Re: [TLS] draft-rescorla-tls13-new-flows-01 - Thoughts post-meeting
Michael StJohns <msj@nthpermutation.com> Mon, 17 March 2014 15:09 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2EDA1A0401 for <tls@ietfa.amsl.com>; Mon, 17 Mar 2014 08:09:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qPIOzkp6FJBj for <tls@ietfa.amsl.com>; Mon, 17 Mar 2014 08:09:15 -0700 (PDT)
Received: from mail-ee0-f49.google.com (mail-ee0-f49.google.com [74.125.83.49]) by ietfa.amsl.com (Postfix) with ESMTP id 138F01A014D for <tls@ietf.org>; Mon, 17 Mar 2014 08:09:14 -0700 (PDT)
Received: by mail-ee0-f49.google.com with SMTP id c41so4231128eek.36 for <tls@ietf.org>; Mon, 17 Mar 2014 08:09:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=4/joxz4lIuPO8j9g3cTX05pCY9IxUVKARqcgZSv59as=; b=D0MxKV1Qvz/0tK4BhvSNouXMgJ/dM0tlmjlfYIJlHx8Ks8vglrKR0ina9mhmA9IKQX xGWbnQeDI4AL4gE4lT6RGGaS07BbznCQPigYvpNWi9+0x2BFqlb5lawvP2EzVjQMz/yn 5lt7O3Jp2ejiSmf2/kBi/CFJZgCumF/KBNTbSElokOO/x/cGyBjn1Y9DpjbnhdnTntUa jMIFacZOtAjhNxTcat+NK9RelQOG+swd4Eoc/qblWOL6A4HXUX51Ns+PEEjhmVsL6b59 kO/m+stkaGmzi4DZRUVnxTfZrQbTgxE0V1X09Ew8EGaOcdKVRPOtszbB5UV5NS/6VGay y4kw==
X-Gm-Message-State: ALoCoQkT4mHhXw8rfIfuUfOBzZ2nndRmMySvdIFJiaE7aVTQtoftBItOEUmvH+rWq4Ts5Z7vcL7w
X-Received: by 10.14.225.132 with SMTP id z4mr3463785eep.92.1395068937323; Mon, 17 Mar 2014 08:08:57 -0700 (PDT)
Received: from [192.168.1.105] (c-68-34-113-195.hsd1.md.comcast.net. [68.34.113.195]) by mx.google.com with ESMTPSA id e42sm27761092eev.32.2014.03.17.08.08.55 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 17 Mar 2014 08:08:56 -0700 (PDT)
Message-ID: <53271007.8050902@nthpermutation.com>
Date: Mon, 17 Mar 2014 11:08:55 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>
References: <5325DDA0.9030006@nthpermutation.com> <CACsn0cmLJJGw5cKmbnUT9tftEd0tn4cJQcf1WN7VQQc1GeO-aA@mail.gmail.com> <53260C51.10407@nthpermutation.com> <CACsn0cnKFQdiq8kx3w4SViN20-9UTxA_1riq-A5XJyaqLUQuFA@mail.gmail.com>
In-Reply-To: <CACsn0cnKFQdiq8kx3w4SViN20-9UTxA_1riq-A5XJyaqLUQuFA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/L-3Lf77NQhEYcJPIuDofdwDdQaw
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-rescorla-tls13-new-flows-01 - Thoughts post-meeting
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Mar 2014 15:09:21 -0000
On 3/17/2014 12:23 AM, Watson Ladd wrote: > Dear Mr. StJohns, > > Suppose you work at the Chinese Ministry of Truth, in the department > of web truthmaking, domain forgetting division. > > Right now, if you want to ensure HTTP content is in conformance with > the truth you simply scan for the Host header and check against a > list. > > For HTTPS life could get nasty. But luckily we decided to put SNI > information on the outside, so you can see if that connection needs to > go down the memory hole. Or the CMT just blocks all access to the device because its a known SNI encryption box. If you get to assign super powers to an entity to make your point, then so do I. > > Now you hear about this TLS 1.3 coming along, and how it obfuscates > SNI. So you present the following design to your boss: > 1: Each device on the filtering maintains a global IP->[Hosts] mapping. > 2: When an obfuscated SNI comes along, you check against all hosts in > the mapping > 3: If it is marked as untruthful block > 4: If unknown, transmit it to a dedicated cracking machine. > > Within a week the cracking machine is likely to figure out what the > hostname is, at which point it can be added to the list. If the agents > watching the spreading of untruth see a domain, we can just add it. > The