IETF Logo Mail Archive

Re: [TLS] TLS ECH, how much can the hint stick out?

Karthik Bhargavan <karthikeyan.bhargavan@inria.fr> Sat, 12 September 2020 11:55 UTC

Return-Path: <karthikeyan.bhargavan@inria.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E9B53A083F for <tls@ietfa.amsl.com>; Sat, 12 Sep 2020 04:55:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vi6yCz0Kgqvo for <tls@ietfa.amsl.com>; Sat, 12 Sep 2020 04:55:47 -0700 (PDT)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E78C3A0365 for <tls@ietf.org>; Sat, 12 Sep 2020 04:55:45 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.76,359,1592863200"; d="scan'208,217";a="358796094"
Received: from 89-156-101-160.rev.numericable.fr (HELO [192.168.0.20]) ([89.156.101.160]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Sep 2020 13:55:43 +0200
From: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>
Message-Id: <92B8A28A-D274-4554-BAEC-4C7CC352BFC6@inria.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DC64CA88-AE23-48F6-AFA1-4F10CE361D9A"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Date: Sat, 12 Sep 2020 13:55:43 +0200
In-Reply-To: <52b2e6d6-7a18-6c18-1974-7dab7e3bda63@huitema.net>
Cc: Ben Schwartz <bemasc@google.com>, "tls@ietf.org" <tls@ietf.org>
To: Christian Huitema <huitema@huitema.net>
References: <d33c685c-6bf3-1584-4d95-1fe2cf6695e8@huitema.net> <696D22EB-2B7C-47AB-946F-B3246709A10B@inria.fr> <CAHbrMsDq9fxH9Yvw-BozrZtF4iUU-oeOiMucJ1FBpCZurQsnNQ@mail.gmail.com> <5575396A-0588-4CF8-A88B-E9255C473D60@inria.fr> <52b2e6d6-7a18-6c18-1974-7dab7e3bda63@huitema.net>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JVaelDZXMPt-OnV2bIs08GTHPNg>
Subject: Re: [TLS] TLS ECH, how much can the hint stick out?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Sep 2020 11:55:49 -0000

> Any big issue keeping N=8
> 
Regarding the length of N, I gather that the trade-off is that if it is too short, the probability of collisions between the signal and randomly generated server randoms becomes significant,
and so does the probability of an active MitM forging the signal. Is there some other concern? 
8 bytes seems fine for these considerations. Is the idea that we would reuse the downgrade sentinel?

v2.23.0 | Report a Bug | By Email