IETF Logo Mail Archive

Re: [TLS] Solving HRR woes in ECH

Eric Rescorla <ekr@rtfm.com> Fri, 26 March 2021 21:25 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C33C3A1084 for <tls@ietfa.amsl.com>; Fri, 26 Mar 2021 14:25:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3gA0QatYLCrx for <tls@ietfa.amsl.com>; Fri, 26 Mar 2021 14:24:58 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3515B3A10B1 for <tls@ietf.org>; Fri, 26 Mar 2021 14:24:56 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id u20so8908710lja.13 for <tls@ietf.org>; Fri, 26 Mar 2021 14:24:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0kCsdwoJsNzbFcD/O65L/Cnasnf56wAxR0e01axlUao=; b=wR169GNR3C9LaDoMKV7eO5tVnzNDphKdBANXGjEy9VZatUgoJllRxsD9Z4KxEf7KVs jOgUt3MuTCvW6rRyqxqfqjGXc06plVRAeF6iKqbnE5QecWLsh7dLysOLTlBBfrAcXkss igFMSiMIE1Mzy9Zxuqwd99eYEJxee4EdjHub/3iHY0TUohiB9woudWzEa+VjHYSOdKrg yR3IIG88aYRSm/yVlAGFZVFTEfSrc1uVanY+Ysgcm6TNRKpkZyF1Qqa1uVNi7XKE8CUZ 0CbkJaNEbJxpA4/x6Qkkp/PgjVUnl1STBiMhLnzrdZU3Jlf0t+eXna52KbaV1iW5KreO Qb/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0kCsdwoJsNzbFcD/O65L/Cnasnf56wAxR0e01axlUao=; b=cxoPh6x8yWzrOkf5fE+xlZNUbdHVYCTdPwhQh7tGkCCTKRwhNH1SY7SRNLs/gWy2CH gF3Ti9/RbVgIfU/X7FdVqUg7nFSwkFUNRDoSrIRx8Vw6Q/feBxGZS3FCqhRLB2y3cVx9 lyND5x8C9nxAn9kyjrmgRvXfQCXUMeJzpwd5EYVzNexX3CXN+GR6OyuHOi/UdtfGStwV w0pCS6XAuTUihtVRjeBstmhNXyIXuk73v8DZ/5/YAgm8ZY1RD2wLojadyU44mtIEcG5f 4pFNvim9S8arB04iYOOFJka2x2F1Bn4YEZZVRurF3LeUWpB+kdHWvWtpYuI/aFfxhYtA VZHw==
X-Gm-Message-State: AOAM532dpoANzVpeo2Ud48lnXrgP6nYMnVoL96tn5p4oHy+o3nrGqvAV BKkD19zMz2QGz1+vd4MDGFOGIwFwvoiuhEuPK2KAPZNiCUGT8g==
X-Google-Smtp-Source: ABdhPJx99GmLSNNWKCjaZvi7pTNBrKpmFFxg6Opc/dXy3CYihqqEAMizzTkcrxjaL0/JGX3HzfLWyX9tucF8EawIoeU=
X-Received: by 2002:a2e:b053:: with SMTP id d19mr9993199ljl.82.1616793892905; Fri, 26 Mar 2021 14:24:52 -0700 (PDT)
MIME-Version: 1.0
References: <CAG2Zi20utVzjUnTAWcRSxbhjexhJLvZ9aHT--nn_5jk82MRt=g@mail.gmail.com>
In-Reply-To: <CAG2Zi20utVzjUnTAWcRSxbhjexhJLvZ9aHT--nn_5jk82MRt=g@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 26 Mar 2021 14:24:16 -0700
Message-ID: <CABcZeBPQmd2gq7nxp=YpG1CMo9tkNdy=LqBzaR7agGsd_552EA@mail.gmail.com>
To: Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a978d105be7729c7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DjPrs0hJRIr3Pf4S_MbIdCKoyV8>
Subject: Re: [TLS] Solving HRR woes in ECH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Mar 2021 21:25:00 -0000

This is more complicated than I would have liked, but I also don't see how
to simplify it. As of now, I think it's the best we can do.

-Ekr


On Thu, Mar 25, 2021 at 5:05 PM Christopher Patton <cpatton=
40cloudflare.com@dmarc.ietf.org> wrote:

> Hi all,
>
> One of the open issues for ECH is how it interacts with HelloRetryRequest
> (HRR). The central difficulty is that a client may advertise different
> preferences for HRR-sensitive parameters in the ClientHelloInner and
> ClientHelloOuter. And because the HRR path has no explicit signal of which
> ClientHello was used, the client may not be able to know how to respond.
> The following PR solves this problem by adding to HRR an explicit signal of
> which ClientHello was used:
> https://github.com/tlswg/draft-ietf-tls-esni/pull/407
>
> The design was originally proposed by David Benjamin in the issue
> referenced by the PR. Along the way, It also solves a handful of other HRR
> issues that have been identified.
>
> One consequence of this particular solution is that real ECH usage "sticks
> out" if the server responds with an HRR. In particular, signaling which
> ClientHello was used also signals whether ECH was accepted. However, the
> solution is designed to mitigate "don't stick out" attacks that attempt to
> trigger the HRR codepath by fiddling with bits on the wire. The
> distinguisher only arises when HRR happens organically.
>
> Feedback is appreciated!
>
> Best,
> Chris P.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email