Re: [TLS] ECH Padding
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 22 June 2021 21:40 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CB4F3A1AE4 for <tls@ietfa.amsl.com>; Tue, 22 Jun 2021 14:40:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.337
X-Spam-Level:
X-Spam-Status: No, score=-2.337 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.338, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wk9pdhLwY1g7 for <tls@ietfa.amsl.com>; Tue, 22 Jun 2021 14:39:55 -0700 (PDT)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2129.outbound.protection.outlook.com [40.107.22.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EC3E3A1AE9 for <tls@ietf.org>; Tue, 22 Jun 2021 14:39:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eyzexXTPO3lw5/iehCCVXEV2Crn0SnhDDuNDCWmB8WaxY1iJa1+RzucIM8ITNmQZZYgj2L+64L8g1dFXVtEIRV6PBbfav4/YktSYye7kS5qNl9bJ55mxe6Bxx+pCZi5YERahYhJNfXYgxLiDvsyYEMbsYrUua25ubtGT/j0UJcWFiGh6kt0SvU8xa/SVwnfqa8BSVangquIAjy24AKWeg8xkc3lYsHT2GuUyZ8uvzbfr+hEmyoHA/08PtV4p5fxsfL5JKXdt+ITVrt6dCjPvlvu+9D+3hlcgpMvB5SiwwWcdcqcFvLV+DEZA5XAavGmdYF2a1STuP5+MJhed8D73mw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=e85a/h3fRoSdo5jdAKydOZ8zTDaJkWggfsG89/Fp2CE=; b=LsDV1b/16SmvXRoJOdhv2Uudl65Up8ysYBdMxslY+EuBd6vROxvG0Lm45yvdlZWExBGoRWppYW0/bAcSxGR6UM6FwQLaoIe9DWexhfJr/+eVpoMOCGBjz9lFR5/vWOMJW9BYGZ7jl0IwDGX9bTaV53hdxA70Ib0ucPC+HXA60nt5v0x0tavjgZ2moqGOAlt1VKIrHU8pVbB68eRPi9kCYeXOQRSXHHMTa/OMnmmjah2r+E4/t4kxV7+E0oq4TYlsEtCVta8ny452PULGNVdEmp2HWljKlZlyCfEr7L1KF2THhqm2bxKOGAujnrm+bfxNePQ+pzppbxF9FlEd5YieOw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=e85a/h3fRoSdo5jdAKydOZ8zTDaJkWggfsG89/Fp2CE=; b=H9rXC79uuR5ZUt5eMdQVe52WS2sxiGD6T2A5TnpTW9ga/0ONgpEfIiizyQZtGovn2PzrTRisxxL5OqnKXifCi1JO57TuVOhHiWQ8qWfxlVZBHV/AhxrcO3tDpkkcs9RXO52n9ZhrWGbaQLoUR+KhyhVphKWirexw6FmSN4Z1OH6/MFTa59SPb4zsf/Z6tx4ayzomM68ur4h6gWxlYgTCImAAtZa2kxLYCF6g3riHNZhKM5P4KVfulLcVcWivzaCoV7fMbQ5Y1VDK+2/qrz5bwgOsDfCVb1yCajJwN9Xi6rl1zW96ypolrhQbPqLhW0t2/ArRg8hG8wSS4hHi4hmOAw==
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=cs.tcd.ie;
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15) by DB6PR0202MB2744.eurprd02.prod.outlook.com (2603:10a6:4:a8::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4264.18; Tue, 22 Jun 2021 21:39:51 +0000
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::9c71:9f6:9136:f849]) by DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::9c71:9f6:9136:f849%6]) with mapi id 15.20.4242.023; Tue, 22 Jun 2021 21:39:51 +0000
To: Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>, tls@ietf.org
References: <CAG2Zi21oLUmoNLXVD7QuOOLre4XZtxJxt=2SH_ELkigdUT9m6g@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <8f249b27-7ea9-d044-fb87-e2af6b26175b@cs.tcd.ie>
Date: Tue, 22 Jun 2021 22:39:49 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
In-Reply-To: <CAG2Zi21oLUmoNLXVD7QuOOLre4XZtxJxt=2SH_ELkigdUT9m6g@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="SPjqQcSfm7oaXI1oKF4GvBzgewVAVjwZ2"
X-Originating-IP: [2001:bb6:5e5e:b458:7aa2:cc61:e4c1:c208]
X-ClientProxiedBy: DU2PR04CA0231.eurprd04.prod.outlook.com (2603:10a6:10:2b1::26) To DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [IPv6:2001:bb6:5e5e:b458:7aa2:cc61:e4c1:c208] (2001:bb6:5e5e:b458:7aa2:cc61:e4c1:c208) by DU2PR04CA0231.eurprd04.prod.outlook.com (2603:10a6:10:2b1::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4264.18 via Frontend Transport; Tue, 22 Jun 2021 21:39:51 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 6892beb3-4de5-47f7-0a81-08d935c6441e
