IETF Logo Mail Archive

Re: [TLS] About encrypting SNI

Erik Nygren <erik+ietf@nygren.org> Wed, 16 April 2014 18:56 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEAE11A02A8 for <tls@ietfa.amsl.com>; Wed, 16 Apr 2014 11:56:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 97lGEcsE_VZy for <tls@ietfa.amsl.com>; Wed, 16 Apr 2014 11:56:32 -0700 (PDT)
Received: from mail-vc0-x22f.google.com (mail-vc0-x22f.google.com [IPv6:2607:f8b0:400c:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 9AED31A02A7 for <tls@ietf.org>; Wed, 16 Apr 2014 11:56:31 -0700 (PDT)
Received: by mail-vc0-f175.google.com with SMTP id lh14so11050788vcb.6 for <tls@ietf.org>; Wed, 16 Apr 2014 11:56:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=VgBe//Onpfj5Wjsz3Hi1Av6kyMGuCrrDQhHFZebkW+4=; b=m1RjnKZB3aNh0E0EvmUMHZz0swGOY3XeL+RoSW8Ntmoe+ziEJWFXZciMsqPdSCYB3J PI9i0u4jN+7Bn6gXVyRGX4fwqukHh0ypE6e/QISVthNc+miGDl+NOVWolSK7QHVJYHTm Q01BBoSGd6V1TAtcjYSP25k+lc96i4WdgaAP/7UgI9q6kxo5HR4Yqo1ynETzAK6MxynJ dGB/0A4RCngJfz/K1vtlKN3UzBb5k93xWfs766y1x8LiSV90gxBjB72HhH2vRXeS5W8a 33tvFIyrvgbMyvn9+y68Oxj42RM0aJDslJZ1oPw0xEG1nO51irBPuWrsU+5FNEUovK9x 0VgA==
MIME-Version: 1.0
X-Received: by 10.52.3.129 with SMTP id c1mr1497102vdc.37.1397674588137; Wed, 16 Apr 2014 11:56:28 -0700 (PDT)
Sender: nygren@gmail.com
Received: by 10.221.18.70 with HTTP; Wed, 16 Apr 2014 11:56:27 -0700 (PDT)
In-Reply-To: <CALCETrU6zn52yX=Q-_h4epR6W9+f2oTr3yfyK1sxiwGa2dvWGw@mail.gmail.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED40@USMBX1.msg.corp.akamai.com> <534C3D5A.3020406@fifthhorseman.net> <474FAE5F-DE7D-4140-931E-409325168487@akamai.com> <D2CB0B72-A548-414C-A926-A9AA45B962DA@gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B490162@USMBX1.msg.corp.akamai.com> <CACsn0cmusUc3Rsb2Wof+dn0PEg3P0bPC3ZdJ75b9kkZ5LDGu_A@mail.gmail.com> <534DB18A.4060408@mit.edu> <CABcZeBOJ7k8Hb9QqCAxJ_uev9g_cb4j361dp7ANvnhOOKsT7NA@mail.gmail.com> <CA+cU71kFo6EihTVUrRRtBYEHbZwCa9nZo-awt4Sub2qXcKHC7g@mail.gmail.com> <m2k3apmjk2.fsf@usma1mc-0csx92.kendall.corp.akamai.com> <CALCETrU6zn52yX=Q-_h4epR6W9+f2oTr3yfyK1sxiwGa2dvWGw@mail.gmail.com>
Date: Wed, 16 Apr 2014 14:56:27 -0400
X-Google-Sender-Auth: Xs5TE0dLhXtOqsqLKJIfK-J_V6Y
Message-ID: <CAKC-DJgNvF=hhwoyRNkJ3vKz9EZ_JpoM84bCip6eProLwsQsEg@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
To: Andy Lutomirski <luto@amacapital.net>
Content-Type: multipart/alternative; boundary="20cf30363731566d6e04f72d7983"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/OLdgDMZwkTSEiDj53IjeMeRoclg
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Apr 2014 18:56:36 -0000

If we do anything with DNS, we need to be very conscious that individual
records change asynchronously from other records.  For example, we can't
assume that an A/AAAA record and a DANE record refer to the same operator
(webserver, hosting provider, CDN, etc).   In order for anything along
these lines to be deployable, it must be possible for everything associated
with a particular name->service binding to change together.  In addition,
browser vendors are extremely wary of doing extra DNS lookups synchronous
to a request which is one reason that SRV records aren't in-use today for
HTTP(S).

