Re: [TLS] Fwd: New Version Notification for draft-huitema-tls-sni-encryption-00.txt
Kazuho Oku <kazuhooku@gmail.com> Tue, 11 July 2017 01:37 UTC
Return-Path: <kazuhooku@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 308821300BB for <tls@ietfa.amsl.com>; Mon, 10 Jul 2017 18:37:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AsiAc2kHCpdj for <tls@ietfa.amsl.com>; Mon, 10 Jul 2017 18:37:27 -0700 (PDT)
Received: from mail-pg0-x22d.google.com (mail-pg0-x22d.google.com [IPv6:2607:f8b0:400e:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE83812EC27 for <tls@ietf.org>; Mon, 10 Jul 2017 18:37:27 -0700 (PDT)
Received: by mail-pg0-x22d.google.com with SMTP id u62so58039610pgb.3 for <tls@ietf.org>; Mon, 10 Jul 2017 18:37:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=q5bDDXIxoiAdCSECvaVoHe/aWxqv8lg4kBVsCzOLEw8=; b=Umrc6a9Oya+0m9sPW8yGc17xA/odtk6yrQXDQBOLgSRde56EdwvNv4AcyFBZG0yFkX Iu0B/6Rm/gOfIez026Xs1snzdH4mKIsoMkw0usysapD8EO6A0YfZRLed7VoFxFtv6NQu QzsTuOq58JtelfubDj/01nEf4Y3lT8z9elc3l1bIEhUJHK1nMXEkWXRuvSSVUISQA62g taRaOzrzaKnfaC/mQk9Qn+DOWN7uc/e/6fIZlxGFfI64J9hFWdVlSNpGb3Rq5eDUtIoY yYs8LhFtGCtWEFKPoHO/etXjlQh74F3DnCVqzlOWCYZ8gBQyEBozWVE1n6Y8w2TFQv3p 6zsw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=q5bDDXIxoiAdCSECvaVoHe/aWxqv8lg4kBVsCzOLEw8=; b=Fve6O8oTdNhM8nJ/XKq8qqdTUHjDyAgckpzDXnt/SuL4aTDc59z7Ptm88pQrvlwG+5 rAPrcZhKBFXcW6zkPM8aCCDMsX7lmdaubKWb5JR0ZjdKceV+L2d+2nEH/ZQDJmapt8HC qmv7f7VAmz4Gp92UOFK0kqHMnLBx7OC3WxtcsgFEP0vFL1eM0LStC7lcvc4tlh4miBo6 E2pwUhzhlg+s8VcN7JeS4JohnvWJJi4vzUI1EplVY8nWQiq6v+9UrRwgG/pJTUVPX2RX nqM/jO7QEFqob9E+y3vWN+IUHaeSHGvzlxWg22aOo2IxqpbxiJjrI2vxahVo32Wb5iM2 bLtQ==
X-Gm-Message-State: AIVw111KA1rqB90GEgD3N66GHS5A9CoWRwJ/10YOMsD9O31O4JOdfqN+ s6s4qE7tvZR00wrTU8GB7JZNRHWHvyhmrC8=
X-Received: by 10.98.197.130 with SMTP id j124mr48256280pfg.117.1499737047041; Mon, 10 Jul 2017 18:37:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.130.3 with HTTP; Mon, 10 Jul 2017 18:37:26 -0700 (PDT)
In-Reply-To: <422ef2c7-4d99-20d2-8a39-ffd61277e0bd@huitema.net>
References: <149810504637.30481.937244297632371838.idtracker@ietfa.amsl.com> <422ef2c7-4d99-20d2-8a39-ffd61277e0bd@huitema.net>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Tue, 11 Jul 2017 10:37:26 +0900
Message-ID: <CANatvzyCQNp7+yxeYp1ecRDQ_Rd_iZp8cOvg21ns33ftWwC0eQ@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>, Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c184d78f20dc0055400bd30"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NH9Ln_t-teN85jZVMY78iUnWchY>
Subject: Re: [TLS] Fwd: New Version Notification for draft-huitema-tls-sni-encryption-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2017 01:37:30 -0000
Thank you for writing the draft. I agree for the need to hide hostnames from passive attackers, and I really like the fact that the draft discusses of various attack vectors that a proper SNI protection should take care of. OTOH, it makes me sad that the proposed methods require an additional roundtrip (when compared to no encrypted SNI). Can't we consider adopting a method that improves both performance and privacy, instead of choosing one between the two? Specifically, I wonder if we could consider embedding part of the TLS handshake within a secure DNS query / response. That will make the connection setup even faster than today at the same time providing us more privacy. Note that regardless of the approach, it is mandatory to migrate DNS onto a secure channel (i.e. over TLS or QUIC) in order to protect the hostname that the client is going to access. Protecting just the SNI is insufficient. Approach 1. embed TLS handshake in the DNS query and response A client queries a DNS over a secure channel. ClientHello is embedded to the DNS query. The resolver that receives the query will always contact the authoritative server by using a secure channel, transmitting both the DNS query and the ClientHello. Upon receiving the query, the authoritative server will send a DNS response that embeds the server's first flight of the TLS handshake (i.e. from ServerHello to ServerFinished). The resolver relays the DNS response (with the handshake messages) to the client. When the client receives the DNS response and the TLS handshake messages, it connects to the server (that is designated by the DNS response) and immediately sends the client's second flight of the TLS handshake (i.e. ClientFinished) with an identifier that correlates that message to the first flight of the messages transmitted through DNS, followed by application data. The