X-MS-TrafficTypeDiagnostic: DB6PR0202MB2744:
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-Microsoft-Antispam-PRVS: <DB6PR0202MB2744E176ECB9E68F122081C0A8099@DB6PR0202MB2744.eurprd02.prod.outlook.com>
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Oob-TLC-OOBClassifiers: OLM:5516;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: ON0zNMWTRIVsDheImtnNtwxIe+Ig32zHJY2obLvZ/PM5VZ31vMTa3p448rKUIAMv6vzNXpFVdrgzK4HBJdTeW+ACF/VRcXfBI2eSEYoy0N+L0NdEM1VcQTYcsY71YeM2ICHQ7Opl1uQxjcCYJyueA1h9JJtukX35ywXimbt3JvB6UpSzoq42cOrOk0aZTb1qujMVFvu6r89IjZrvYLuDqFwpIDF/4oto16WQnhMk3IyzavZc9OrwAZQDRHHdKuGSzvRhjxIsbk4NGMRQyseqvAvOQJPmw4973tYOqG0B5OI+bydXHNfzJcGIcH2K25fjFCwAs025LKs5/Z/ZbSvPrjq7C54LzW40YzXIFZgPHIvNlXQGGPoNXFhl9W7knOWyv9X1GsmzvC/p6ejaNhBAGiTpCQ9fjD7szCoUtUjP7YUzvC81LgEaZwywKUNHnAPH4ICX13gngVotYPhDOzSY+LHHIuyUatunVX6Aw5ly7dXRYHVMJ/ZhfrHXMJWJh0bk+v04GBy0c9wz4wg5qTzIYlOz6XlWfCS5zdpf5E4RYoiEBqWm7wd3NT6Rv4omlP28jcGyxMGGkl+FHXad6FWEPr8hISE9nAqMEui08GAMmBf6oF67Jy5R/mMArkcP+vnRIvhiHClVfv/nrVan/e6pHkM0qN8Nc9UVcZll/lPY5F5Fwe+Q1keDnhOL63LyS5CcGuosE/OPGOPC6uZcn55k+DxY/rvcSUUb30AFOaskuHTNLQOaCs3kxBxV+UyTsquqWQQmzFBd1CIo4ZohivnaFt7n8c6DZEK3S6odBP7rFCo8MiPoycv6k1MP/NB4nffu
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR02MB5113.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39850400004)(136003)(366004)(376002)(346002)(396003)(66556008)(66476007)(66616009)(66946007)(8936002)(53546011)(31696002)(8676002)(86362001)(44832011)(2616005)(21480400003)(16526019)(186003)(2906002)(31686004)(83380400001)(6486002)(5660300002)(36756003)(478600001)(786003)(235185007)(966005)(316002)(33964004)(38100700002)(45980500001)(43740500002); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: ThzXreMyPh8xoqAeu4KM8B9hFI8sXKWoYvug15o6A26LLrTZy0gwU3Bo3Dz57kJqolT8A5+6t1Be5AL6mIazPViWVc882IpHU1EdByXBxEtkCdsr3aZjOECyCCkr8v4TdIUBmrQOu849Kgy3aXXVt1uAQSjyaeuM0HgYtILi2eChqMO7UTregcqmtTv+UO83BEGDdklBU9aAsXDoGPApQe3G/s/wv2k6wCyg9xVPGQGkpLOTzef2KLCMd9M2LBM+tFquwkE/lySUJ0zFkR/qTDgH7Vh2NRPYOixqPLcCZ+DnAUdBLoW1lzuPVyLEouqjZhfniznfpBZEKDemBKaTvoU+IZjzLT3f4BH10dK9e74O3zIj1Qe8vBrgov7kwbr6fSuish3eQqYNp9/zoJ2jLB39LkIWXdJl1jJqkhuynZfCrXuNPJ3AvSPUOQs3cRic8DmvNnb+3r4uZj+71/We5OBgQjDHO5ndEdVILlSeFFWyxjY1aESJAsTwwwzwRCU1fkCqGpbLcu276iaZnQRS6Cn7xY2xeIZZ1oOsFrWrBA5y1gZ1C4V0zuxohMKTwh5i5/Zj/tXDhPmhdjyyNoDf+jeDGo/7Ule2Zfbi+YTp7IU6xWTHXe3m2LJN097hcaDFgs6iU0emiovbDlyE+R5eSGgaiYRzBv2/CtLKgLwmUcBv0mVmk44WZ4cSOpS1z/sXo/RScBHNzaPI0CxY9xBU8bViEyOQaI8ZMj1ERERR+Vk3YsxxVBKCfKKIjW+cF8HuV+NG04/AL6mD45fHSuxmBQUNzndp7YVLWtu2bRyEcyz+ZXlqN02IJcP2u8F96LmRPUNLVwoFpihVxqaCplgX5vP57sYBiPAJhPpYGJsYygg1xB5oFF/R3S2sVoijqtPp1XpAYCx56dhCmXTgBPUdvvhmm2EG1ikxPs0I3fIye7Cx3dauZe+c+aarNiTzdDOpbVmLn6iFu/Y2SAuHK9MIkI53Ykcj/SL/A4Y7W1scWgPrm0k0i8NfDjeynyjG/Eb6prnmmPzzihjTxRyg7rDn8hgQXx1/Ovkk4DpaFSZDfxqX4rpLylG9BDRAzLJnCWJNG6Tc7GE8U/QCnlIYrsRy8SmgP3VkcXzJxMMAF5t7GZ1GxiELDFpGMQq2+WltEUEh5rQRMv9OJNUayLhlDRm/Xzzz25D18bP0WAAuQfm3aI+cElYb3DEfwvDgjwZqFpO64z2A7JKK/XTfYXj8P5f/dyowyZ+8iIqlS4dYFPMMBOWBTHmTlDdjkbEm7qWWO4YtY9t7Q5Mx9Vmqi/B6EBmIY6+iz4nDSOLFu9CHNtJ+8pjFyU0wSMr4oAVNGKI/qtTIAoBLGEzHuuHGmNHrWXm1bEMbLPbL69yzSg6LWkfnmsYqneE7ew+N9KGDcnhdtZJJ
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: 6892beb3-4de5-47f7-0a81-08d935c6441e
X-MS-Exchange-CrossTenant-AuthSource: DB7PR02MB5113.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Jun 2021 21:39:51.5220 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: yHREqT9HoxsTFrtQH5T0vZYFRuE52o+KNpmUZyvWsG1CoHjNN1wIWh3yZZDwNgHc
