Re: [TLS] ECH Padding

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 22 June 2021 21:40 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CB4F3A1AE4 for <tls@ietfa.amsl.com>; Tue, 22 Jun 2021 14:40:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.337
X-Spam-Level:
X-Spam-Status: No, score=-2.337 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.338, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wk9pdhLwY1g7 for <tls@ietfa.amsl.com>; Tue, 22 Jun 2021 14:39:55 -0700 (PDT)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2129.outbound.protection.outlook.com [40.107.22.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EC3E3A1AE9 for <tls@ietf.org>; Tue, 22 Jun 2021 14:39:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eyzexXTPO3lw5/iehCCVXEV2Crn0SnhDDuNDCWmB8WaxY1iJa1+RzucIM8ITNmQZZYgj2L+64L8g1dFXVtEIRV6PBbfav4/YktSYye7kS5qNl9bJ55mxe6Bxx+pCZi5YERahYhJNfXYgxLiDvsyYEMbsYrUua25ubtGT/j0UJcWFiGh6kt0SvU8xa/SVwnfqa8BSVangquIAjy24AKWeg8xkc3lYsHT2GuUyZ8uvzbfr+hEmyoHA/08PtV4p5fxsfL5JKXdt+ITVrt6dCjPvlvu+9D+3hlcgpMvB5SiwwWcdcqcFvLV+DEZA5XAavGmdYF2a1STuP5+MJhed8D73mw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=e85a/h3fRoSdo5jdAKydOZ8zTDaJkWggfsG89/Fp2CE=; b=LsDV1b/16SmvXRoJOdhv2Uudl65Up8ysYBdMxslY+EuBd6vROxvG0Lm45yvdlZWExBGoRWppYW0/bAcSxGR6UM6FwQLaoIe9DWexhfJr/+eVpoMOCGBjz9lFR5/vWOMJW9BYGZ7jl0IwDGX9bTaV53hdxA70Ib0ucPC+HXA60nt5v0x0tavjgZ2moqGOAlt1VKIrHU8pVbB68eRPi9kCYeXOQRSXHHMTa/OMnmmjah2r+E4/t4kxV7+E0oq4TYlsEtCVta8ny452PULGNVdEmp2HWljKlZlyCfEr7L1KF2THhqm2bxKOGAujnrm+bfxNePQ+pzppbxF9FlEd5YieOw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=e85a/h3fRoSdo5jdAKydOZ8zTDaJkWggfsG89/Fp2CE=; b=H9rXC79uuR5ZUt5eMdQVe52WS2sxiGD6T2A5TnpTW9ga/0ONgpEfIiizyQZtGovn2PzrTRisxxL5OqnKXifCi1JO57TuVOhHiWQ8qWfxlVZBHV/AhxrcO3tDpkkcs9RXO52n9ZhrWGbaQLoUR+KhyhVphKWirexw6FmSN4Z1OH6/MFTa59SPb4zsf/Z6tx4ayzomM68ur4h6gWxlYgTCImAAtZa2kxLYCF6g3riHNZhKM5P4KVfulLcVcWivzaCoV7fMbQ5Y1VDK+2/qrz5bwgOsDfCVb1yCajJwN9Xi6rl1zW96ypolrhQbPqLhW0t2/ArRg8hG8wSS4hHi4hmOAw==
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=cs.tcd.ie;
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15) by DB6PR0202MB2744.eurprd02.prod.outlook.com (2603:10a6:4:a8::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4264.18; Tue, 22 Jun 2021 21:39:51 +0000
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::9c71:9f6:9136:f849]) by DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::9c71:9f6:9136:f849%6]) with mapi id 15.20.4242.023; Tue, 22 Jun 2021 21:39:51 +0000
To: Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>, tls@ietf.org
References: <CAG2Zi21oLUmoNLXVD7QuOOLre4XZtxJxt=2SH_ELkigdUT9m6g@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <8f249b27-7ea9-d044-fb87-e2af6b26175b@cs.tcd.ie>