After thinking about this some, if we are looking towards a future world
where additional DNS security and privacy has been added, a new "service
binding" record type (I'll call it a "B-record") might help partially
address a number of these issues and raise the bar a little about SNI
privacy.  The B-record would glue together information needed for
establishing a connection (and provide a client with a number of options to
choose from).  For example:

     _https._b.www.example.com B  "AAAA=2001::abcd, port=443, alpn=h2s,
handshake_ecdhe_key=68sgjbjfsd8fyjgbsgd7863, handshake_token=5sdfkj335,
pri=5, dane_cert_name=version83.ca.example.com"
     _https._b.www.example.com B  "A=1.2.3.4, port=443, alpn=h2s,
handshake_ecdhe_key=68sgjbjfsd8fyjgbsgd7863, handshake_token=5sdfkj335,
pri=5,  dane_cert_name=version83.ca.example.com"
     _https._b.www.example.com B  "A=1.2.3.5, port=443, alpn=h1s,
handshake_ecdhe_key=438nkgj8utjs89we0t8tjer, handshake_token=asdjhk887,
pri=3,  dane_cert_name=version82.ca.example.com"

Defines a set of HTTPS service bindings for a few sets of IP addresses with
different ALPN settings.

In the above, the handshake_ecdhe_key is the public part of the server key
to encrypt the handshake (including SNI to and the handshake_token is the
"opaque" value from ekr's flows proposal.  Clients could select between
which of them they'd use based on their ALPN support.

At least for HTTP(S), something like this might be more deployable than
current options.

Note that the handshake_token (sent in the clear in the TLS handshake like
the "opaque" value) will leak information to passive attackers who are
building up correlation tables.

Also if the key is used *only* for the handshake, it's not clear that this
is any worse against active attackers even if DNSSEC is not used than the
"new flows" proposal.  (In both cases a MitM can provide an alternate
handshake key or build up a table of ids to SNIs.)  Clearly DNSSEC would
need to be used for *every* step before DANE could be used, however.


I think the question from above arises of whether it is worth doing all of
the engineering work here if there's still no fundamental way to guard
against active attackers or resourceful passive attackers.  Some of this
will come down to trade-offs.

        Erik









On Wed, Apr 16, 2014 at 10:39 AM, Andy Lutomirski <luto@amacapital.net>wrote:

> On Wed, Apr 16, 2014 at 7:32 AM, Brian Sniffen <bsniffen@akamai.com>
> wrote:
> >> Furthermore, no offence to Rich, but I suspect if you told him "We'll
> >> build the DNS subdomain forwarding, and you can use that or just not
> >> encrypted SNI", he will choose not to use it. Maybe I'm wrong, but
> >> since he argued against it initially, I'll make the leap.  So making
> >> it opt-in seems to be as equivalent to building an optional feature
> >> that almost no one will use from the beginning.
> >
> > Yes: we will not use encrypted SNI.  We can't.  We need to put thousands
> > of HTTP hosts with incompatible crypto requirements on each IP address.
> > Per-IP keys don't help us very much.
>
> Would a protocol along the lines of my strawman work for you?  I
> explicitly did not require that the eventual cipher suite match for
> different SNI values.  I even made it possible to for whatever
> receives the initial SSL connection to strip the SNI encryption and
> hand the connection of to something else, without sharing any
> long-term secrets between the machines in question.
>
> --Andy
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email