Re: [TLS] Proposals to address ESNI issues

Rob Sayre <sayrer@gmail.com> Tue, 05 November 2019 21:58 UTC

From: Rob Sayre <sayrer@gmail.com>
Date: Tue, 5 Nov 2019 13:57:45 -0800
To: Christopher Wood <caw@heapingbits.net>
Cc: "TLS@ietf.org" <tls@ietf.org>
In-Reply-To: <a8a394f7-0586-47cd-9865-429d8a64f056@www.fastmail.com>
Message-ID: <CAChr6SydvwjnvbDLvoch8zpyeZm_sFawR_hJfExNrWCzJrx=Bw@mail.gmail.com>
Subject: Re: [TLS] Proposals to address ESNI issues
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZlmIYpXCd0884jSO9HfsU_AMnXo>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On Tue, Nov 5, 2019 at 12:35 PM Christopher Wood <caw@heapingbits.net> wrote:

> >
> > The attacks on ESNI security above seem to stem from two problems:
> >
> > 1. The ESNI contents are not fully bound to the ClientHello contents.
>

This seems right to me. I was surprised that the current ESNI drafts only
require the "KeyShareClientHello" as AAD input to the AEAD-Encrypt
function. Additionally, I've raised the point that even that arrangement
seems to imply that the client's key share message should appear before the
ESNI, or that the server must perform some input buffering.

Perhaps a variation on the "Tunnel CH" idea is in order: require that an
"Encrypted Client Hello" is the last extension in a ClientHello message.
> > 2. The handshake secrets are not bound to the ESNI contents. If this
> were not the case, servers could not choose attacker-controlled keying
> material yet proceed with victim-controlled parameters (SNIs).
>

I had a hard time parsing this point. Doesn't the current protocol require
echoing some encrypted content? I think the draft might need to address the
case where servers ignore the SNI and ESNI messages. Maybe that's the idea:
build this requirement into the handshake. It wasn't clear to me from the
email, though.

thanks,
Rob
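The binding problem discussed above (the ESNI AEAD only takes KeyShareClientHello as AAD, so the rest of the ClientHello can change without the server noticing), shown as an added example that is not from this thread or from any ESNI implementation. The ClientHello model, field names, the constant key and nonce, and the "splice" attacker are all constructed for illustration; AES-128-GCM stands in for whatever AEAD the cipher suite selects, and in the draft the key would be derived from the ESNI key share rather than fixed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// ClientHello is a constructed, simplified model with only the fields that
// matter for the binding question; it is not a TLS wire-format parser.
type ClientHello struct {
	KeyShare   []byte // body of the KeyShareClientHello extension
	OtherExts  []byte // every other extension (ALPN, supported_versions, ...)
	ESNICipher []byte // AEAD output carried in the encrypted_server_name extension
}

// aadKeyShareOnly mirrors the draft: only KeyShareClientHello is
// authenticated together with the encrypted SNI.
func aadKeyShareOnly(ch *ClientHello) []byte { return ch.KeyShare }

// aadFullClientHello authenticates everything else the client sent as well.
// Length prefixes keep the concatenation unambiguous.
func aadFullClientHello(ch *ClientHello) []byte {
	var b bytes.Buffer
	for _, field := range [][]byte{ch.KeyShare, ch.OtherExts} {
		binary.Write(&b, binary.BigEndian, uint16(len(field)))
		b.Write(field)
	}
	return b.Bytes()
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSNI is the client side: AEAD-Encrypt(key, nonce, aad, sni).
func sealSNI(key, nonce []byte, sni string, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, []byte(sni), aad), nil
}

// openSNI is the server side; a tag failure means the AAD (and so the
// ClientHello fields it covers) is not what the client encrypted against.
func openSNI(key, nonce, ct, aad []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// splice models an on-path attacker who keeps the victim's key_share and
// ESNI extension verbatim but replaces the rest of the ClientHello.
func splice(victim *ClientHello, otherExts []byte) *ClientHello {
	return &ClientHello{KeyShare: victim.KeyShare, OtherExts: otherExts, ESNICipher: victim.ESNICipher}
}

// trial encrypts an SNI under one AAD policy and reports whether the honest
// ClientHello and the spliced one decrypt. Each trial gets its own nonce so
// the fixed key is never reused with the same nonce.
func trial(aad func(*ClientHello) []byte, key, nonce []byte) (honestOK, splicedOK bool) {
	victim := &ClientHello{
		KeyShare:  []byte("x25519:victim-ephemeral-public-key"), // constructed
		OtherExts: []byte("alpn=h2;supported_versions=1.3"),     // constructed
	}
	ct, err := sealSNI(key, nonce, "secret.example", aad(victim))
	if err != nil {
		return false, false
	}
	victim.ESNICipher = ct
	_, err = openSNI(key, nonce, victim.ESNICipher, aad(victim))
	honestOK = err == nil
	forged := splice(victim, []byte("alpn=http/1.1;supported_versions=1.3"))
	_, err = openSNI(key, nonce, forged.ESNICipher, aad(forged))
	splicedOK = err == nil
	return
}

// runDemo runs both policies with a constant key (a stand-in for the key the
// draft derives from the ESNI key share).
func runDemo() (honestOK, splicedKeyShareOnlyOK, splicedFullOK bool) {
	key := bytes.Repeat([]byte{0x42}, 16)
	h1, s1 := trial(aadKeyShareOnly, key, bytes.Repeat([]byte{0x01}, 12))
	h2, s2 := trial(aadFullClientHello, key, bytes.Repeat([]byte{0x02}, 12))
	return h1 && h2, s1, s2
}

func main() {
	h, s1, s2 := runDemo()
	fmt.Printf("honest ClientHello accepted under both policies: %v\n", h)
	fmt.Printf("spliced ClientHello accepted with key-share-only AAD: %v\n", s1)
	fmt.Printf("spliced ClientHello accepted with full-ClientHello AAD: %v\n", s2)
}
```

With the draft's AAD the server decrypts the spliced ClientHello without complaint, because nothing it authenticates has changed; with the whole ClientHello in the AAD the GCM tag check fails and the server can reject the handshake. The example also shows why the AAD choice forces an ordering or buffering decision on the server: whatever the AAD covers has to be parsed before the ESNI can be opened.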