Date: Tue, 22 Jun 2021 22:39:49 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
In-Reply-To: <CAG2Zi21oLUmoNLXVD7QuOOLre4XZtxJxt=2SH_ELkigdUT9m6g@mail.gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="SPjqQcSfm7oaXI1oKF4GvBzgewVAVjwZ2"
X-Originating-IP: [2001:bb6:5e5e:b458:7aa2:cc61:e4c1:c208]
X-ClientProxiedBy: DU2PR04CA0231.eurprd04.prod.outlook.com (2603:10a6:10:2b1::26) To DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [IPv6:2001:bb6:5e5e:b458:7aa2:cc61:e4c1:c208] (2001:bb6:5e5e:b458:7aa2:cc61:e4c1:c208) by DU2PR04CA0231.eurprd04.prod.outlook.com (2603:10a6:10:2b1::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4264.18 via Frontend Transport; Tue, 22 Jun 2021 21:39:51 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 6892beb3-4de5-47f7-0a81-08d935c6441e
X-MS-TrafficTypeDiagnostic: DB6PR0202MB2744:
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-Microsoft-Antispam-PRVS: <DB6PR0202MB2744E176ECB9E68F122081C0A8099@DB6PR0202MB2744.eurprd02.prod.outlook.com>
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Oob-TLC-OOBClassifiers: OLM:5516;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: ON0zNMWTRIVsDheImtnNtwxIe+Ig32zHJY2obLvZ/PM5VZ31vMTa3p448rKUIAMv6vzNXpFVdrgzK4HBJdTeW+ACF/VRcXfBI2eSEYoy0N+L0NdEM1VcQTYcsY71YeM2ICHQ7Opl1uQxjcCYJyueA1h9JJtukX35ywXimbt3JvB6UpSzoq42cOrOk0aZTb1qujMVFvu6r89IjZrvYLuDqFwpIDF/4oto16WQnhMk3IyzavZc9OrwAZQDRHHdKuGSzvRhjxIsbk4NGMRQyseqvAvOQJPmw4973tYOqG0B5OI+bydXHNfzJcGIcH2K25fjFCwAs025LKs5/Z/ZbSvPrjq7C54LzW40YzXIFZgPHIvNlXQGGPoNXFhl9W7knOWyv9X1GsmzvC/p6ejaNhBAGiTpCQ9fjD7szCoUtUjP7YUzvC81LgEaZwywKUNHnAPH4ICX13gngVotYPhDOzSY+LHHIuyUatunVX6Aw5ly7dXRYHVMJ/ZhfrHXMJWJh0bk+v04GBy0c9wz4wg5qTzIYlOz6XlWfCS5zdpf5E4RYoiEBqWm7wd3NT6Rv4omlP28jcGyxMGGkl+FHXad6FWEPr8hISE9nAqMEui08GAMmBf6oF67Jy5R/mMArkcP+vnRIvhiHClVfv/nrVan/e6pHkM0qN8Nc9UVcZll/lPY5F5Fwe+Q1keDnhOL63LyS5CcGuosE/OPGOPC6uZcn55k+DxY/rvcSUUb30AFOaskuHTNLQOaCs3kxBxV+UyTsquqWQQmzFBd1CIo4ZohivnaFt7n8c6DZEK3S6odBP7rFCo8MiPoycv6k1MP/NB4nffu
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR02MB5113.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39850400004)(136003)(366004)(376002)(346002)(396003)(66556008)(66476007)(66616009)(66946007)(8936002)(53546011)(31696002)(8676002)(86362001)(44832011)(2616005)(21480400003)(16526019)(186003)(2906002)(31686004)(83380400001)(6486002)(5660300002)(36756003)(478600001)(786003)(235185007)(966005)(316002)(33964004)(38100700002)(45980500001)(43740500002); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?VGh6WHJlTXlQaDh4b3FBZXU0S004QjloRkk4c1hLV29ZdnVnMTVvNkEyNkxM?= =?utf-8?B?clRaeTBnd1UzQm8zRHo1N2tKcW9sVDhBNSs2dDFCZTVBTDZtSWF6UFZpV1Zj?= =?utf-8?B?ODgySXBIVTFFZEJ5WEJ4RXRrQ2RzcjNhWmpPRUN5Q0Nrcjh2NFRkSVVCbXJR?