IETF Logo Mail Archive

Re: [TLS] TLS ECH, how much can the hint stick out?

Christian Huitema <huitema@huitema.net> Sat, 12 September 2020 18:39 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32EC43A0CD8 for <tls@ietfa.amsl.com>; Sat, 12 Sep 2020 11:39:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.846
X-Spam-Level:
X-Spam-Status: No, score=-2.846 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.948, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C2wfeK0mRGXy for <tls@ietfa.amsl.com>; Sat, 12 Sep 2020 11:39:03 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6ED23A0CCD for <tls@ietf.org>; Sat, 12 Sep 2020 11:39:02 -0700 (PDT)
Received: from xse192.mail2web.com ([66.113.196.192] helo=xse.mail2web.com) by mx169.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kHAQJ-000TaT-HZ for tls@ietf.org; Sat, 12 Sep 2020 20:38:59 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4BphGh6LcVz1dBy for <tls@ietf.org>; Sat, 12 Sep 2020 11:38:52 -0700 (PDT)
Received: from [10.5.2.49] (helo=xmail11.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kHAQG-0006KV-Oc for tls@ietf.org; Sat, 12 Sep 2020 11:38:52 -0700
Received: (qmail 20414 invoked from network); 12 Sep 2020 18:38:52 -0000
Received: from unknown (HELO [192.168.1.107]) (Authenticated-user:_huitema@huitema.net@[172.58.43.98]) (envelope-sender <huitema@huitema.net>) by xmail11.myhosting.com (qmail-ldap-1.03) with ESMTPA for <tls@ietf.org>; 12 Sep 2020 18:38:51 -0000
To: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>, Ben Schwartz <bemasc@google.com>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <d33c685c-6bf3-1584-4d95-1fe2cf6695e8@huitema.net> <696D22EB-2B7C-47AB-946F-B3246709A10B@inria.fr> <CAHbrMsDq9fxH9Yvw-BozrZtF4iUU-oeOiMucJ1FBpCZurQsnNQ@mail.gmail.com> <3452C763-05CA-459C-A114-BB0163AB59EC@inria.fr>
