Re: [TLS] TLS ECH, how much can the hint stick out?
Christian Huitema <huitema@huitema.net> Fri, 11 September 2020 00:47 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87D493A1274 for <tls@ietfa.amsl.com>; Thu, 10 Sep 2020 17:47:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.848
X-Spam-Level:
X-Spam-Status: No, score=-2.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.948, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j5kShp1T8u-q for <tls@ietfa.amsl.com>; Thu, 10 Sep 2020 17:47:05 -0700 (PDT)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 234703A1271 for <tls@ietf.org>; Thu, 10 Sep 2020 17:47:04 -0700 (PDT)
Received: from xse127.mail2web.com ([66.113.196.127] helo=xse.mail2web.com) by mx14.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kGXCv-00085t-JS for tls@ietf.org; Fri, 11 Sep 2020 02:47:03 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4BncW1593Tz9wcd for <tls@ietf.org>; Thu, 10 Sep 2020 17:45:49 -0700 (PDT)
Received: from [10.5.2.49] (helo=xmail11.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kGXCH-0005lV-Jq for tls@ietf.org; Thu, 10 Sep 2020 17:45:49 -0700
Received: (qmail 9559 invoked from network); 11 Sep 2020 00:45:49 -0000
Received: from unknown (HELO [192.168.1.107]) (Authenticated-user:_huitema@huitema.net@[172.58.38.240]) (envelope-sender <huitema@huitema.net>) by xmail11.myhosting.com (qmail-ldap-1.03) with ESMTPA for <tls@ietf.org>; 11 Sep 2020 00:45:48 -0000
To: Christopher Patton <cpatton@cloudflare.com>, Mike Bishop <mbishop@evequefou.be>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <d33c685c-6bf3-1584-4d95-1fe2cf6695e8@huitema.net> <CAG2Zi23NQRPUzHbVKSSSxR_eaNokVF--K9FfCNMagrCKnSHMZQ@mail.gmail.com> <CH2PR22MB2086C4A5232D3605F66D4F1ADA270@CH2PR22MB2086.namprd22.prod.outlook.com> <CAG2Zi22WafCThD3JFpwpq+qys6fSYWvofKvXvYO-ys0rgDGtkQ@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mDMEXtavGxYJKwYBBAHaRw8BAQdA1ou9A5MHTP9N3jfsWzlDZ+jPnQkusmc7sfLmWVz1Rmu0 J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PoiWBBMWCAA+FiEEw3G4 Nwi4QEpAAXUUELAmqKBYtJQFAl7WrxsCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgEC F4AACgkQELAmqKBYtJQbMwD/ebj/qnSbthC/5kD5DxZ/Ip0CGJw5QBz/+fJp3R8iAlsBAMjK r2tmyWyJz0CUkVG24WaR5EAJDvgwDv8h22U6QVkAuDgEXtavGxIKKwYBBAGXVQEFAQEHQJoM 6MUAIqpoqdCIiACiEynZf7nlJg2Eu0pXIhbUGONdAwEIB4h+BBgWCAAmFiEEw3G4Nwi4QEpA AXUUELAmqKBYtJQFAl7WrxsCGwwFCQlmAYAACgkQELAmqKBYtJRm2wD7BzeK5gEXSmBcBf0j BYdSaJcXNzx4yPLbP4GnUMAyl2cBAJzcsR4RkwO4dCRqM9CHpVJCwHtbUDJaa55//E0kp+gH
Message-ID: <1c13374e-f375-0bdb-2316-f6fc222192b4@huitema.net>
Date: Thu, 10 Sep 2020 17:45:48 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <CAG2Zi22WafCThD3JFpwpq+qys6fSYWvofKvXvYO-ys0rgDGtkQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 66.113.196.127
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.127/32
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.127/32@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0VKALJWqpbz84ezJUOplsTqpSDasLI4SayDByyq9LIhVUZbR67CQ7/vm /hHDJU4RXkTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDoOWO0i/H75teRGzF9TgV+efH zJ6mVE7ewsipSVIfs4broyQ7MXfXm8GxdsMD5unzgyWFxOA5dILPypvKxNVhWQwOVcNrdpWfEYrY fLBY3+cAbkmS6Yl/D6fWX990B0MomdySlZou9qHIGOZDEEo7O2nS6C1mWTD2n8BB0gTSSfDtw+Ut ziY+nbU7qa50sEXj8hEv6ylbrSataIASdByf+qyWDcKgIew/Pqmv8CiR0A+Ffy7fEg460Hn2xYnW avStyzAiWbbj13U46jbWFIz21cHX/YzWyFk7762whX3QQ+5uhkPm88V7ziklAaTl19sU919xeAvO xjeQEcL5lNmXdLn4jABaJqtNDIuGYj2WGeveXgFMyx0sD4hRS2uyMFprER9E+btGG8Xk1uugE/FU 4J9TrjYo22Tif+7yfJXbGyN6EipRzMVZ5LqwTx7Vvn9SP+LiFhV9TEgXGI3XmDfDnFWB11dhDcan IFpyAO2lFVuBXh4TghO1zJNdcdFOsDlHxmtlRyl2vL6xP8EDTxU+rjos8yfsNLC69eujHgZ1YmtU PVcmx1QL+XiKf76y/BgKQOzghtixulElyYQe3c7H/vKY2AXNZGS5G93aGyH8MqMlOQRMVMd0HCeT skOZ5TL8qhmZXq/+CPhkwuOnFbrx+jXg724gFzhHYUe+7aKm0vUedqmE7iQNErcKMLvT641BTi+J 2sBvM/O0p+zizleC4va6FPcpDHjXMKZJK8+chiZlDMQXq5b7Flr9+16hDxla7cTs80/2FnZg/IMs IAdedSzLrjsyfTPCYbMCLdmf5h2vfxw3Qvb2Glio5Cia/9Kfg4kJ0WtAYbrpe3OOAtQNb87OBHCz Hbokiue7PjVB1S6AQRz4SqXhOP5fdiQt7lu5Jm5nk4BSgYHOJJgUtm67rBRli6kULE5BQDZnPvvF VsQ=