= =?utf-8?B?T3U4NDlLZ3kzYVhYVnQxdUFRU2p5YWV1TTBIZ1l0SUxpMmVDaHFNTzdVVHJl?= =?utf-8?B?Z2NxbXRUditVTzgzQkVHRGRrbEJVOWFBc1hEb0dQQXBRZTNHL3Mvd3YyazZ3?= =?utf-8?B?Q3lnOXhWUEdRR2twTE9UemVmMktMQ01kOU0yTEJNK3RGcXV3a0UvbHlTVUow?= =?utf-8?B?ekZrUi9xVERnSDdWaDJOUlBZT2l4cVBMY0NaK0RuQVVkQkxvVzFsenVQVnlM?= =?utf-8?B?RW91cWpaaGZuaXpuZnBCWkVLRGVtQkthVHZvVStJWmp6TFQzZjRCSDEwZEs5?= =?utf-8?B?ZTc0TzN6SWoxUWU4dkJyZ292N2t3YnI2ZlN1aXNoM2VRcVlOcDkvem9KMmpM?= =?utf-8?B?QjM5TGtJV1hkSmwxakpxa2h1eW5aZkNyWHVOUEozQXZTUFVPUXMzY1JpYzhE?= =?utf-8?B?bXZObmIrM3I0dVpqKzcxL1dlNU9CZ1FqREhPNW5kRWRWSUxsU2VGRld5eGpZ?= =?utf-8?B?MWFFU0pBc1R3d3d6d1JDVTFma0NxR3BiTGN1Mjc2aWFablFSUzZDbjd4WTJ4?= =?utf-8?B?ZUlaWjFvT3NGcldyQkE1eTFnWjFDNFYwenV4b2hNS1R3aDVpNS9aai90WERo?= =?utf-8?B?UG1oZGp5eU5vRGYramVER28vN1VsZTJaZmJpK1lUcDdJVTZ4V1RIWGUzbTJM?= =?utf-8?B?Sk4wOTdoY2FERmdzNmlVMGVtaW92YkRseUUrUjVlU0dnYWlZUnpCdjIvQ3RM?= =?utf-8?B?S2dMd21VY0J2MG1WbWs0NFdaNGNTT3BTMXovc1hvL1JTY0JITnphUEkwQ3hZ?= =?utf-8?B?OXhCVThiVmlFeU9RYUk4Wk1qMUVSRVJSK1ZrM1lzeHhWQktDZktLSWpXK2NG?= =?utf-8?B?OEh1VitORzA0L0FMNm1ENDVmSFN1eG1CUVVOem5kcDdZVkxXdHUyYlJ5RWN5?= =?utf-8?B?eitaWGxxTjAySUpjUDJ1OEY5NkxtUlBVTkxWd29GcGloVnhxYUNwbGdYNXZQ?= =?utf-8?B?NTdzWUJpUEFKaFBwWUdKc1l5Z2cxeEI1b0ZGL1IzUzJzVm9panF0UHAxWHBB?= =?utf-8?B?WUN4NTZkaENtWFRnQlBVZHZ2aG1tMkVHMWlreFBzMEkzZkl5ZTdDeDNkYXVa?= =?utf-8?B?ZStjK2Fhck5pVHpkRE9wYlZtTG42aUZ1L1kyU0F1SEs5TUlrSTUzWWtjai9T?= =?utf-8?B?TC9BNFk3VzFzY1dnUHJtMGswaThOZkRqZXlueWpHL0ViNnBybm1tUHp6aWhq?= =?utf-8?B?VHhSeWc3ckRuOGhnUVh4MS9PdmtrNERwYUZTWkRmeHFYNHJwTHlsRzlCRFJB?= =?utf-8?B?ekxKbkNXSk5HNlRjN0dFOFUvUUNubElZcnNSeThTbWdQM1ZrY1h6SnhNTUFG?= =?utf-8?B?NXQ3R1oxR3hpRUxERnBHTVFxMitXbHRFVUVoNXJRUk12OU9KTlVheUxobERS?= =?utf-8?B?bS9Yenp6MjVEMThiUDBXQUF1UWZtM2FJK2NFbFliM0RFZnd2RGdqd1pxRnBP?= =?utf-8?B?NjR6MkE3SktLL1hUZllYajhQNWYvZHlvd3laKzhpSXFsUzRkWUZQTU1CT1dC?= =?utf-8?B?VEhtVGxEZGprYkVtN3FXV080WXRZOXQ3UTVNeDlWbXFpL0I2RUJtSVk2K2l6?= =?utf-8?B?NG5EU09MRnU5Q0hOdEorOHBqRnlVMHdTTXI0b0FWTkdLSS9xdFRJQW9CTEdF?= =?utf-8?B?ekh1dUhHbU5IcldYbTFiRU1iTFBiTDY5eXpTZzZMV2tmbm1zWXFuZUU3ZXcr?= =?utf-8?Q?N9KGDcnhdtZJJ?=
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: 6892beb3-4de5-47f7-0a81-08d935c6441e
X-MS-Exchange-CrossTenant-AuthSource: DB7PR02MB5113.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Jun 2021 21:39:51.5220 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: yHREqT9HoxsTFrtQH5T0vZYFRuE52o+KNpmUZyvWsG1CoHjNN1wIWh3yZZDwNgHc
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0202MB2744
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XnSP1kv4n_rZkuNQnpmueAsJVis>
Subject: Re: [TLS] ECH Padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Jun 2021 21:40:00 -0000

(1) aka #443 is the way to go here I think. (Such an aptly
numbered PR has to be accepted I'd say:-) I'm only convinced