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mDMEXtavGxYJKwYBBAHaRw8BAQdA1ou9A5MHTP9N3jfsWzlDZ+jPnQkusmc7sfLmWVz1Rmu0 J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PoiWBBMWCAA+FiEEw3G4 Nwi4QEpAAXUUELAmqKBYtJQFAl7WrxsCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgEC F4AACgkQELAmqKBYtJQbMwD/ebj/qnSbthC/5kD5DxZ/Ip0CGJw5QBz/+fJp3R8iAlsBAMjK r2tmyWyJz0CUkVG24WaR5EAJDvgwDv8h22U6QVkAuDgEXtavGxIKKwYBBAGXVQEFAQEHQJoM 6MUAIqpoqdCIiACiEynZf7nlJg2Eu0pXIhbUGONdAwEIB4h+BBgWCAAmFiEEw3G4Nwi4QEpA AXUUELAmqKBYtJQFAl7WrxsCGwwFCQlmAYAACgkQELAmqKBYtJRm2wD7BzeK5gEXSmBcBf0j BYdSaJcXNzx4yPLbP4GnUMAyl2cBAJzcsR4RkwO4dCRqM9CHpVJCwHtbUDJaa55//E0kp+gH
Message-ID: <20152961-ce54-da26-997b-a527a44571b5@huitema.net>
Date: Sat, 12 Sep 2020 11:38:51 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <3452C763-05CA-459C-A114-BB0163AB59EC@inria.fr>
Content-Type: multipart/alternative; boundary="------------F0698E0D1B0939A3C9B2F8CD"
Content-Language: en-US
X-Originating-IP: 66.113.196.192
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.192/32
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.192/32@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0Ux9i8jFyHj5FzBttN4d2CmpSDasLI4SayDByyq9LIhVUZbR67CQ7/vm /hHDJU4RXkTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDoOWO0i/H75teRGzF9TgV+efH zJ6mVE7ewsipSVIfs4YiGaacPtgolJ5ZstJtJuw5gyWFxOA5dILPypvKxNVhWQwOVcNrdpWfEYrY fLBY3+cAdwcW/8Ox85Le8wqlbs5X1QmdZsu6kxo/qWEj6Z1d7Y6jSvfpO+1kZkomjtjB6X5Q5Q9f RUeIpTIC2ySfqvnqLwoxlgatmaBb0rBiK9xbkDrUqzcKIief90MVLZY9LbIZh9+IQ1oS9LBn3VIP 95Jz7ujRlJ9wSMlhvaudJXZ9EIBG/qaR+8r9SKFMmPJLf850OvZYsmoVQuOIhwKLK6IKBNB4LZ0v UHHKTzJX7b1JhLSQQ4vSj0QEim26t/Moy0UPX5E73H1QfrH/5kkrV/Cr0bm2vWdo8usP65i82q1C dZgGrpL44wdx9eXqjQjbvUopOMQJvQ/Ck3iiU+4DQAj3fuQgzT3K9JUHTNiGwfwAm6ZQhvJRsM2m I6SM4wXHHdyYQa4hoJtrV/Sn0lX8Myv9pSCk7xI4JaNPsmkzP0KfktSZJLkcHZ80zjRWIe/L+z8M 7OYFXYdC3tRq275m/U3Vrse0V/J1leD2sXuTL1zOXrdCp3Zd9clP8wSiJZWbJCj+xRrjVmRxpGtS cvUmgj1Lfp2SZX9H5UYHNpVBVgYw+12jZAOanSBpz6Rja2u/0jIp19pZ6MQQSh2GRJYsAcXtrlkE 3aAqWVZMOtIjXbBoKfysta6u1iHEyuS7GD1uvcrCv+R7oBwKyGvdIB3wizbCJOYIJd4MvQ0Nf4Ec bvHO1diDanHV9KirFAIIecsyj+YNTo81GR+jDXFsz/ZQnbbTizvwlZsrbltGiZoUh+c+5pFVgpT1 b21uZVckGp0ccOa2XhkGbmsUNPNkere1WheNsVXmhO8BzADiszcWR9bz/SDtF09JpSbuuCeiIDK0 C/0=
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PH0i22zUol17K3uBLQBSeev243E>
Subject: Re: [TLS] TLS ECH, how much can the hint stick out?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Sep 2020 18:39:05 -0000

