUvY11lKwzs 1yQm/vm8D11PrQ8wR/i9PrZdqcHt53MkAmLveuuS3H8N
X-Google-Smtp-Source: AFSGD/UH4L94lHszLUp3SxR+Cf4aqZd2ClknWlDJSwwnHjjFu+21QOfJb+sxj5UY3xwbjQpJYCGSj04lSliRoh/fmGQ=
X-Received: by 2002:a2e:6503:: with SMTP id z3-v6mr3790468ljb.153.1544880194294; Sat, 15 Dec 2018 05:23:14 -0800 (PST)
MIME-Version: 1.0
References: <20181215025346.GJ15561@localhost> <CABcZeBM_7LF-UDH8NR3Kad-8zSJBWwuNsDEJVAagHf1cV4Ow6g@mail.gmail.com> <20181215054836.GK15561@localhost>
In-Reply-To: <20181215054836.GK15561@localhost>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 15 Dec 2018 05:22:37 -0800
Message-ID: <CABcZeBNtx4esf7kRAtNUsqKvrCWTR_9_P14KGA1T7ADCVHmy6g@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000033a75c057d0f733b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/D8n_JSomA5GtFjOPF1qQBKX1AA8>
Subject: Re: [TLS] Alternative ESNI?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Dec 2018 13:23:19 -0000

On Fri, Dec 14, 2018 at 9:48 PM Nico Williams <nico@cryptonector.com> wrote:

> On Fri, Dec 14, 2018 at 08:01:35PM -0800, Eric Rescorla wrote:
> > On Fri, Dec 14, 2018 at 6:54 PM Nico Williams <nico@cryptonector.com>
> wrote:
> > > OpenSSL extracts and uses SNI from session resumption tickets.
> > > This gave Viktor Dukhovni and Matt Caswell an idea that I'll relay here
> > > on their behalf.
> > >
> > > Also, while we're at it, I'd like to note that SNI is not the only
> thing
> > > requiring privacy protection from the client.  There's also the PSK
> > > identity payload for non-resumption PSKs...  Not as important as SNI,
> > > perhaps, nonetheless I think we should maximize privacy, else we'll be
> > > engaging in repeated encrypted-{fill-in-the-blank} exercises.
> > >
> > > Our proposal makes DNS optional (for co-tenancy fronting discovery) and
> > > DNSSEC not necessary.
> > >
> > > The basic idea is to use a HelloRetryRequest to make a handshake
> traffic
> > > secret available to the client for it to use in its subsequent hanshake
> > > messages.  This form is susceptible to an SNI disclosure active attack
> > > -- same as the current ESNI proposal w/o DNSSEC.  This variant adds one
> > > round-trip to full handshakes.
> > >
> >
> > We looked at this class of design during the initial work on TLS 1.3
> > because (a) it has trivial active attacks, as you note and (b) we
> > don't want people to have to accept an extra round trip in order to
> > get ESNI, because that's a major disincentive to doing it.
>
> One of the two has no active attack


It only doesn't have an active attack because you have assumed away
some method of distributing the name to put in the SNI in the clear.


and the extra round trip is already
> possible due to the existing HelloRetryRequest flow.


Yes, but we expect that HRR is going to be quite rare. If it's not,
other things have generally gone wrong.


BTW, the flows I presented have no multi-CDN keyshare private key
> distribution issues because there are no keyshares to publish in the
> DNS.
>

No, but they have similar problems in terms of coordinating the SNI
you put in the clear. Consider the case where domain X desires to
use ESNI and is hosted on CDN 1, which also hosts domains A, B, and
C, and CDN 2, which also hosts domains U, V, and W. What domain
does it put in the cleartext version of the SNI?






> > WRT to the active attack point, DNSSEC isn't necessary with the
> > current ESNI design. What's necessary is that the client be able to
> > get the ESNIKeys record (and the A/AAAA records) securely wrt to the
> > attacker trying to get the SNI.  However, in a large number of cases
> > (e.g., an attacker on your local network, there are non-DNSSEC ways of
> > obtaining this property, such as using DoH.  In addition, if the
>
> DoH?
>

DNS over HTTPS.


> > We can then optionally piggy-back the server's Certificate and
> > > CertificateVerify along with the HelloRetryRequest (provided the
> > > client's initial key_share is acceptable to the server), and now we
> have
> > > authenticated the server under its fronted name, which means there is
> no
> > > active attack on the ESNI.  This still only adds just the one
> round-trip
> > > to full handshakes.  And look ma', now w/ no DNSSEC requirement to
> avoid
> > > active attacks.
> > >
> >
> > This seems like a more invasive version of what David Benjamin et al.
> > proposed the other day, just without the ESNI key at all. I don't
> > think this is an acceptable general solution for latency reasons (as
> > opposed to fallback), and of course you still need some way to
>
> Again, it's comparable to the existing HelloRequestRetry flow case.
>

A case which we try to avoid.



> > securely obtain the domain name you put in the SNI, and if this isn't
> > done with DNS, then you end up with a situation where very few people
> > use ESNI and so you stick out.
>
> Granted.  But not having to coordinate privte keys for the keyshares to
> be published in the DNS seems like a very big win.
>

As noted above, I don't think you're meaningfully avoiding this,

-Ekr


> Nico
> --
>
> Nico
> --
>

v2.23.0 | Report a Bug | By Email