IETF Logo Mail Archive

Re: [TLS] ESNI and padding

Ben Schwartz <bemasc@google.com> Thu, 20 June 2019 11:21 UTC

Return-Path: <bemasc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1631712003F for <tls@ietfa.amsl.com>; Thu, 20 Jun 2019 04:21:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.509
X-Spam-Level:
X-Spam-Status: No, score=-17.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0AlMueptEaIu for <tls@ietfa.amsl.com>; Thu, 20 Jun 2019 04:21:02 -0700 (PDT)
Received: from mail-ua1-x92e.google.com (mail-ua1-x92e.google.com [IPv6:2607:f8b0:4864:20::92e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5099D12002F for <tls@ietf.org>; Thu, 20 Jun 2019 04:21:02 -0700 (PDT)
Received: by mail-ua1-x92e.google.com with SMTP id v18so1444927uad.12 for <tls@ietf.org>; Thu, 20 Jun 2019 04:21:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/zAIZAfCHAa3h1EIgGHSpb/HM8mOuxdk5I4577guMXU=; b=rrQfwxGkEKkVM7hk+uMJd8QGI8Q6lwqgSfaDsrKoz00hmCGW9uf0vm/oAA7YYZH2JT h2UpjR14TfH971MTTAdgYu1UZz+KtEPpA3JQQNnOylZ1XfbRGKVmBezJQEN/m0u2ej2D +mhlSNn0XlB5imZCqjx1/FWBmsliCGR+Pw+aqqMRlBDmZ/3vi2UxG6vE3KTtZ2y6cD/m aCeTFvHhSIaB4r3u2wiqMy6wSlV1EiHa+9Oblj7r5VFx5nlKaF+5y1glIx4AP+MQHmWB K9EU0cD1yFhzTRKQL9qLm8Tdj+qMXGZjk1T6gwyTofU1z5vJpv1fOxHtnt/l7BiTDF/U kprg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/zAIZAfCHAa3h1EIgGHSpb/HM8mOuxdk5I4577guMXU=; b=Q2S/W7C77RvAZ3VGT8guoSvkPKciUA8IdEvCUbrNdljUNQgGJwENTvxq4gof24fZP4 Ucpn23P9lr84zhpq4lygf/Z14/qtH1V46IsbhMVMjBBImdBIdnQ7LToSHisW6pmaMhu6 QfBlHXh26tsdR4Q3eCBYWr2tmkMX1DIA80kuhkn98TLUoDLO2Zdw+y1jd9/1jmZ3Jqmx 6sD0a0DmeYIDiq4nD+cdyGrFgRc0Xs3oKZ2MuhEcb1w0SjNjLqxDh6lhJv9Qkr300lqq 03SwfGVyK2KQfMER5qPxC0Z1B0sv7rH00aXm0OcDjaMIbfgqb4ZOwjPvoHSMiaLwf/Ol 6Sfg==
X-Gm-Message-State: APjAAAVeiOo8n/i56eNW8WofdWkkuqeWPvBwfEO4PqVxmSuokuO/2YOa 7107mJAQWAzecPChgUDyZDFoMBT9Qlp/Q9XobKnvDLQehOs=
X-Google-Smtp-Source: APXvYqyliXjMiDlDKQgTwzniwPhmJ5neQUAouAo+s/ptamHzpT+BxxqRYvfVpukuI+4N4eKnkPNlpHHdH+ouJLjtp1Q=
X-Received: by 2002:a9f:31a2:: with SMTP id v31mr17315158uad.15.1561029660896; Thu, 20 Jun 2019 04:21:00 -0700 (PDT)
MIME-Version: 1.0
References: <eb4bc1a3-ebff-b174-e601-5cf727a7bedd@cs.tcd.ie>
In-Reply-To: <eb4bc1a3-ebff-b174-e601-5cf727a7bedd@cs.tcd.ie>
From: Ben Schwartz <bemasc@google.com>
Date: Thu, 20 Jun 2019 07:20:48 -0400
Message-ID: <CAHbrMsAa+FudZ-t3MOnxa37rz=D_-1=izaPqBk-2nHaO_L9czA@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000764311058bbf8a68"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QDRTIKMw7QfERsYRKJe0dl0hmog>
Subject: Re: [TLS] ESNI and padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jun 2019 11:21:06 -0000

On Wed, Jun 19, 2019 at 6:34 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:
...

> What I'd suggest instead:
>
> - delete the padded_length field from ESNIKeys, so nobody needs
>   to configure anything for padding
> - clients MUST pad to a multiple of N octets where N is in the
>   spec (I'd suggest N=32, but any number that's longer than
>   nearly all real TLS server names would be good)
> - we RECOMMEND clients randomly add an additional N octets of
>   padding with probability X%, perhaps with X=10 (btw - am I
>   right in thinking that if X% is greater than the percentage
>   of real names that are longer than N, then we're good?)
> - we STRONGLY RECOMMEND that servers choose names shorter than
>   N octets for hidden web sites


As you are clearly aware, this approach provides essentially no privacy
protection in the case where a user is repeatedly connecting to a very long
domain on a server whose other domains are reasonably short.

Rather than make a privacy-vs-efficiency tradeoff in the spec, the current
text leaves this option to the implementer.  For example, within the
current protocol (albeit bending the recommendations slightly), an
implementer could easily bucket names by length, and offer separate
ESNIKeys for each length bucket.  I think this is preferable; only the
server operator knows their own privacy and efficiency goals.  In my view,
setting N=32 for the first bucket would reproduce most of the benefits of
this proposal without altering the current protocol.

v2.23.0 | Report a Bug | By Email