The ServerHello ECH extension approach has lots of good properties, but
also one big risk. What if a server decides that ECH is not needed for
this connection, and does not send the extension at all? The connection
will work just fine, because for the client absence of the extension
implies "using the outer CH". Implementation laziness could easily lead
to a state in which only the ECH-using connections use the ECH
extensions in the Server Hello. That would fail both (1) and (2).

-- Christian Huitema


On 9/12/2020 9:59 AM, Karthik Bhargavan wrote:
>> Karthik: That approach works, but unless the ECH echo is universally
>> deployed, it still reveals to a passive observer whether the server
>> is ECH-enabled.  That means, at least for several years, exchanges
>> that are using ECH will likely "stick out" to a passive observer. 
>> This is something we are trying to avoid.
>
> I would like to return to this point, after some discussion with Chris
> Wood, who points out that anybody can query a server to see if it
> supports ECH.
>
> So, hiding whether a server supports ECH or not (which I called level
> 2) is a significantly higher bar than hiding whether a particular
> connection is using ECH or not (level 1).
> I would like to understand how the WG feels about this requirement and
> that there is consensus that we need (2) and not just (1).
>
> If we only need (1) then using a ServerHello ECH extension feels more
> principled to me.
> Of course, the ServerHello.random trick should work for both, but at
> the cost of implementation complexity.
>
> -Karthik
>
>>
>> On Fri, Sep 11, 2020 at 10:00 AM Karthik Bhargavan
>> <karthikeyan.bhargavan@inria.fr
>> <mailto:karthikeyan.bhargavan@inria.fr>> wrote:
>>
>>     Perhaps I am misunderstanding the design constraints and the
>>     following idea
>>     has been thought of and discarded, but could we not remove trial
>>     decryption
>>     and replace it with a trial HMAC, at the cost of adding yet more
>>     crypto.
>>
>>     - The outer ClientHello contains an ECH extension as usual.
>>     - The ServerHello ALWAYS echoes the ECH extension, whether it
>>     chooses the inner or outer ClientHello.
>>     - This ServerHello extension contains an HMAC  of (say) an empty
>>     bytestring (or the current transcript)
>>        with a key derived from the chosen handshake secret (i.e.
>>     either using the innerCH or outerCH),
>>     - On receiving the ServerHello, the client generates both
>>     possible handshake secrets and both
>>       possible HMAC keys, verifies the HMAC and uses it to choose the
>>     correct handshake secret.
>>
>>     Does the above still conflict with QUIC and open up active MitM
>>     attacks?
>>
>>     Best,
>>     Karthik
>>
>>     > On 8 Sep 2020, at 17:19, Christian Huitema <huitema@huitema.net
>>     <mailto:huitema@huitema.net>> wrote:
>>     >
>>     > The ECH proposal for Encrypted SNI is almost ready, but for a
>>     very small
>>     > debate. The original proposal was using trial description to
>>     distinguish
>>     > between ECH aware responses to the encrypted inner Client-Hello
>>     from non
>>     > ECH aware response to the "cover" outer CH. This is problematic
>>     in the
>>     > QUIC use case. The latest proposal is to embed a "hint" in 8
>>     bytes of
>>     > the Server Random. The proposal was for ECH-aware servers to
>>     use eight
>>     > bytes of a hash of the inner Client Random as a hint. Analysis
>>     shows
>>     > that this enables two attacks:
>>     >
>>     > 1) If the Client Hello is replayed, the same hint will be
>>     present in the
>>     > response to the original CH and to the response to the copy,
>>     providing
>>     > observers with a clear indication that ECH was used.
>>     >
>>     > 2) If the Client Hello is intercepted by an MITM attacker, the
>>     attacker
>>     > can rewrite the server's response before presenting it to the
>>     client.
>>     > The attacker formats its own Server Hello that reuses the
>>     Server Random
>>     > from the original server response, but use its own key share,
>>     etc. The
>>     > hint will cause the ECH aware client to create an handshake key
>>     using
>>     > the inner CH. In a QUIC set up, the MITM attacker can easily detect
>>     > that, before even transmitting the server's certificate. Thus,
>>     the MITM
>>     > attacker can detect usage of ECH.
>>     >
>>     > We have a simple proposal that solves the replay attack: set
>>     the hint as
>>     > a hash of both the inner Client Random and the "non-hint" bytes
>>     of the
>>     > Server Random. That's clearly a good idea, but it does not
>>     solve the
>>     > active MITM attack. Solving that requires tying the hint with the
>>     > handshake key derived by the original server, for example by
>>     hashing the
>>     > inner Client Random, the "non-hint" bytes of the Server Random,
>>     and the
>>     > server key share. That's harder to implement, so the question
>>     is about
>>     > cost and opportunity.
>>     >
>>     > This all relates to how much ECH is "sticking out". The current
>>     stance
>>     > is that a passive attacker cannot distinguish between a client
>>     using ECH
>>     > to access a hidden SNI and a client merely greasing the ECH
>>     extension.
>>     > The observation is that there may be many potential active attacks,
>>     > especially if the server shares its ESNI/ECH configuration
>>     publicly. If
>>     > there are many such attacks, and if defense of the hint against
>>     MITM is
>>     > hard to implement, implementing the defense might make the code
>>     more
>>     > fragile, with little actual gain. But I am not convinced by that
>>     > argument, because it smells a lot like "the other side of the
>>     boat is
>>     > leaking too, why should I plug this particular leak?"
>>     >
>>     > And so, at Chris Wood's request, I am sending this message to
>>     the list.
>>     >
>>     > -- Christian Huitema
>>     >
>>     >
>>     > _______________________________________________
>>     > TLS mailing list
>>     > TLS@ietf.org <mailto:TLS@ietf.org>
>>     > https://www.ietf.org/mailman/listinfo/tls
>>
>>     _______________________________________________
>>     TLS mailing list
>>     TLS@ietf.org <mailto:TLS@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/tls
>>
>

v2.23.0 | Report a Bug | By Email