Re: [TLS] three ECHO issues
Eric Rescorla <ekr@rtfm.com> Mon, 09 March 2020 16:25 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48BAB3A134C for <tls@ietfa.amsl.com>; Mon, 9 Mar 2020 09:25:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8nw-fyNeI9rM for <tls@ietfa.amsl.com>; Mon, 9 Mar 2020 09:25:34 -0700 (PDT)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC8A63A0C1B for <tls@ietf.org>; Mon, 9 Mar 2020 09:25:33 -0700 (PDT)
Received: by mail-lf1-x136.google.com with SMTP id t21so8220367lfe.9 for <tls@ietf.org>; Mon, 09 Mar 2020 09:25:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MZ7eEjnPgXDHiv5uIrGsjLPzMp1tqKKOYhaStakiId8=; b=myY87zBUBojdJiO4Zu156BCE+/dDTmo2pm6T9HSdFYomg7LvcKj9syNlUoMWXTsvQ6 57ReBhmQ/A0UXOngFJFOOs/tPAulS4YTJGTPKtbG3zAJyMDaFy59BeBUa77IJ6L8Ixne CNHKjAvldlf3vlK2pcxsvlY0a1hIhhVtZde+voZhVPNbAGZ9PAg19u/tiE00cce+H0zO LY4jdI1KkHozfLhTqoNed5CTIuSIKtVfPqERyhWo/g3CbH7BPciZZjoF/CKTtG1Hm/Eo zGZHhIYn71KAwK7LkztR2ULTL0z1izGVYw4L53vqz07jIeC7q4dkoq8Fw5yJWV5EpmHg YLGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MZ7eEjnPgXDHiv5uIrGsjLPzMp1tqKKOYhaStakiId8=; b=iXw0AEn3thH7OtXdPsHl1y7fW6QBIpfC3zF0EMCmiVXmIqlLch1dAJVOStmfUxpjYF mwpiQlETI7Bpd0Fndi7YvW+sVt8JTKn+EpPLguDhI9IT3gRQLkgfh5Zsz0DYd8ZWqUCw HXN+mWxZLwkblf1gCYVghQHxULNAhixJhJJGyKoidEUW8Wy8vv3ukIZOh7hUPStO1ixG jnQQ1dpTsZsimycjql8HqY0+AQoqqD44ya1J3waPT0bTlsq6EYoBki+AMCzIpE6BvbCS o1ZNI8lWpUc0U7PJqmH7mghB1Po4pYbVfcgXgjArfSWSPWx5sdRHaHZdByMWqU0u/uga qwPw==
X-Gm-Message-State: ANhLgQ2LoBxhs7IeU90biHHGTBlHYFakZzzMD/jT0mhd5qdSpNqTNTdR 5ylDCE2X/8dOUssBf1/zrdW3x0be2Bh8wHynCXjAvQ==
X-Google-Smtp-Source: ADFU+vvXRzpwiTInJrsobaUsty2BTix5URneB/d7XiXPPvkr62/GZDsvcYuZTZKRBpfj9dtFjZd5EIhuIUKXGFj7vNE=
X-Received: by 2002:ac2:5e37:: with SMTP id o23mr3236256lfg.201.1583771131792; Mon, 09 Mar 2020 09:25:31 -0700 (PDT)
MIME-Version: 1.0
References: <a212c2da-f2fd-9013-4934-a46e03b024f3@cs.tcd.ie> <87368A1A-0F1E-45C6-938C-0F755208E9B4@heapingbits.net> <7fc87dd2-88dd-16e9-979f-3770d41184b2@cs.tcd.ie> <5f325608-ea37-5ce6-67cd-139fac8a41b3@huitema.net> <f2b57747-54b0-118a-b4e3-ef7558d4d911@cs.tcd.ie> <CAHbrMsCdC3oebHKxQp6OF2RCmeZZpg6TH-tjJbMNcgrTjfj8Jw@mail.gmail.com> <32c734ae-46cb-48f9-b586-595c0b24ef6b@www.fastmail.com>
In-Reply-To: <32c734ae-46cb-48f9-b586-595c0b24ef6b@www.fastmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 09 Mar 2020 09:24:55 -0700
Message-ID: <CABcZeBORcxP2WhoUg368JihRhYcfTn9TLMH+FTw1b819=uzAJw@mail.gmail.com>
To: Christopher Wood <caw@heapingbits.net>
Cc: Ben Schwartz <bemasc@google.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b7641705a06e7397"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Z9Myazwva-K3SOhCBMVXELPxgLI>
Subject: Re: [TLS] three ECHO issues
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2020 16:25:37 -0000