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PCjtcM3FYLfcbJvETensEvJsDlU>
Subject: Re: [TLS] TLS ECH, how much can the hint stick out?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Sep 2020 00:47:07 -0000
On 9/10/2020 12:43 PM, Christopher Patton wrote: > Hi Mike, > > I've since updated the proposal to address the replay attack, but not > Christian's MITM attack: > https://github.com/tlswg/draft-ietf-tls-esni/pull/287 > > A quick question about Chrisitian's suggestion of using the > "key_shares" to derive the hint. I believe a slightly stronger variant > of the MITM attack beats this mitigation: suppose the server replays > not only the original hint, but also the original "key_shares" shares > extension. It won't be able to decrypt the client's response, but > can't the attacker still detect ECH usage? No, I don't think the server can detect ECH usage by doing that. The client will complete the exchange as if connected to the server. The client's response would pretty much the same as if the server's response had not been modified, and the MITM will not be able to test whether this is ECH or not. If it could, ECH would be seriously broken. But there may be some attack plausible by playing with the ciphersuite, or maybe the TLS version extension. I don't think so, but I can't prove it either way. One solution would be to incorporate more elements in the hash. Another would be to serialize the whole server hello, with a proforma random, and add to the hint hash the server hello bytes that follow the "random" part. -- Christian Huitema
- [TLS] TLS ECH, how much can the hint stick out? Christian Huitema
- Re: [TLS] TLS ECH, how much can the hint stick ou… Christopher Patton
- Re: [TLS] TLS ECH, how much can the hint stick ou… Ben Schwartz
- Re: [TLS] TLS ECH, how much can the hint stick ou… Christopher Patton
- Re: [TLS] TLS ECH, how much can the hint stick ou… Mike Bishop
- Re: [TLS] TLS ECH, how much can the hint stick ou… Christopher Patton
- Re: [TLS] TLS ECH, how much can the hint stick ou… Eric Rescorla
- Re: [TLS] TLS ECH, how much can the hint stick ou… Mike Bishop
- Re: [TLS] TLS ECH, how much can the hint stick ou… Ben Schwartz
- Re: [TLS] TLS ECH, how much can the hint stick ou… Eric Rescorla
- Re: [TLS] TLS ECH, how much can the hint stick ou… Christian Huitema
- Re: [TLS] TLS ECH, how much can the hint stick ou… Martin Thomson
- Re: [TLS] TLS ECH, how much can the hint stick ou… Christopher Patton
- Re: [TLS] TLS ECH, how much can the hint stick ou… Salz, Rich
- Re: [TLS] TLS ECH, how much can the hint stick ou… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] TLS ECH, how much can the hint stick ou… Ben Schwartz
- Re: [TLS] TLS ECH, how much can the hint stick ou… Karthik Bhargavan
- Re: [TLS] TLS ECH, how much can the hint stick ou… Karthik Bhargavan
- Re: [TLS] TLS ECH, how much can the hint stick ou… Christian Huitema
- Re: [TLS] TLS ECH, how much can the hint stick ou… Karthik Bhargavan
- Re: [TLS] TLS ECH, how much can the hint stick ou… Martin Thomson
- Re: [TLS] TLS ECH, how much can the hint stick ou… Karthik Bhargavan
- Re: [TLS] TLS ECH, how much can the hint stick ou… Christian Huitema
- Re: [TLS] TLS ECH, how much can the hint stick ou… Christopher Patton
- Re: [TLS] TLS ECH, how much can the hint stick ou… Salz, Rich
- Re: [TLS] TLS ECH, how much can the hint stick ou… Eric Rescorla