Re: [TLS] TLS ECH, how much can the hint stick out?

Christian Huitema <huitema@huitema.net> Fri, 11 September 2020 00:47 UTC

To: Christopher Patton <cpatton@cloudflare.com>, Mike Bishop <mbishop@evequefou.be>
Cc: "tls@ietf.org" <tls@ietf.org>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <1c13374e-f375-0bdb-2316-f6fc222192b4@huitema.net>
Date: Thu, 10 Sep 2020 17:45:48 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PCjtcM3FYLfcbJvETensEvJsDlU>

On 9/10/2020 12:43 PM, Christopher Patton wrote:
> Hi Mike,
>
> I've since updated the proposal to address the replay attack, but not
> Christian's MITM attack:
> https://github.com/tlswg/draft-ietf-tls-esni/pull/287
>
> A quick question about Christian's suggestion of using the
> "key_shares" to derive the hint. I believe a slightly stronger variant
> of the MITM attack beats this mitigation: suppose the server replays
> not only the original hint, but also the original "key_shares"
> extension. It won't be able to decrypt the client's response, but
> can't the attacker still detect ECH usage?

No, I don't think the server can detect ECH usage by doing that. The
client will complete the exchange as if connected to the server. The
client's response would be pretty much the same as if the server's response
had not been modified, and the MITM will not be able to test whether
this is ECH or not. If it could, ECH would be seriously broken.

But there may be some attack plausible by playing with the ciphersuite,
or maybe the TLS version extension. I don't think so, but I can't prove
it either way. One solution would be to incorporate more elements in the
hash. Another would be to serialize the whole server hello, with a
pro forma random, and add to the hint hash the server hello bytes that
follow the "random" part.

-- Christian Huitema
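
The last suggestion in the message above (serialize the ServerHello with a pro forma random and feed the bytes that follow the random into the hint hash), sketched as an added example that is not part of the original message or of the ECH draft. The HMAC-SHA256 construction, the 8-byte hint placed in the tail of the random, and the `SECRET` shared by the client and an ECH-accepting server are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

HINT_LEN = 8      # assumption: hint occupies the last 8 bytes of ServerHello.random
RANDOM_END = 34   # 2-byte legacy_version + 32-byte random


def extension(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data


def server_hello(random: bytes, session_id: bytes, suite: int, exts: bytes) -> bytes:
    """Serialize a TLS 1.3 ServerHello body (field layout from RFC 8446)."""
    return (struct.pack("!H", 0x0303) + random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!HB", suite, 0)            # cipher_suite, compression
            + struct.pack("!H", len(exts)) + exts)


def hint_for(secret: bytes, hello: bytes) -> bytes:
    """Keyed hash over every ServerHello byte that follows the random."""
    return hmac.new(secret, hello[RANDOM_END:], hashlib.sha256).digest()[:HINT_LEN]


def build_with_hint(secret: bytes, session_id: bytes, suite: int, exts: bytes) -> bytes:
    # Serialize with a pro forma (all-zero) random, hash what follows it,
    # then emit the real message with the hint in the tail of the random.
    hint = hint_for(secret, server_hello(bytes(32), session_id, suite, exts))
    random = os.urandom(32 - HINT_LEN) + hint
    return server_hello(random, session_id, suite, exts)


def client_accepts(secret: bytes, hello: bytes) -> bool:
    """Recompute the hint from the received bytes and compare in constant time."""
    received = hello[RANDOM_END - HINT_LEN:RANDOM_END]
    return hmac.compare_digest(received, hint_for(secret, hello))


# Constructed sample values, not taken from any real handshake.
SECRET = hashlib.sha256(b"constructed ECH-derived secret").digest()
SID = bytes(range(32))
EXTS = (extension(43, b"\x03\x04")                                    # supported_versions
        + extension(51, struct.pack("!HH", 0x001D, 32) + bytes(32)))  # key_share
HELLO = build_with_hint(SECRET, SID, 0x1301, EXTS)

# Same random (and therefore same hint), but the cipher suite was rewritten in transit.
REWRITTEN = server_hello(HELLO[2:RANDOM_END], SID, 0x1303, EXTS)

if __name__ == "__main__":
    print(client_accepts(SECRET, HELLO), client_accepts(SECRET, REWRITTEN))
```

Because the hash input covers the session ID echo, cipher suite and all extensions, a change to any of them leaves the hint in the random stale and the client's check fails.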