Re: [TLS] Solving HRR woes in ECH
Nick Sullivan <nick@cloudflare.com> Fri, 26 March 2021 01:28 UTC
Return-Path: <nick@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99D823A1350 for <tls@ietfa.amsl.com>; Thu, 25 Mar 2021 18:28:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I_JAOiNt-Bab for <tls@ietfa.amsl.com>; Thu, 25 Mar 2021 18:28:27 -0700 (PDT)
Received: from mail-ua1-x931.google.com (mail-ua1-x931.google.com [IPv6:2607:f8b0:4864:20::931]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47AAC3A134C for <tls@ietf.org>; Thu, 25 Mar 2021 18:28:27 -0700 (PDT)
Received: by mail-ua1-x931.google.com with SMTP id 97so1126083uav.7 for <tls@ietf.org>; Thu, 25 Mar 2021 18:28:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=auofy7eSGh9hVVlv8f3zIdMQMs3uj8R6KdeBe6hUvgc=; b=n3iP87OrTDT3Lse9ZKR8C4UFw980Y8hVU0k27ep7JeJ4zm0DDnUqm6GXgZpORfsAIg TmkVCLMB1xVUsluhaZDO2vLixrrsCJ18MN7NHTUWoeXvTAX67MrLdILVJa9cgQtIdwT1 50bCyeKL3+F9gVQ0+9luTR8z3SMbgIOSKxKX4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=auofy7eSGh9hVVlv8f3zIdMQMs3uj8R6KdeBe6hUvgc=; b=gu29OcfV3giujDCMq6O+RJ9ZHkEIp/43DsUloEH4HffcrciIeoYJ/9KpCVfl1UHY6m SlG1sSL2HsQN7nSGr64LLojnGr1wu050HdgOrPxQWceAKYvCSPFFG8sDNeN9PJbnHn6T Nig3Mw/WSPRbUr30fOcssKdu64lb6XACzNf/yBE4LrVH7d4AkkGDPgR9JTQtE5TryOth wKZ5ry5o7qZOxW4uoQmQeihISsQngjLqIzAfL4wYU/MfKkDiSCjZdRUp5863B8/9nBr3 jQvNowifs2Wjl6gj0ZXRaIKqgY8hnXDa2NTQVl/0HVBWeIbtmN99Pg4SGq6nEtwmkO6v VjHQ==
X-Gm-Message-State: AOAM532DmbCegzyMHT1+fIqwaLv9FrgxGls0YbdclWHsU1Lq76309bpX rW2G6m5kv225X64SfCG4r3ZBEMKkJyvAone2cqizyg==
X-Google-Smtp-Source: ABdhPJzVNkj1jK9YX4E0YLeVXXTLLBluvz1ERa29YzJ0tkQzv+DTpdLXMjzOxwl1/6Ca7nLkN277PsnLrUrBBe8rucM=
X-Received: by 2002:ab0:b14:: with SMTP id b20mr6437544uak.52.1616722105097; Thu, 25 Mar 2021 18:28:25 -0700 (PDT)
MIME-Version: 1.0
References: <CAG2Zi20utVzjUnTAWcRSxbhjexhJLvZ9aHT--nn_5jk82MRt=g@mail.gmail.com>
In-Reply-To: <CAG2Zi20utVzjUnTAWcRSxbhjexhJLvZ9aHT--nn_5jk82MRt=g@mail.gmail.com>
From: Nick Sullivan <nick@cloudflare.com>
Date: Thu, 25 Mar 2021 21:28:09 -0400
Message-ID: <CAFDDyk_0NdYvaXgnUp21DkxTogUJrhN4xwEtnVNTkXvhzKKOGw@mail.gmail.com>
To: Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c68d0e05be6672bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TGjG8puEWxHRJaR47VlvNWOLHkI>
Subject: Re: [TLS] Solving HRR woes in ECH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Mar 2021 01:28:33 -0000
Hi Chris, HRR in ECH does seem challenging. This may be tangential to the PR you linked, but there may be a way to reduce the likelihood of HRR by moving even more of the handshake negotiation into DNS. The HTTPS RR is already used for some types of negotiation (ALPN and ECH key), so why can't it be extended further to advertise to the client what the server is willing to support for cryptographic negotiations? For example, the HTTPS record could additionally contain the server's supported supported_groups and cipher_suites. With this information, a client could know which key_share extensions a server is likely to accept and adjust its clienthello accordingly. A client who typically sends two key_shares (P256 and x25519) for maximal compatibility could then reduce the size of its client hello (no need to send redundant key_shares) or even prevent an HRR flow altogether in the case that the default key_shares or cipher_suites are not supported by the server. This tweak wouldn't remove the need for HRR completely -- it could be necessary when changing server configuration, for example -- but it could remove the need for HRR in the common case. Nick On Thu, Mar 25, 2021 at 8:05 PM Christopher Patton <cpatton= 40cloudflare.com@dmarc.ietf.org> wrote: > Hi all, > > One of the open issues for ECH is how it interacts with HelloRetryRequest > (HRR). The central difficulty is that a client may advertise different > preferences for HRR-sensitive parameters in the ClientHelloInner and > ClientHelloOuter. And because the HRR path has no explicit signal of which > ClientHello was used, the client may not be able to know how to respond. > The following PR solves this problem by adding to HRR an explicit signal of > which ClientHello was used: > https://github.com/tlswg/draft-ietf-tls-esni/pull/407 > > The design was originally proposed by David Benjamin in the issue > referenced by the PR. Along the way, It also solves a handful of other HRR > issues that have been identified. > > One consequence of this particular solution is that real ECH usage "sticks > out" if the server responds with an HRR. In particular, signaling which > ClientHello was used also signals whether ECH was accepted. However, the > solution is designed to mitigate "don't stick out" attacks that attempt to > trigger the HRR codepath by fiddling with bits on the wire. The > distinguisher only arises when HRR happens organically. > > Feedback is appreciated! > > Best, > Chris P. > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Solving HRR woes in ECH Christopher Patton
- Re: [TLS] Solving HRR woes in ECH Nick Sullivan
- Re: [TLS] Solving HRR woes in ECH Carrick Bartle
- Re: [TLS] Solving HRR woes in ECH Ben Schwartz
- Re: [TLS] Solving HRR woes in ECH Stephen Farrell
- Re: [TLS] Solving HRR woes in ECH Christopher Patton
- Re: [TLS] Solving HRR woes in ECH Eric Rescorla
- Re: [TLS] Solving HRR woes in ECH Eric Rescorla
- [TLS] key_share hints in DNS David Benjamin