Re: [TLS] Fwd: New Version Notification for draft-huitema-tls-sni-encryption-00.txt

Kazuho Oku <kazuhooku@gmail.com> Tue, 11 July 2017 01:37 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 308821300BB for <tls@ietfa.amsl.com>; Mon, 10 Jul 2017 18:37:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AsiAc2kHCpdj for <tls@ietfa.amsl.com>; Mon, 10 Jul 2017 18:37:27 -0700 (PDT)
Received: from mail-pg0-x22d.google.com (mail-pg0-x22d.google.com [IPv6:2607:f8b0:400e:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE83812EC27 for <tls@ietf.org>; Mon, 10 Jul 2017 18:37:27 -0700 (PDT)
Received: by mail-pg0-x22d.google.com with SMTP id u62so58039610pgb.3 for <tls@ietf.org>; Mon, 10 Jul 2017 18:37:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=q5bDDXIxoiAdCSECvaVoHe/aWxqv8lg4kBVsCzOLEw8=; b=Umrc6a9Oya+0m9sPW8yGc17xA/odtk6yrQXDQBOLgSRde56EdwvNv4AcyFBZG0yFkX Iu0B/6Rm/gOfIez026Xs1snzdH4mKIsoMkw0usysapD8EO6A0YfZRLed7VoFxFtv6NQu QzsTuOq58JtelfubDj/01nEf4Y3lT8z9elc3l1bIEhUJHK1nMXEkWXRuvSSVUISQA62g taRaOzrzaKnfaC/mQk9Qn+DOWN7uc/e/6fIZlxGFfI64J9hFWdVlSNpGb3Rq5eDUtIoY yYs8LhFtGCtWEFKPoHO/etXjlQh74F3DnCVqzlOWCYZ8gBQyEBozWVE1n6Y8w2TFQv3p 6zsw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=q5bDDXIxoiAdCSECvaVoHe/aWxqv8lg4kBVsCzOLEw8=; b=Fve6O8oTdNhM8nJ/XKq8qqdTUHjDyAgckpzDXnt/SuL4aTDc59z7Ptm88pQrvlwG+5 rAPrcZhKBFXcW6zkPM8aCCDMsX7lmdaubKWb5JR0ZjdKceV+L2d+2nEH/ZQDJmapt8HC qmv7f7VAmz4Gp92UOFK0kqHMnLBx7OC3WxtcsgFEP0vFL1eM0LStC7lcvc4tlh4miBo6 E2pwUhzhlg+s8VcN7JeS4JohnvWJJi4vzUI1EplVY8nWQiq6v+9UrRwgG/pJTUVPX2RX nqM/jO7QEFqob9E+y3vWN+IUHaeSHGvzlxWg22aOo2IxqpbxiJjrI2vxahVo32Wb5iM2 bLtQ==
X-Gm-Message-State: AIVw111KA1rqB90GEgD3N66GHS5A9CoWRwJ/10YOMsD9O31O4JOdfqN+ s6s4qE7tvZR00wrTU8GB7JZNRHWHvyhmrC8=
X-Received: by 10.98.197.130 with SMTP id j124mr48256280pfg.117.1499737047041; Mon, 10 Jul 2017 18:37:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.130.3 with HTTP; Mon, 10 Jul 2017 18:37:26 -0700 (PDT)
In-Reply-To: <422ef2c7-4d99-20d2-8a39-ffd61277e0bd@huitema.net>
References: <149810504637.30481.937244297632371838.idtracker@ietfa.amsl.com> <422ef2c7-4d99-20d2-8a39-ffd61277e0bd@huitema.net>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Tue, 11 Jul 2017 10:37:26 +0900
Message-ID: <CANatvzyCQNp7+yxeYp1ecRDQ_Rd_iZp8cOvg21ns33ftWwC0eQ@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>, Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c184d78f20dc0055400bd30"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NH9Ln_t-teN85jZVMY78iUnWchY>
Subject: Re: [TLS] Fwd: New Version Notification for draft-huitema-tls-sni-encryption-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2017 01:37:30 -0000

Thank you for writing the draft.

I agree for the need to hide hostnames from passive attackers, and I really
like the fact that the draft discusses of various attack vectors that a
proper SNI protection should take care of.

OTOH, it makes me sad that the proposed methods require an additional
roundtrip (when compared to no encrypted SNI).

Can't we consider adopting a method that improves both performance and
privacy, instead of choosing one between the two?

Specifically, I wonder if we could consider embedding part of the TLS
handshake within a secure DNS query / response. That will make the
connection setup even faster than today at the same time providing us more
privacy.