I tend to agree. there's an open issue in the spec about this and I've sort of come to the conclusion that it's going to be pretty easy to determine just by sending your own ECH with the same key id and looking at what comes back. On Mon, Mar 9, 2020 at 8:32 AM Christopher Wood <caw@heapingbits.net> wrote: > On Mon, Mar 9, 2020, at 8:23 AM, Ben Schwartz wrote: > > > > > > On Mon, Mar 9, 2020 at 6:49 AM Stephen Farrell > > <stephen.farrell@cs.tcd.ie> wrote: > > > > > > Hiya, > > > > > > On 09/03/2020 02:13, Christian Huitema wrote: > > > > On 3/8/2020 10:14 AM, Stephen Farrell wrote: > > > > > > > >> I'm questioning whether that's a good goal or not. In my > > > >> analysis of the various extensions, only SNI and ALPN seem > > > >> to offer immediate value. > > > > > > > > Uh, No. First, we do have fingerprinting attacks that look at the > > > > pattern of extensions. If the extensions are encrypted in the ESNI, > they > > > > cannot do that. > > > > > > Well... that depends on whether or not the outer CH that > > > includes the inner exposes fingerprintable detail. If it > > > were possible to define a minimal outer CH profile that > > > everyone could use, then I'd be for that, but not sure > > > it's feasible. > > > > Instead of one profile for "everyone", the ECHOConfig could provide > > instructions for forming the ClientHelloOuter. > > > > BTW, enumerating the supported ALPNs in the ECHOConfig would solve the > > ALPN padding problem (but now we're awfully close to cTLS...). > > > > > > And then, we have extensions that reveal a lot about the > > > > app, like for example the QUIC parameters extension. Those are just > as > > > > sensitive as the ALPN. > > > > > > Wasn't in the OpenSSL code I looked at:-) But sure, if > > > there are others that offer immediate value, good to know > > > about 'em. What's a good ref for that? (I've not been > > > keeping up to date with QUIC-detail.) > > > > > > The main problems I've seen in inner/outer variance > > > so far relate to the TLS key share though - because > > > that (and associated values) generate loads of internal > > > state that has to be duplicated and that can have a > > > bunch of hard to track side-effects in the code when > > > the trial decryption is being checked. > > > > It seems like trial decryption can be avoided by tagging the > > ServerHello. For example, the client could include X random bytes in > > the ClientHelloInner, and the server could echo them in cleartext if > > ECHO is in use, or send X random bytes if ECHO decryption failed. (The > > extra upstream bytes can probably be avoided by returning a hash of the > > nonce or something.) Would this make implementation easier? > > We might also consider dropping the "do not stick out" requirement > altogether. That would make this much simpler: just put a flag in SH. > > Best, > Chris > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] three ECHO issues Stephen Farrell
- Re: [TLS] three ECHO issues Christopher Wood
- Re: [TLS] three ECHO issues Stephen Farrell
- Re: [TLS] three ECHO issues Christopher Wood
- Re: [TLS] three ECHO issues Stephen Farrell
- Re: [TLS] three ECHO issues Christian Huitema
- Re: [TLS] three ECHO issues Rob Sayre
- Re: [TLS] three ECHO issues Christopher Wood
- Re: [TLS] three ECHO issues Stephen Farrell
- Re: [TLS] three ECHO issues Ben Schwartz
- Re: [TLS] three ECHO issues Christopher Wood
- Re: [TLS] three ECHO issues Eric Rescorla
- Re: [TLS] three ECHO issues Ilari Liusvaara