IETF Logo Mail Archive

Re: [TLS] Alternative ESNI?

Nico Williams <nico@cryptonector.com> Tue, 18 December 2018 18:19 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE1A21311A5 for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 10:19:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u9gS4HtOdRAm for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 10:19:46 -0800 (PST)
Received: from bonobo.maple.relay.mailchannels.net (bonobo.maple.relay.mailchannels.net [23.83.214.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A1011311A1 for <tls@ietf.org>; Tue, 18 Dec 2018 10:19:45 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id A9E9828376B; Tue, 18 Dec 2018 18:19:44 +0000 (UTC)
Received: from pdx1-sub0-mail-a65.g.dreamhost.com (unknown [100.96.26.166]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 6481D28382C; Tue, 18 Dec 2018 18:19:44 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a65.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.16.2); Tue, 18 Dec 2018 18:19:44 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Power-Attack: 6287628f3b538451_1545157184523_3746086845
X-MC-Loop-Signature: 1545157184523:1424425059
X-MC-Ingress-Time: 1545157184523
Received: from pdx1-sub0-mail-a65.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a65.g.dreamhost.com (Postfix) with ESMTP id 1565E8140A; Tue, 18 Dec 2018 10:19:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:subject:message-id:references:mime-version:content-type :in-reply-to; s=cryptonector.com; bh=GWWE4Cti4Tw8LKFk2UZkfV33bFk =; b=XeDbLwyubiKuvuQyUvIw+xll4dihHlokoHtftFS19pzH5yrP7pgCpWgvdxQ MvbOqspeAFVpdWwhwexhOBfIn21Nnxf2TDzuu99pdZqKjUQEMrwdNp5Ob8A5+XIE XaI/LeNpWWk3yLbNBa+B956u5yKxoJpDCDdo6KuLGBqNCESk=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a65.g.dreamhost.com (Postfix) with ESMTPSA id 5240481407; Tue, 18 Dec 2018 10:19:42 -0800 (PST)
Date: Tue, 18 Dec 2018 12:19:40 -0600
X-DH-BACKEND: pdx1-sub0-mail-a65
From: Nico Williams <nico@cryptonector.com>
To: tls@ietf.org
Message-ID: <20181218181939.GA20422@localhost>
References: <20181215025346.GJ15561@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20181215025346.GJ15561@localhost>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: 0
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedtkedrudeikedgiedtucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkfhggtggujggfsehttdertddtredvnecuhfhrohhmpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqnecukfhppedvgedrvdekrddutdekrddukeefnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepvdegrddvkedruddtkedrudekfedprhgvthhurhhnqdhprghthheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqedpmhgrihhlfhhrohhmpehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmpdhnrhgtphhtthhopehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmnecuvehluhhsthgvrhfuihiivgeptd
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LvMYrDapaNybqN68LeNwlOxGQQA>
Subject: Re: [TLS] Alternative ESNI?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 18:19:49 -0000

On Fri, Dec 14, 2018 at 08:53:47PM -0600, Nico Williams wrote:
>              Figure 1: Alternative ESNI w/o active protection

Figure 1 was expositional.  Please forget it.

>               Figure 2: Alternative ESNI w/ active protection


>              Figure 3: Alternative ESNI w/ active protection,
>                           with worst-case latency

There's a different way to do the third case _without_ an extra round
trip in the worst case.  Now there are no cases with worse latency than
the worst latency in RFC 8446.

This is the case where the client's initial key_share is not acceptable
to the server.

The key observation is that we can send the server's Certificate and
CertificateVerify in the clear when they are for the fronting name,
which means we can authenticate the server in the first flight, which
means that we can have handshake traffic keys in the second flight:


        ClientHello
        + key_share             -------->
                                                        ServerHello
                                                        + key_share
                                                        Certificate
                                                  CertificateVerify
                                <--------         HelloRetryRequest
        ClientHello
        + key_share
        {EncryptedExtensions}   -------->
                                              {EncryptedExtensions}
                                              {CertificateRequest*}
                                                      {Certificate}
                                                {CertificateVerify}
                                                         {Finished}
                                <--------       [Application Data*]
        {Certificate*}
        {CertificateVerify*}
        {Finished}              -------->
        [Application Data]      <------->        [Application Data]

             Figure 4: Like figure #2 but with initial client
               key_share that is unacceptable to the server


Note that the server's Certificate and CertificateVerify goes
unencrypted.  Why?  Well, it is the Certificate for the *fronting*
name, the one that went unencrypted in the ClientHello, so it doesn't
really need protection.

As Stephen Farrell points out, we get to have *two* server key_shares,
one from the SH and one from the HRR, which gives us the opportunity to
have one of them be something of a static key share shared with a
traffic director.  So we get to have *two* sets of handshake traffic
keys, one that gives a traffic director visibility, and one that does
not.

Do we ever need confidentiality protection relative to the traffic
director?  If so we'll need notation for indicating which handshake
traffic key set to use for what encrypted extensions.

Nico
--

v2.23.0 | Report a Bug | By Email