Re: [TLS] Proposals to address ESNI issues

Eric Rescorla <ekr@rtfm.com> Tue, 05 November 2019 22:15 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6393A120C69 for <tls@ietfa.amsl.com>; Tue, 5 Nov 2019 14:15:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EOlx9V6zZ5JV for <tls@ietfa.amsl.com>; Tue, 5 Nov 2019 14:15:38 -0800 (PST)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E13B120C7E for <tls@ietf.org>; Tue, 5 Nov 2019 14:15:35 -0800 (PST)
Received: by mail-lf1-x133.google.com with SMTP id b20so16367169lfp.4 for <tls@ietf.org>; Tue, 05 Nov 2019 14:15:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VMSz41wThLUi5xA9ABDLJTGF3qxOc9P5nwVdUJikxfI=; b=oHwUVcqabDvof9AH02GtoIQoolihhCSu8VYjGPi04nRO+NRow2NtscIEzQT1alwtBr 3NJh84LEnGAwclTl3FpX9HzOlPmcB4UZZ0jynZLYbQqNe1nOoVgITu5FMsjmFigeeJJ5 13EQzeBnibVD8hdcEUS9VeeplPlsoWkJ4HX146uiZSEmb+IiGeWtiUF8sMJUYXHwCH6p gajppBGaFqgzyl+vrQyUGcqkBMYc4FGNr8mSyaxboD0gRa/Qc/N+QvF1sxElsvjToKKy sooZZ8Xj+Yzxhf3vE0PD7x76dnDWGz76Z0dYqwgg5Dx4gjrbc9F/vyNcpbpTxr8eY75s m2qg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VMSz41wThLUi5xA9ABDLJTGF3qxOc9P5nwVdUJikxfI=; b=F4fewNUKXAOmXq96wsVi7NiXrwTznvQAWHUoR+/A2A526x8fl6OaN2+EmHhcJDLbGi T+fZS8EimhA1JSbxOaeOiaYK8ZYtAA4LSa1D4nvbN1OsPTHHIp5owpDywd6DmE1K/q8w 56Jur/gwrXCKsHU4T1DBwytjCAkASU3G7RE/BelxGgONZeg45BKmMnRXoNnH/+1zV01f QkOMKpEDHxFaCA+kMe69GhKVTPZrFsaq10OpPrWvreeu0mh4EPZED2/Tnnhke0YVqIqe c+b98UPX+tLtnsldQzju7UHiuAKkx7nCPk7PL34h132NDBnSjv1yRC7MvXqEl2A1W3au nY0A==
X-Gm-Message-State: APjAAAWBukjTYHHv7xbSZUioB2PL27xBgxREGQ0+lOhFX01ksE5IrO8b H/aXLUvvdg1w/g/eIIH9dQNx/B2/d9YvH6ZS8pKEEA==
X-Google-Smtp-Source: APXvYqy1xFEa9CxlxXOxerP+1EgqrsqPTgQmqtQTKn5q0fn7xWeCV+PK20AwnACYo4VRoY/T7smPZzeXw1sbMJ4GMD0=
X-Received: by 2002:a05:6512:75:: with SMTP id i21mr6549544lfo.180.1572992133602; Tue, 05 Nov 2019 14:15:33 -0800 (PST)
MIME-Version: 1.0
References: <304108c8-e8cc-41a6-b931-d5c44cc812e4@www.fastmail.com> <a8a394f7-0586-47cd-9865-429d8a64f056@www.fastmail.com> <CAChr6SydvwjnvbDLvoch8zpyeZm_sFawR_hJfExNrWCzJrx=Bw@mail.gmail.com>
In-Reply-To: <CAChr6SydvwjnvbDLvoch8zpyeZm_sFawR_hJfExNrWCzJrx=Bw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 5 Nov 2019 14:14:57 -0800
Message-ID: <CABcZeBMcRyx7vvP4_jKce3dgq6W=YoCY08VrAw=XYKJEVZB0iA@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Cc: Christopher Wood <caw@heapingbits.net>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005bbe480596a0c544"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TSw2kMARoEMRl3UF4IOT_-8Ah24>
Subject: Re: [TLS] Proposals to address ESNI issues
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2019 22:15:44 -0000

On Tue, Nov 5, 2019 at 1:58 PM Rob Sayre <sayrer@gmail.com>; wrote:

> On Tue, Nov 5, 2019 at 12:35 PM Christopher Wood <caw@heapingbits.net>;
> wrote:
>
>> >
>> > The attacks on ESNI security above seem to stem from two problems:
>> >
>> > 1. The ESNI contents are not fully bound to the ClientHello contents.
>>
>
> This seems right to me. I was surprised that the current ESNI drafts only
> require the "KeyShareClientHello" as AAD input to the AEAD-Encrypt
> function. Additionally, I've raised the point that even that arrangement
> seems to imply that the client's key share message should appear before the
> ESNI, or that the server must perform some input buffering.
>
> Perhaps a variation on the "Tunnel CH" idea is in order: require that an
> "Encrypted Client Hello" is the last extension in a ClientHello message.
>

This wouldn't change the situation in the tunnel CH, because
ClientHelloInner does not depend at all on the outer part of the CH.



>
>> > 2. The handshake secrets are not bound to the ESNI contents. If this
>> were not the case, servers could not choose attacker-controlled keying
>> material yet proceed with victim-controlled parameters (SNIs).
>>
>
> I had a hard time parsing this point. Doesn't the current protocol require
> echoing some encrypted content?
>

Yes, but that doesn't affect the HRR splicing attack. This is laid out in S
2.2 of the document Chris forwarded.


I think the draft might need to address the case where servers ignore the
> SNI and ESNI messages.
>

I'm not sure what you mean by "address" this case. The purpose of the nonce
checking is to detect when ESNI was not processed.


-Ekr


> thanks,
> Rob
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>