Re: [TLS] Some comments on draft-rescorla-tls-esni-00
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 24 July 2018 15:01 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C993131110 for <tls@ietfa.amsl.com>; Tue, 24 Jul 2018 08:01:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v8R-hQbjD0AX for <tls@ietfa.amsl.com>; Tue, 24 Jul 2018 08:00:59 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DE5B130E96 for <TLS@ietf.org>; Tue, 24 Jul 2018 08:00:59 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 6172F33C67; Tue, 24 Jul 2018 18:00:56 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id itfu1UKXoj28; Tue, 24 Jul 2018 18:00:55 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 8E8BF72; Tue, 24 Jul 2018 18:00:53 +0300 (EEST)
Date: Tue, 24 Jul 2018 18:00:53 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "TLS@ietf.org" <TLS@ietf.org>
Message-ID: <20180724150053.GA27089@LK-Perkele-VII>
References: <D9DA5A34-8B1D-4C45-89F2-8668CBC7F229@ericsson.com> <CABcZeBMv5w=bPZNhTAb4AYHbzJTA8d38B6QeJhtSaqXnUt7Eiw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBMv5w=bPZNhTAb4AYHbzJTA8d38B6QeJhtSaqXnUt7Eiw@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/H8ksiXPgvlZ3-i-ysnxuqICvc1g>
Subject: Re: [TLS] Some comments on draft-rescorla-tls-esni-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jul 2018 15:01:03 -0000
On Fri, Jul 20, 2018 at 01:02:19PM -0700, Eric Rescorla wrote: > On Fri, Jul 20, 2018 at 12:52 PM, John Mattsson <john.mattsson@ericsson.com> > wrote: > > > encrypted_sni = AEAD-Encrypt(key, iv, KeyShareClientHello, > > PaddedServerNameList) > > > > Unless it causes problems of some kind, I would recommend doing that. > > > > Thanks. This seems like a good plan. Would an acceptable alternative be to > hash the KeyShare into the key? Might also consider hashing in the server side public key and group identification. Also, one might consider post-quantum already. Even if the algorithms are not known, the characteristics of the algorithms are: The client key share is not useful to derive the shared secret (because client key share is client's public key), and furthermore none of the algorithms client key shares use might be useful, because they all might only be secure for one use, where SNI encryption needs security with many uses (whereas key exchange only needs to be secure for one use[2]). That one can reuse the key shares for both purposes only works with Diffie-Hellman type schemes. The ones similar enough that are known for PQC are of quite uncertain security and very slow. Also, the document says: "Note that the length of this structure MUST NOT exceed 2^16 - 1, as the RDLENGTH is only 16 bits [RFC1035]." Actually, you get trouble before that point: - 48,960 byte ESNI keys structure would blow the DNS RDLENGTH field due to BASE64 and TXT overheads (binary data in TXT record is a bad idea, even if in theory it would work). - About 48750 byte or thereabouts total ESNI keyset could blow DNS maximum message size, which just breaks DNS, with no recovery possible[1]. No sharp limit can be given due to precise limit depending on the domain. Also, searching if there is some pre-emptive answer in the document as to why it uses TXT as opposed to new RRTYPE, I found the following: "Clients SHOULD not fall back to cleartext SNI," I presume "SHOULD not" should be "SHOULD NOT". [1] Many DNS implementations probably treat exceeding maximum DNS message size as Undefined Behavior: They assume it never happens, and if it happens, the consequences can be anything. And these implementations can internally add stuff, and assume this added stuff will fit. [2] The one-use schemes tend to be much more efficient even with key generation for each connection included. And one can not eliminate that many key generations even for use-multiple algorithms, because reusing a key across SNI values is insecure. -Ilari
- [TLS] Some comments on draft-rescorla-tls-esni-00 John Mattsson
- Re: [TLS] Some comments on draft-rescorla-tls-esn… Eric Rescorla
- Re: [TLS] Some comments on draft-rescorla-tls-esn… Ilari Liusvaara