IETF Logo Mail Archive

Re: [TLS] "Encrypted" SNI

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 11 May 2017 18:40 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36DD112944A for <tls@ietfa.amsl.com>; Thu, 11 May 2017 11:40:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hZtlxqLgg06j for <tls@ietfa.amsl.com>; Thu, 11 May 2017 11:40:38 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47C75129C41 for <tls@ietf.org>; Thu, 11 May 2017 11:35:15 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 751677A3309; Thu, 11 May 2017 18:35:14 +0000 (UTC)
Date: Thu, 11 May 2017 18:35:14 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20170511183514.GE25754@mournblade.imrryr.org>
Reply-To: tls@ietf.org
References: <3768598.32hupQ9b2b@pintsize.usersys.redhat.com> <87ziekihp6.fsf@fifthhorseman.net> <m28tm34g8x.fsf@abstraction.kendall.corp.akamai.com> <2687686.v67HcTzOUq@pintsize.usersys.redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <2687686.v67HcTzOUq@pintsize.usersys.redhat.com>
User-Agent: Mutt/1.7.2 (2016-11-26)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/P0iJqvbGx2YWf8aBdSASfLWuR78>
Subject: Re: [TLS] "Encrypted" SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 May 2017 18:40:40 -0000

On Thu, May 11, 2017 at 08:01:58PM +0200, Hubert Kario wrote:

> > But beware of:
> > 
> >   - the adversary can replay this SNI and see what site he gets
> >   - DDoS risk: servers can't be try lots of crypto (no asymmetric ops,
> >     no operations that scale linearly with number of sites hosted)
> 
> Doesn't that create a Catch 22?
> 
> I need to get the key to encrypt the SNI. But if we don't want the names to 
> leak, how do I authenticate the key without telling the server what 
> certificate I will accept to authenticate the key?
> 
> That doesn't look to me like a problem we can solve with typical symmetric or 
> asymmetric crypto - it looks to me like more of a zero-knowledge proof issue.

No zero-knowledge schemes come to mind that are suitable to this task.

What can work, but costs latency is to do anon-(EC)DH key agreement
first, and only *then* exchange certificates under the established
keys and sign the session transcripts as required.  That is enable
encryption first, and authentication second, with SNI sent after
you have an unauthenticated encrypted channel.

Yes, an active MiTM attack could capture the SNI, but it would
prevent full session establishment, and so would be tamper-evident.

(One might imagine that initial opportunistic crypto being TCPinc,
with channel bindings extracted into a light-weight authentication
protocol on top, that no longer needs to do the key agreement bits).

The TLS 1.3 draft protocol, while eschewing weaker crypto primitives,
seems optimized more for lower-latency than for greater resistance
to traffic analysis.  I don't think that you can have both.

To really address the issue, one needs a more complete architecture,
that combines all the relevant bits of TCP, TLS and HTTP, ....
Such holistic (r)evolution is extremely difficult.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email