computational cost will never exceed that of the hosting device. > > Your proposal doesn't stop censorship or even make it more expensive. > It doesn't hide visits to websites effectively if the attacker is > interested in checking against a big list. It doesn't accomplish any > of the goals we need it to. And unfortunately, I don't think EKRs proposal does it either. There are a few things you need to do symmetric encryption - a mutual key and an agreed upon cipher suite. EKR proposes retaining the keys and suite from a previous connection and using them to encrypt the negotiation for the next connection. To do this, both client and server cache the previous keys. If you have no previous connection, or you or the server have timed out the cached keys, EKR has you fall back to doing an unencrypted negotiation followed by an encrypted negotiation. Unfortunately, as I understand how this works, the SNI needs to be in the first negotiation so that the director can steer the packets to the appropriate server. Assuming super powers that let me twiddle with packets in flight - I modify the MAC over the negotiation records to cause it to fail verification at the server. Or I intercept the response from the server and replace it with an unsigned "sorry, no cached key" error message. Either way causing the client to fall back into unencrypted mode. This gets worse when the virtual server director isn't actually on the same server as the actual server, as the director will need copies of the keys in the same timely fashion as the servers. And that makes the director a big juicy target. (Seriously a single box with all the session keys for 1000s of sessions with 100s of servers? Let me at it) The threat could be partly mitigated by deriving a separate set of keys for "next session encryption negotiation", but that would change the current key expansion stages a bit. And still begs the question of how keys get from the virtual server to the director so this can be done. Another approach might be for the client (only) to retain the public key of the specific destination server, or a special use public key handed to the client by the server as part of another negotiation (and which related private key is shared with the director - said key being very long lived). Use that to encrypt the SNI (either RSA encryption, or something like ECIES for elliptic curve). And even use that as the encryption over the negotiation. Mike > > Sincerely, > Watson Ladd
- Re: [TLS] draft-rescorla-tls13-new-flows-01 - Tho… Watson Ladd
- [TLS] draft-rescorla-tls13-new-flows-01 - Thought… Michael StJohns
- Re: [TLS] draft-rescorla-tls13-new-flows-01 - Tho… Eric Rescorla
- Re: [TLS] draft-rescorla-tls13-new-flows-01 - Tho… Michael StJohns
- Re: [TLS] draft-rescorla-tls13-new-flows-01 - Tho… Erik Nygren
- Re: [TLS] draft-rescorla-tls13-new-flows-01 - Tho… Michael StJohns
- Re: [TLS] draft-rescorla-tls13-new-flows-01 - Tho… Tom Ritter
- Re: [TLS] draft-rescorla-tls13-new-flows-01 - Tho… Watson Ladd
- Re: [TLS] draft-rescorla-tls13-new-flows-01 - Tho… Alyssa Rowan
- Re: [TLS] draft-rescorla-tls13-new-flows-01 - Tho… Nikos Mavrogiannopoulos
- Re: [TLS] draft-rescorla-tls13-new-flows-01 - Tho… Michael StJohns
- Re: [TLS] draft-rescorla-tls13-new-flows-01 - Tho… Michael StJohns
- Re: [TLS] draft-rescorla-tls13-new-flows-01 - Tho… Erik Nygren
- Re: [TLS] draft-rescorla-tls13-new-flows-01 - Tho… Eric Rescorla
- Re: [TLS] draft-rescorla-tls13-new-flows-01 - Tho… Tom Ritter
- Re: [TLS] draft-rescorla-tls13-new-flows-01 - Tho… Michael StJohns