IETF Logo Mail Archive

Re: [TLS] three ECHO issues

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 08 March 2020 17:38 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 169AE3A0DE9 for <tls@ietfa.amsl.com>; Sun, 8 Mar 2020 10:38:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OcdfnVimXBph for <tls@ietfa.amsl.com>; Sun, 8 Mar 2020 10:38:43 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 459C83A0DE8 for <tls@ietf.org>; Sun, 8 Mar 2020 10:38:42 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 252CBBE3E; Sun, 8 Mar 2020 17:38:41 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L8bYOWkSAu5T; Sun, 8 Mar 2020 17:38:38 +0000 (GMT)
Received: from [10.244.2.119] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id ACF8BBE2F; Sun, 8 Mar 2020 17:38:38 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1583689118; bh=6yqKd9iY19jFji5iUn8cCpYrN6a1Iiud4nu/hAYYQ5M=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=JBobwJkclsTkC5L+2OUgyg7iyEujbXW7v0BsrS1cxmLCcgy1UXK3Oi6lhGSg+XlsI xsPs9C2l1jLokrAAKFHwoMUvPJyyjs1NMgP6/MmVWz29D2MT4zXH0fUwwBpuU82XMr RY/0M0s/yJQt2NQ+78/DklboH/3H57/Y+RW9/+NU=
To: Christopher Wood <caw@heapingbits.net>
Cc: tls@ietf.org
References: <a212c2da-f2fd-9013-4934-a46e03b024f3@cs.tcd.ie> <87368A1A-0F1E-45C6-938C-0F755208E9B4@heapingbits.net> <7fc87dd2-88dd-16e9-979f-3770d41184b2@cs.tcd.ie> <AB6F27E7-FC02-4E1C-850D-C51D00379EC1@heapingbits.net>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <c0e9a3a3-be45-849f-84e0-767f2331e6f4@cs.tcd.ie>
Date: Sun, 08 Mar 2020 17:38:38 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <AB6F27E7-FC02-4E1C-850D-C51D00379EC1@heapingbits.net>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="c2Dz2X4l6MfQZWjIa5DDuz8q32B3wu189"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JonoUYvrkuZ624VQxdaqCETy2Qw>
Subject: Re: [TLS] three ECHO issues
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Mar 2020 17:38:46 -0000

Moar below... :-)

On 08/03/2020 17:25, Christopher Wood wrote:
> 
> 
> On 8 Mar 2020, at 10:14, Stephen Farrell wrote:
> 
>> Hiya,
>> 
>> On 08/03/2020 16:07, Christopher Wood wrote:
>>> Thanks for raising these issues! Please see inline below.
>>> 
>>> On 8 Mar 2020, at 8:18, Stephen Farrell wrote:
>>> 
>>>> Hiya,
>>>> 
>>>> Thanks for the new ECHO PR. [1] I think this is the right
>>>> direction but I have three issues with how it's done in the PR
>>>> right now that I think would benefit from list discussion
>>>> before a new I-D is produced or the PR is merged.
>>>> 
>>>> 1) Padding. This should be easy but somehow seems to be
>>>> hard;-( ISTM the current text is broken as it'd expose length
>>>> information about ALPN in the CH and also in the
>>>> EncryptedExtensions. I think it'd be good if the list reached
>>>> some level of agreement on the goals of padding here rather
>>>> than keep making different tweaks that don't work. I think the
>>>> goal for padding ought be that we don't expose information
>>>> about the content of the inner CH via the length of any h/s
>>>> message. If we agree that (or some similar thing) then 
>>>> hopefully it should be just a matter of tweaking the algorithm
>>>> so it works. (I've raised this before but seemingly not
>>>> convincingly enough;-)
>>> 
>>> We kept maximum_name_length so as to not change “too much” in the
>>> PR. As this is orthogonal to the overall change, it can be
>>> addressed separately. Can you please file an issue and propose
>>> text?
>> 
>> Sure. But ECHO vs. ESNI does make a difference here e.g. due to the
>> ALPN in the inner. If the outcome of (2) below is to keep the
>> flexibility they may be other extensions that create length issues,
>> either just in the inner CH or else there and possibly also in
>> other bits of the h/s.
>> 
>> That said, if the goal I stated above is something on which
>> everyone's agreed, I'd be happy to craft a PR. But if that goal is
>> not agreed, then probably any PR I make won't be useful, hence
>> raising this on the list.
> 
> In general I think it’s a fine goal, but I think it’s probably a bit 
> more challenging to specify this correctly than we might think. Take 
> ALPN as an example. Servers can’t possibly know what ALPN tokens
> each client might offer up in their CH, so how can they express a
> maximum limit?

IMO there's no need. If a server wants to opine, then it
could publish a min-length-inner-CH-plaintext value, to
match the longest total of SNI+ALPN it knows about, but
it no longer makes sense for a server to opine on the
length of parts of the plaintext inner CH, only on the
overall plaintext length, if even that. The client, being
the one who knows what's in the inner CH plaintext and how
those fields might vary in length, is really the only one
who can figure out the padding.