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0202MB2744
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XnSP1kv4n_rZkuNQnpmueAsJVis>
Subject: Re: [TLS] ECH Padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Jun 2021 21:40:00 -0000
(1) aka #443 is the way to go here I think. (Such an aptly numbered PR has to be accepted I'd say:-) I'm only convinced of that because of QUIC, but that seems like enough or a rationale. I'm against (3) - it'd break too much and cost too much. WRT (2) I'd prefer to drop that extensibility rather than try use it because it's there. Cheers, S. On 22/06/2021 22:27, Christopher Patton wrote: > Hi all, > > One of the last design questions for Encrypted ClientHello (ECH) is to > decide how to pad encrypted handshake messages so that their length does > not leak privacy-sensitive handshake-parameters. The current approach is to > insert padding into the record layer as needed. However, the consensus > reached in [1] is that computing record-layer padding based on the contents > of handshake messages entails implementation complexity that is untenable, > particularly for QUIC and DTLS. The alternative that most folks are happy > with is to insert padding into the handshake messages themselves, as this > prevents details of the handshake logic from bleeding into the record layer > code. > > There are a few PRs for adding handshake-level padding that we could use > feedback on. > > (1) https://github.com/tlswg/draft-ietf-tls-esni/pull/443 Adds padding > to EncodedClientHelloInner, the message that is encrypted and stuck into > the ECH extension of the ClientHelloOuter. This prevents leakage of > sensitive parameters in ClientHelloInner. > > (2) https://github.com/tlswg/draft-ietf-tls-esni/pull/313 Defines a new > extension, which the client sends in ClientHelloInner in order to solicit a > response in the backend server's EncryptedExtensions message. The server''s > response contains padding it can use to prevent leakage of sensitive > parameters in its first flight of handshake messages. > > (3) https://github.com/tlswg/draft-ietf-tls-esni/pull/457 (alternative > to (2)) Defines a new handshake message, Padding, which the client and > backend server always send just before Finished in case of ECH acceptance. > One advantage of this approach over (2) is that the length of the padding > can be evaluated after the Certificate/CertificateVerify messages have been > chosen, making it possible to account for sensitive parameters in these > messages without needing to buffer the whole flight of messages. The > downside is that it may add complexity to the state machine of TLS 1.3 > implementations. > > There are some open questions regarding how to compute the padding length, > but these should be orthogonal to deciding the mechanism. > > Thanks on behalf of (some of) the contributors, > > Chris P. > ____ > [1] "Handshake-level vs record-level padding." > https://github.com/tlswg/draft-ietf-tls-esni/issues/264 > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] ECH Padding Christopher Patton
- Re: [TLS] ECH Padding Stephen Farrell
- Re: [TLS] ECH Padding Christopher Patton
- Re: [TLS] ECH Padding David Benjamin
- Re: [TLS] ECH Padding Stephen Farrell
- Re: [TLS] ECH Padding David Benjamin
- Re: [TLS] ECH Padding Martin Thomson
- Re: [TLS] ECH Padding Christopher Patton