IETF Logo Mail Archive

Re: [TLS] About encrypting SNI

Brian Sniffen <bsniffen@akamai.com> Thu, 17 April 2014 19:59 UTC

Return-Path: <bsniffen@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A315A1A00B9 for <tls@ietfa.amsl.com>; Thu, 17 Apr 2014 12:59:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.172
X-Spam-Level:
X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vI0IzIOO27v8 for <tls@ietfa.amsl.com>; Thu, 17 Apr 2014 12:59:54 -0700 (PDT)
Received: from prod-mail-xrelay08.akamai.com (prod-mail-xrelay08.akamai.com [96.6.114.112]) by ietfa.amsl.com (Postfix) with ESMTP id E53021A007B for <tls@ietf.org>; Thu, 17 Apr 2014 12:59:53 -0700 (PDT)
Received: from prod-mail-xrelay08.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 2AE1E481A3; Thu, 17 Apr 2014 19:59:50 +0000 (GMT)
Received: from prod-mail-relay03.akamai.com (prod-mail-relay03.akamai.com [172.27.8.26]) by prod-mail-xrelay08.akamai.com (Postfix) with ESMTP id 1EF0E4813F; Thu, 17 Apr 2014 19:59:50 +0000 (GMT)
Received: from usma1ex-cashub.kendall.corp.akamai.com (usma1ex-cashub7.kendall.corp.akamai.com [172.27.105.23]) by prod-mail-relay03.akamai.com (Postfix) with ESMTP id EFBD32FD72; Thu, 17 Apr 2014 19:59:49 +0000 (GMT)
Received: from Tereva.local (172.19.113.223) by usma1ex-cashub7.kendall.corp.akamai.com (172.27.105.23) with Microsoft SMTP Server (TLS) id 8.3.342.0; Thu, 17 Apr 2014 15:59:48 -0400
From: Brian Sniffen <bsniffen@akamai.com>
To: Andy Lutomirski <luto@amacapital.net>
In-Reply-To: <CALCETrXOaNihRRNQ3RQsctbipAGq67cSUofOm0AOb-YWENFFwQ@mail.gmail.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED40@USMBX1.msg.corp.akamai.com> <534C3D5A.3020406@fifthhorseman.net> <474FAE5F-DE7D-4140-931E-409325168487@akamai.com> <D2CB0B72-A548-414C-A926-A9AA45B962DA@gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B490162@USMBX1.msg.corp.akamai.com> <CACsn0cmusUc3Rsb2Wof+dn0PEg3P0bPC3ZdJ75b9kkZ5LDGu_A@mail.gmail.com> <534DB18A.4060408@mit.edu> <CABcZeBOJ7k8Hb9QqCAxJ_uev9g_cb4j361dp7ANvnhOOKsT7NA@mail.gmail.com> <CA+cU71kFo6EihTVUrRRtBYEHbZwCa9nZo-awt4Sub2qXcKHC7g@mail.gmail.com> <m2k3apmjk2.fsf@usma1mc-0csx92.kendall.corp.akamai.com> <CALCETrU6zn52yX=Q-_h4epR6W9+f2oTr3yfyK1sxiwGa2dvWGw@mail.gmail.com> <CAKC-DJgNvF=hhwoyRNkJ3vKz9EZ_JpoM84bCip6eProLwsQsEg@mail.gmail.com> <CALCETrWY_-N+nM9N0_gbeffkX5Jo8vn7XKeFCezGiwq2A74Wjw@mail.gmail.com> <CAKC-DJg6kRLezM+Q60VLY=dBU9C_Q9hb_0u7WD-HHWVJ5Y6tRQ@mail.gmail.com> <CALCETrX7Dv9_+uM7VqotHGurS+k6K5wKzeXEj7zuekd8+0qOJQ@mail.gmail.com> <566E6D8E-ACD5-4B21-9586-84C149F6A1B9@akamai.com> <CALCETrUi+fc9LW1iqx0bFuAsgygmeorR9AnzLN+abGx08y152A@mail.gmail.com> <5204AB60-0B32-4953-9D3D-C2756883D39D@akamai.com> <CALCETrXOaNihRRNQ3RQsctbipAGq67cSUofOm0AOb-YWENFFwQ@mail.gmail.com>
User-Agent: Notmuch/0.17~rc2+11~g8a10ca6 (http://notmuchmail.org) Emacs/24.3.1 (x86_64-apple-darwin12.4.0)
Date: Thu, 17 Apr 2014 14:59:46 -0500
Message-ID: <m238hblob1.fsf@usma1mc-0csx92.kendall.corp.akamai.com>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/O7mkTiqN21jYLPB0Tbl28pq3hPs
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Apr 2014 19:59:58 -0000

Andy Lutomirski <luto@amacapital.net> writes:

> On Thu, Apr 17, 2014 at 9:35 AM, Sniffen, Brian <bsniffen@akamai.com> wrote:
>> On Apr 17, 2014, at 9:52 AM, "Andy Lutomirski" <luto@amacapital.net> wrote:
>>>
>>> , Bob can decrypt it in time t(N), and an eavesdropper
>>> who does not know any of the private keys can't distinguish the
>>> message from random?
>>
>> Surely the eavesdropper can measure the decryption delay, probe himself, and discover which key it was---unless every implementation carefully shuffles keys?
>>
>> And now an adversary can cause N decryptions per initiated connection. Ouch.
>
> If N == 4 and the decryption operations are fast, this isn't so bad.

Cryptographic negotiation attacks are already one of the most powerful
DDoS techniques available.  Making them 4x more effective is lethal.
Unless we want to say they're so dangerous as to be no *more* lethal
from quadrupling, this isn't okay.

I hesitate to ask, but: is it plausible to re-open the proof-of-work
conversation, so a server under load can, in the initial opportunistic
encryption phase, push back to a client and ask for a puzzle to be
solved?

> I wonder if there's a way to test a large number of private keys at
> once.  If so, then the cost drops to O(log N).  Off the top of my
> head, I can't think of a cryptosystem with that property.

I certainly don't expect to find any *pair* of cryptosystems with that
property, and continue to maintain that in 3 years we won't find two big
organizations willing to use exactly the same crypto.

-Brian

-- 
Brian Sniffen
Information Security
Akamai Technologies

v2.23.0 | Report a Bug | By Email