Re: [TLS] ESNI interoperability questions

Rob Sayre <sayrer@gmail.com> Mon, 28 October 2019 04:51 UTC

References: <CAChr6SxUN5o+SXKGVoFGD_hkhprjnqj4RtzsS0+fFKFWJZOnBg@mail.gmail.com> <CAChr6SysjJJ2VXmqRjauMsTUoDSZU0yAH7Z3KV0A8BUhPTEFrA@mail.gmail.com> <CAChr6Swrh3aaAyoewphNQwRRcHPsPfbp5wFkUn80cE2jG-tOLA@mail.gmail.com> <CAChr6Sz+FNps_nSVF6cTXPVE-dCRVOSROxF_hdQh97_SS1j1WA@mail.gmail.com>
In-Reply-To: <CAChr6Sz+FNps_nSVF6cTXPVE-dCRVOSROxF_hdQh97_SS1j1WA@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Sun, 27 Oct 2019 21:51:15 -0700
Message-ID: <CAChr6SyO9vgvBTbcJ==v04ZAsjA2_=Pyw2zH3hONEfOQve75ug@mail.gmail.com>
To: "TLS@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LmDF9uZ-ZURiGKaaC3-TbyM6NLI>

On Sun, Oct 27, 2019 at 8:46 PM Rob Sayre <sayrer@gmail.com> wrote:

> Hi,
>
> The joke is on me, because medium.com also does not check any SNI / ESNI
> field. :)
>
> However, I did notice that my record_digest value was off vs Firefox. And,
> now, I don't feel so bad.
>
> I noticed that esni-02 and esni-03 defined record_digest as:
>
> record_digest  A cryptographic hash of the ESNIKeys structure from
>       which the ESNI key was obtained, i.e., from the first byte of
>       "checksum" to the end of the structure.  This hash is computed
>       using the hash function associated with "suite".
>
> but, esni-04 defines record_digest like so:
>
> record_digest  A cryptographic hash of the ESNIKeys structure from
>       which the ESNI key was obtained, i.e., from the first byte of
>       "version" to the end of the structure.  This hash is computed
>       using the hash function associated with "suite".
>
> By following the record_digest algorithm from esni-04, I was able to match
> Firefox's record_digest fields for a given domain. This strikes me as very
> odd, since the ESNIKeys structure changed in esni-04, but I'm still using
> the older, esni-02 definition. So, it sure seems like people are running a
> strange mix of drafts at the moment. I think there's still something wrong
> with my calculation of the encrypted_sni field--perhaps I will have to read
> more NSS source code to figure out what that is. :)
>

Oh, and sorry for the postscript, but a common piece of cryptographic
mythology is that using the same first bytes for every hash input can
weaken it. I have never looked into that assertion, and I also haven't
looked into whether using a checksum in the way -02 or -03 did could be a
problem. Why did the draft originally omit the version number, and why does
it no longer do that?

thanks,
Rob
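As an added illustration of the mismatch described in the message above (this is example code, not part of Rob's post, of NSS, or of any ESNI draft), the following Python serialises an esni-02-style ESNIKeys record and computes record_digest under both quoted definitions: from the first byte of "checksum" (the -02/-03 wording) and from the first byte of "version" (the -04 wording). The field layout, the 0xff01 version code point, the "first four bytes of SHA-256 with the checksum zeroed" checksum rule, the suite-to-hash table and the 32-byte key share are assumptions or constructed sample values, not data taken from any published record.

```python
import hashlib
import struct

# Hash associated with each TLS 1.3 CipherSuite code point; the record_digest
# text says to use "the hash function associated with suite".
SUITE_HASH = {
    0x1301: "sha256",  # TLS_AES_128_GCM_SHA256
    0x1302: "sha384",  # TLS_AES_256_GCM_SHA384
    0x1303: "sha256",  # TLS_CHACHA20_POLY1305_SHA256
}


def tls_vector(body: bytes, len_bytes: int = 2) -> bytes:
    """TLS presentation-language vector: big-endian length prefix + body."""
    return len(body).to_bytes(len_bytes, "big") + body


def key_share_entry(group: int, key_exchange: bytes) -> bytes:
    """KeyShareEntry { NamedGroup group; opaque key_exchange<1..2^16-1>; }"""
    return struct.pack("!H", group) + tls_vector(key_exchange)


def build_esnikeys_02(version: int, keys: list, cipher_suites: list,
                      padded_length: int, not_before: int, not_after: int,
                      extensions: bytes = b"") -> bytes:
    """Serialise an esni-02-style ESNIKeys (layout assumed for this example):
       version(2) checksum(4) keys<> cipher_suites<> padded_length(2)
       not_before(8) not_after(8) extensions<>
    The checksum is taken as the first four bytes of SHA-256 over the
    structure with the checksum field zeroed."""
    head = struct.pack("!H", version)
    tail = (tls_vector(b"".join(keys))
            + tls_vector(b"".join(struct.pack("!H", cs) for cs in cipher_suites))
            + struct.pack("!HQQ", padded_length, not_before, not_after)
            + tls_vector(extensions))
    checksum = hashlib.sha256(head + b"\x00" * 4 + tail).digest()[:4]
    return head + checksum + tail


def checksum_ok(esnikeys: bytes) -> bool:
    """Recompute the -02-style checksum and compare with the stored field."""
    zeroed = esnikeys[:2] + b"\x00" * 4 + esnikeys[6:]
    return hashlib.sha256(zeroed).digest()[:4] == esnikeys[2:6]


def record_digest_02(esnikeys: bytes, suite: int) -> bytes:
    """-02/-03 wording: hash from the first byte of "checksum" (offset 2)."""
    return hashlib.new(SUITE_HASH[suite], esnikeys[2:]).digest()


def record_digest_04(esnikeys: bytes, suite: int) -> bytes:
    """-04 wording: hash from the first byte of "version" (offset 0)."""
    return hashlib.new(SUITE_HASH[suite], esnikeys).digest()


# Constructed sample record (not a real published ESNIKeys): one x25519
# share of 32 fixed bytes, one cipher suite, arbitrary validity window.
SAMPLE_KEYS = build_esnikeys_02(
    version=0xFF01,                       # draft version code point, assumed
    keys=[key_share_entry(0x001D, bytes(range(32)))],
    cipher_suites=[0x1301],
    padded_length=260,
    not_before=1_570_000_000,
    not_after=1_580_000_000,
)

if __name__ == "__main__":
    print("checksum valid :", checksum_ok(SAMPLE_KEYS))
    print("-02/-03 digest :", record_digest_02(SAMPLE_KEYS, 0x1301).hex())
    print("-04 digest     :", record_digest_04(SAMPLE_KEYS, 0x1301).hex())
```

Running it prints two different digests for the same record, which is exactly the interop failure a client hits when it hashes from one offset while the server or browser it is talking to hashes from the other: the server cannot find a matching key and drops or ignores the encrypted_sni extension. Swapping the suite for 0x1302 changes the digest length to 48 bytes, so the suite-to-hash mapping is a second place where two implementations can silently disagree.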