Re: [TLS] predictability of inputs in ESNI
Eric Rescorla <ekr@rtfm.com> Fri, 01 November 2019 22:09 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 222A212088B for <tls@ietfa.amsl.com>; Fri, 1 Nov 2019 15:09:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yJN9TI4ZX4Dm for <tls@ietfa.amsl.com>; Fri, 1 Nov 2019 15:09:45 -0700 (PDT)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F189C120130 for <tls@ietf.org>; Fri, 1 Nov 2019 15:09:43 -0700 (PDT)
Received: by mail-lf1-x12c.google.com with SMTP id a6so4848150lfo.3 for <tls@ietf.org>; Fri, 01 Nov 2019 15:09:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PnywTRhr+G77dnJlvGFqPaTedlPTUmcd+zzUYj/D5tA=; b=Z9DFR6k4VfbPQ2fiTe2jlAtC96fMpp1LmBkbZJ5DXTxdRctFBmGCSfiVOsPy1mP37i d70dxM9AVX4fxVwEPJyRDKQ/2Q0gvvhDkGsvUW1UbbvX7/Tjmce5PscKXL/ZUcamFS0K 476f4HUXIVhDZIJmEozZVHaMzQzT1nIF1hGJC6GqtDRzjQgSXG8MAlo2oGAp4IsHXMSP jZT+JzJMF80Ow7lb/wytcij04EwLcnLGsSMXGKEKSFwFbgdSeBmAN2tM0Nt3HlBDzqvt UC4MmQNFjezQtimve08l/7DiUJJPnbLzWQCfHBT+ToMIyxlC4EKMCsll55Wp6DSTPu/T LfXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PnywTRhr+G77dnJlvGFqPaTedlPTUmcd+zzUYj/D5tA=; b=iy4aTAHJwW0HUMLEotnPWMcefpV4kr5dLAeXoEkCYhfYsckSK64HV1aoZDlUjRg1I2 +pN7VOWoyI3rqyKhM9TXOKkmZyaFeQmnZ1EuJjRoOoAcapnIiWLr/2zMsvoQs+jv0bF8 j2sJEUyzm31UwJvU0P6VR8I1/iN1rYY9JhiaqASYypwjy7OyqKsIx5A9diXkiBkjm0D1 tog69U8vjMSxb5zl9Pf/wjSvzdaOcPIYX9Ezgtf40WtN7RiemOoOYr320aCs71bbstAy 1FM1bgIr58Za5oAzS2OEd2ItHPn3u/qej1DfGoRF8O8hFOjhMlDcSUyrd+fLQ0rkcfUs SVXQ==
X-Gm-Message-State: APjAAAWC8Zc71SOou4gcZL8nZKe871HPi6KD+rkQMj1gHpNNLIQkIANO 06sB7QuBR8MPhL3PtYcWXd43zHcH0rgP5cIaTffwpw==
X-Google-Smtp-Source: APXvYqysUvwWqEdXIjsNloRo74N6tihmRE8etuLeJn9F/a055joEl1AN/XyLiCJPEYuGq31XdY934UKfgfIBXhmsU34=
X-Received: by 2002:ac2:4a72:: with SMTP id q18mr8891471lfp.184.1572646182226; Fri, 01 Nov 2019 15:09:42 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6SxZQkbLExmFYX8obdvMw_oFY2=k9Q3YUTUW67HUo74vLg@mail.gmail.com>
In-Reply-To: <CAChr6SxZQkbLExmFYX8obdvMw_oFY2=k9Q3YUTUW67HUo74vLg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 01 Nov 2019 15:09:06 -0700
Message-ID: <CABcZeBMA0gnsw+pqmx0vtYXvd6aAWxTR6yAybDRxut+XJQonbg@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Cc: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000ca068059650397e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YG7aiQeEO6VGVB-_CttItt9rflI>
Subject: Re: [TLS] predictability of inputs in ESNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2019 22:09:47 -0000
On Fri, Nov 1, 2019 at 2:28 PM Rob Sayre <sayrer@gmail.com> wrote: > Hi, > > I am not sure how important these findings are, but I've noticed three > instances of unnecessarily predictable inputs in ESNI: > > 1) Trailing padding after domain names are zeros. > 2) The checksum calculation seems to start with predictable version bytes > in draft -04, and in shipping implementations > I'm not aware of any cryptographic reason why these would be a problem. It's reasonably common practice to have partially fixed inputs to the TLS cryptographic functions (see, for instance, HMAC labels and the trailing padding 0s in the record protection). In general, if this sort of thing turns out to be a problem for some algorithm, we consider it to be a problem with the algorithm. 3) In practice, NSS inserts 8 bytes of zeros at the beginning of its AAD > input (<https://github.com/tlswg/draft-ietf-tls-esni/issues/190>) > I believe you're misreading the code. For historical reasons, the internal NSS TLS AEAD API prefixes the AAD argument with the sequence number. When we repurposed this code for ESNI, we just passed in a 0 sequence number. That value is stripped off and is not part of the AAD computation. It seems like these values should all be allowed to be opaque, and I am not > sure why NSS is prepending zeros to its AAD (although I asked in the github > issue). > As I said, it's not. -Ekr
- [TLS] predictability of inputs in ESNI Rob Sayre
- Re: [TLS] predictability of inputs in ESNI Eric Rescorla
- Re: [TLS] predictability of inputs in ESNI Rob Sayre
- Re: [TLS] predictability of inputs in ESNI Eric Rescorla
- Re: [TLS] predictability of inputs in ESNI Rob Sayre
- Re: [TLS] predictability of inputs in ESNI Eric Rescorla
- Re: [TLS] predictability of inputs in ESNI Rob Sayre
- Re: [TLS] predictability of inputs in ESNI Christopher Wood