merit of the approach is that connection setup will be even more faster than now, since the time being spent changes from 1 RTT-to-DNS + 1 RTT-to-origin to 1 RTT-to-origin-through-DNS (note that reducing the roundtrip to DNS has become important than before due to the fact that resolvers are less common to be located near the client. This is especially the case for mobile networks). Though there could be replay issues until the client receives the server's first flight through the direct connection. In short, the connection setup latency (including DNS) will be reduced from 2 RTT to 1 RTT, whereas in the approaches that are discussed in the draft it will change from 2 RTT to 3 RTT. Approach 2. embed TLS handshake originating from the server in DNS response This is a variation of the former approach. In this approach, a DNS query is sent over a secure channel but does not convey any TLS handshake massage. OTOH it is the server that initiates the handshake, upon receiving a DNS query. The DNS response (sent over a secure channel) will include the necessary parameters to establish an end-to-end secure channel (e.g. nonce, cryptographic parameters, server certificate, and a signature signing the values). When the client receives the DNS response that contains the handshake messages, it will use that to establish a secure connection to the server (by sending it's nonce and the negotiated parameters that are signed). The time required for establishing a connection will be the same as the first approach. However, one interesting difference from the former approach is that it will be possible for a DNS resolver to cache the DNS response including the server's first flight of the handshake messages (at the cost of losing single-op DH). Hence the change required to existing DNS infrastructure could be somewhat smaller. The risk would be that if the resolver reuses the DNS response, a passive observer could determine whether if multiple new connections went to the same origin (by looking at the identifier that designates the handshake that the client is responding to). If that is an issue, a client may want to inject randomness into the query to suppress the resolver from reusing the response. 2017-06-22 13:25 GMT+09:00 Christian Huitema <huitema@huitema.net>: > We has many discussions of SNI encryption on this list recently, and that > was enough motivation to write a draft about it. I am pretty sure that this > will be met with wide approval and no discussion at all :-). > > -- Christian Huitema > > -------- Forwarded Message -------- > Subject: New Version Notification for draft-huitema-tls-sni- > encryption-00.txt > Date: Wed, 21 Jun 2017 21:17:26 -0700 > From: internet-drafts@ietf.org > To: Christian Huitema <huitema@huitema.net> <huitema@huitema.net>, Eric > Rescorla <ekr@rtfm.com> <ekr@rtfm.com> > > A new version of I-D, draft-huitema-tls-sni-encryption-00.txt > has been successfully submitted by Christian Huitema and posted to the > IETF repository. > > Name: draft-huitema-tls-sni-encryption > Revision: 00 > Title: SNI Encryption in TLS Through Tunneling > Document date: 2017-06-20 > Group: Individual Submission > Pages: 19 > URL: https://www.ietf.org/internet-drafts/draft-huitema-tls-sni-encryption-00.txt > Status: https://datatracker.ietf.org/doc/draft-huitema-tls-sni-encryption/ > Htmlized: https://tools.ietf.org/html/draft-huitema-tls-sni-encryption-00 > Htmlized: https://datatracker.ietf.org/doc/html/draft-huitema-tls-sni-encryption-00 > > > Abstract: > This draft describes the general problem of encryption of the Server > Name Identification (SNI) parameter. The proposed solutions hide a > Hidden Service behind a Fronting Service, only disclosing the SNI of > the Fronting Service to external observers. The draft starts by > listing known attacks against SNI encryption, and then presents two > potential solutions that might mitigate these attacks. The first > solution is based on TLS in TLS "quasi tunneling", and the second > solution is based on "combined tickets". These solutions only > require minimal extensions to the TLS protocol. > > > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > > -- Kazuho Oku
- [TLS] Fwd: New Version Notification for draft-hui… Christian Huitema
- Re: [TLS] Fwd: New Version Notification for draft… Kazuho Oku
- Re: [TLS] Fwd: New Version Notification for draft… Brian Sniffen
- Re: [TLS] Fwd: New Version Notification for draft… Martin Thomson
- Re: [TLS] Fwd: New Version Notification for draft… Daniel Kahn Gillmor