of that because of QUIC, but that seems like enough or a
rationale.

I'm against (3) - it'd break too much and cost too much.

WRT (2) I'd prefer to drop that extensibility rather than
try use it because it's there.

Cheers,
S.

On 22/06/2021 22:27, Christopher Patton wrote:
> Hi all,
> 
> One of the last design questions for Encrypted ClientHello (ECH) is to
> decide how to pad encrypted handshake messages so that their length does
> not leak privacy-sensitive handshake-parameters. The current approach is to
> insert padding into the record layer as needed. However, the consensus
> reached in [1] is that computing record-layer padding based on the contents
> of handshake messages entails implementation complexity that is untenable,
> particularly for QUIC and DTLS. The alternative that most folks are happy
> with is to insert padding into the handshake messages themselves, as this
> prevents details of the handshake logic from bleeding into the record layer
> code.
> 
> There are a few PRs for adding handshake-level padding that we could use
> feedback on.
> 
>      (1) https://github.com/tlswg/draft-ietf-tls-esni/pull/443 Adds padding
> to EncodedClientHelloInner, the message that is encrypted and stuck into
> the ECH extension of the ClientHelloOuter. This prevents leakage of
> sensitive parameters in ClientHelloInner.
> 
>      (2) https://github.com/tlswg/draft-ietf-tls-esni/pull/313 Defines a new
> extension, which the client sends in ClientHelloInner in order to solicit a
> response in the backend server's EncryptedExtensions message. The server''s
> response contains padding it can use to prevent leakage of sensitive
> parameters in its first flight of handshake messages.
> 
>      (3) https://github.com/tlswg/draft-ietf-tls-esni/pull/457 (alternative
> to (2)) Defines a new handshake message, Padding, which the client and
> backend server always send just before Finished in case of ECH acceptance.
> One advantage of this approach over (2) is that the length of the padding
> can be evaluated after the Certificate/CertificateVerify messages have been
> chosen, making it possible to account for sensitive parameters in these
> messages without needing to buffer the whole flight of messages. The
> downside is that it may add complexity to the state machine of TLS 1.3
> implementations.
> 
> There are some open questions regarding how to compute the padding length,
> but these should be orthogonal to deciding the mechanism.
> 
> Thanks on behalf of (some of) the contributors,
> 
> Chris P.
> ____
> [1] "Handshake-level vs record-level padding."
> https://github.com/tlswg/draft-ietf-tls-esni/issues/264
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>