> 
>> 
>>>> 2) Variance between inner and outer CH. The current scheme is
>>>> that almost any variation is allowed. In the work I've done so
>>>> far looking at how to code that up, the trial decryption
>>>> required becomes a major pain in the client code as soon as the
>>>> TLS key-share differs between inner and outer. I don't know if
>>>> that affects other code bases or if that's mostly an OpenSSL
>>>> thing but think we ought establish on the list if that level of
>>>> flexibility is needed now, or maybe later, or even never. The
>>>> cost there is not just working out how to code it up, but this
>>>> also creates new complex code paths that will be rarely
>>>> executed which is usually a recipe for sadness later. So, I'd
>>>> hope other code bases are checked for this before we merge the
>>>> PR. (The problem here could be OpenSSL's internal, eh...
>>>> "intricacy" is a polite term I guess, or it could be me being
>>>> dim, but it seems real;-)
>>> 
>>> Yes, this will be a pain to implement. But variance between the 
>>> inner and outer CH is permitted, and indeed a goal.
>> 
>> I'm questioning whether that's a good goal or not. In my analysis
>> of the various extensions, only SNI and ALPN seem to offer
>> immediate value. Until one gets to new algos, which may mean PQC,
>> there doesn't seem much more that's worth supporting really. And
>> when one looks at the level of complexity to implement generic
>> variance, I'm really not sure it's worthwhile. That said, I'd hack
>> away at it as needed if others have taken a look at their code and
>> found it ok to support. I've just not heard that so far and am
>> concerned we're trading v, simple text in the I-D vs. really
>> horribly complex and maybe flakey code, which doesn't seem like a
>> good plan to me.
>> 
>> Just to be clear: I do like the idea that the analysis be done on
>> the flexible/full-variance scheme and I also like the idea of
>> reconstructing a full CH from the recovered plaintext of the inner
>> CH. Even with all that though, the ECHO spec can still impose
>> interop restrictions on inner/outer CH variance to simplify 
>> implementation and make interop easier and more likely. My guess is
>> that that'd be a worthwhile simplification.
> 
> Yep, it can, and that’s something we can tighten down as needed
> later on. For example, if we later decide that we never want to
> duplicate key shares, we can just make that so. For now, starting
> general aligns with the analysis and gives us the flexibility we need
> to further refine as needed.

Well, at the cost of code complexity and likely harder
interop, I'd say. I'd much prefer we make it easier to
implement now, but with the ability to be more flexible
later. (That's the bit where I think having multiple
implementers comment will be useful.)

Like I said, I like that the abstract scheme is general,
and flexible, but much prefer we start with some added MUSTs to make it
easier now. If we added one line that
the inner and outer CH MUST use the same TLS key-share
(and suites etc.) that'd be a really big help in getting
multiple interoperable implementations sooner is my bet.

> 
>> 
>> If more variation is needed later (e.g. to help incremental
>> deployment of PQC algs), then that could just use a new extension
>> instead of ECHO.
>> 
>>> 
>>>> 3) I think we might be better off leaving out the compression
>>>> stuff for now, and only figuring that out later. The current 
>>>> OuterExtensions thing is pretty ugly, and if the result of (2) 
>>>> above were that we constrain the variance between inner and
>>>> outer some more then a generic compression scheme may not be
>>>> needed. I do think we will want some compression thing in the
>>>> RFC we end up with, but we might be better off to get interop
>>>> without that first and then add compression later. (That's what
>>>> I plan to do fwiw, so this is a less pressing issue for me
>>>> given I'll be ignoring it for now:-)
>>> 
>>> Can you elaborate on why it’s ugly?
>> 
>> Allowing more than 1 OuterExtensions - that'd break some code in
>> OpenSSL's generic extension handling. Not sure how bad that'll be
>> to handle.
> 
> Whoops! Good catch. We should remove this paragraph:
> 
> Multiple "outer_extension" extensions MAY appear in a
> ClientHelloInner (this is a violation of normal TLS rules, but the
> resulting ClientHelloInner is never processed directly). However,
> there MUST NOT be multiple "outer_extension" extensions with the same
> extension code point.
> 
> That’s leftover from a previous version. I’ll do that now.
> 
>> 
>>> What could we do differently?
>> 
>> If e.g. we required the same TLS key-share in inner and outer, then
>> you could just omit most of the octets from the inner and
>> deterministically reconstruct. With a small number of such MUSTs,
>> there might be no real need for a generic compression scheme at
>> all. That's linked to (2) above though.
>> 
>> If a generic compression is needed, then yes something ugly will
>> likely be needed, but it could be simple and ugly, e.g.
>> extension-specific, for those extensions that would make a
>> difference. (And maybe we could punt on it too - e.g. require the
>> definition of the PQC stuff to spec this compression if that's when
>> it actually gets useful.)
> 
> That might work, too. For now, I’d prefer we not get bogged down in 
> compression as it’s merely an optimization.

Me too! Just encouraging nobody to implement it for now
would be fine by me, so we'd not have to code it up and
interop would be that bit easier. Adding a line to the
PR that says "don't write this code yet" would be great.

Cheers,
S.

> 
>>> Text suggestions are welcome!
>> 
>> Sure. And happy to offer some, but would like to see guidance from
>> the WG on the mailing list first. (Sorry for being less
>> github-cooperative about this, but being logged in there is not my
>> normal state of being:-)
> 
> No problem. :-)
> 
> Cheers, Chris

v2.23.0 | Report a Bug | By Email