Note that regardless of the approach, it is mandatory to migrate DNS onto a
secure channel (i.e. over TLS or QUIC) in order to protect the hostname
that the client is going to access. Protecting just the SNI is insufficient.

Approach 1. embed TLS handshake in the DNS query and response

A client queries a DNS over a secure channel. ClientHello is embedded to
the DNS query. The resolver that receives the query will always contact the
authoritative server by using a secure channel, transmitting both the DNS
query and the ClientHello. Upon receiving the query, the authoritative
server will send a DNS response that embeds the server's first flight of
the TLS handshake (i.e. from ServerHello to ServerFinished). The resolver
relays the DNS response (with the handshake messages) to the client.

When the client receives the DNS response and the TLS handshake messages,
it connects to the server (that is designated by the DNS response) and
immediately sends the client's second flight of the TLS handshake (i.e.
ClientFinished) with an identifier that correlates that message to the
first flight of the messages transmitted through DNS, followed by
application data.

The merit of the approach is that connection setup will be even more faster
than now, since the time being spent changes from 1 RTT-to-DNS + 1
RTT-to-origin to 1 RTT-to-origin-through-DNS (note that reducing the
roundtrip to DNS has become important than before due to the fact that
resolvers are less common to be located near the client. This is especially
the case for mobile networks). Though there could be replay issues until
the client receives the server's first flight through the direct connection.

In short, the connection setup latency (including DNS) will be reduced from
2 RTT to 1 RTT, whereas in the approaches that are discussed in the draft
it will change from 2 RTT to 3 RTT.

Approach 2. embed TLS handshake originating from the server in DNS response

This is a variation of the former approach.

In this approach, a DNS query is sent over a secure channel but does not
convey any TLS handshake massage. OTOH it is the server that initiates the
handshake, upon receiving a DNS query. The DNS response (sent over a secure
channel) will include the necessary parameters to establish an end-to-end
secure channel (e.g. nonce, cryptographic parameters, server certificate,
and a signature signing the values). When the client receives the DNS
response that contains the handshake messages, it will use that to
establish a secure connection to the server (by sending it's nonce and the
negotiated parameters that are signed).

The time required for establishing a connection will be the same as the
first approach.

However, one interesting difference from the former approach is that it
will be possible for a DNS resolver to cache the DNS response including the
server's first flight of the handshake messages (at the cost of losing
single-op DH). Hence the change required to existing DNS infrastructure
could be somewhat smaller.

The risk would be that if the resolver reuses the DNS response, a passive
observer could determine whether if multiple new connections went to the
same origin (by looking at the identifier that designates the handshake
that the client is responding to). If that is an issue, a client may want
to inject randomness into the query to suppress the resolver from reusing
the response.

2017-06-22 13:25 GMT+09:00 Christian Huitema <huitema@huitema.net>;:

> We has many discussions of SNI encryption on this list recently, and that
> was enough motivation to write a draft about it. I am pretty sure that this
> will be met with wide approval and no discussion at all :-).
>
> -- Christian Huitema
>
> -------- Forwarded Message --------
> Subject: New Version Notification for draft-huitema-tls-sni-
> encryption-00.txt
> Date: Wed, 21 Jun 2017 21:17:26 -0700
> From: internet-drafts@ietf.org
> To: Christian Huitema <huitema@huitema.net>; <huitema@huitema.net>;, Eric
> Rescorla <ekr@rtfm.com>; <ekr@rtfm.com>;
>
> A new version of I-D, draft-huitema-tls-sni-encryption-00.txt
> has been successfully submitted by Christian Huitema and posted to the
> IETF repository.
>
> Name:		draft-huitema-tls-sni-encryption
> Revision:	00
> Title:		SNI Encryption in TLS Through Tunneling
> Document date:	2017-06-20
> Group:		Individual Submission
> Pages:		19
> URL:            https://www.ietf.org/internet-drafts/draft-huitema-tls-sni-encryption-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-huitema-tls-sni-encryption/
> Htmlized:       https://tools.ietf.org/html/draft-huitema-tls-sni-encryption-00
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-huitema-tls-sni-encryption-00
>
>
> Abstract:
>    This draft describes the general problem of encryption of the Server
>    Name Identification (SNI) parameter.  The proposed solutions hide a
>    Hidden Service behind a Fronting Service, only disclosing the SNI of
>    the Fronting Service to external observers.  The draft starts by
>    listing known attacks against SNI encryption, and then presents two
>    potential solutions that might mitigate these attacks.  The first
>    solution is based on TLS in TLS "quasi tunneling", and the second
>    solution is based on "combined tickets".  These solutions only
>    require minimal extensions to the TLS protocol.
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>


-- 
Kazuho Oku