Re: [TLS] About encrypting SNI
Eric Rescorla <ekr@rtfm.com> Wed, 16 April 2014 03:51 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1BBA1A006F for <tls@ietfa.amsl.com>; Tue, 15 Apr 2014 20:51:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AV_3WtzSiHOr for <tls@ietfa.amsl.com>; Tue, 15 Apr 2014 20:51:10 -0700 (PDT)
Received: from mail-we0-f180.google.com (mail-we0-f180.google.com [74.125.82.180]) by ietfa.amsl.com (Postfix) with ESMTP id 4B92B1A0022 for <tls@ietf.org>; Tue, 15 Apr 2014 20:51:10 -0700 (PDT)
Received: by mail-we0-f180.google.com with SMTP id p61so10129032wes.25 for <tls@ietf.org>; Tue, 15 Apr 2014 20:51:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=Kc+JJQxif7bg+xVkB3hnd8vHufa8wtt9NYl5EMrd0yg=; b=fCZcpkwVyH+lwzRS7zZl7s7OgMzwNgi7IFs9sVhbS+nwo+jJzvzIHzY/O83Edeghtm tNtW8KKKcuMfx1NS5pFUySlbXy61B3OD+WketwBb2x1/UeF8IlQ+hfQ9eIiXnikM98CH 8IDTdsVk5CnypNslt50pvLdWIqRtn4Um60QyKyttP8M1P+ZUAmv/4u/k8uanroTqXwS/ tfFRy580Oaoh3syx779fSmuFxC4x0uuvqpyyYYWOdSu3ETdb4uiN+p/zwBVVUAA48TTf 9xfQhmDKETtRFXt6XZHJo3SB4v5eIIwPZAt+2HOTVUKj+wgKASjnOuiC1jFVGSXKmPhz 4uLw==
X-Gm-Message-State: ALoCoQk9WTU7MNeTPEyr8lDA27goRoqdMutU/HGAkPBdTSm7IlF5Va8GXdTbmKtajnUpoKsu6KpN
X-Received: by 10.180.90.140 with SMTP id bw12mr5399126wib.18.1397620266783; Tue, 15 Apr 2014 20:51:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.218.198 with HTTP; Tue, 15 Apr 2014 20:50:26 -0700 (PDT)
X-Originating-IP: [74.95.2.168]
In-Reply-To: <534DB18A.4060408@mit.edu>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED40@USMBX1.msg.corp.akamai.com> <534C3D5A.3020406@fifthhorseman.net> <474FAE5F-DE7D-4140-931E-409325168487@akamai.com> <D2CB0B72-A548-414C-A926-A9AA45B962DA@gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B490162@USMBX1.msg.corp.akamai.com> <CACsn0cmusUc3Rsb2Wof+dn0PEg3P0bPC3ZdJ75b9kkZ5LDGu_A@mail.gmail.com> <534DB18A.4060408@mit.edu>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 15 Apr 2014 20:50:26 -0700
Message-ID: <CABcZeBOJ7k8Hb9QqCAxJ_uev9g_cb4j361dp7ANvnhOOKsT7NA@mail.gmail.com>
To: Andy Lutomirski <luto@amacapital.net>
Content-Type: multipart/alternative; boundary="f46d043c811a88717904f720d342"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/b-9xzdtSI6kkQS2xd_y3Gs2OKHg
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Apr 2014 03:51:15 -0000
Andy, This is an interesting idea and as you say, it has the virtue that it doesn't require messing with the state machine at all. I have a few comments: 1. You probably have to frame this as a ClientHello with some opaque extensions which happen to be encrypted. The reason for this is that there are stateful inspection devices which examine data on port 443 and enforce that it looks like TLS. As these devices are associated with the client not the server, the server's TLS 1.3 compatibility does not guarantee that the client will in fact be able to send a non-TLS framed ClientHello. 2. It might (or might not) be easier to frame the advertised information as a TLS cipher suite. 3. This only prevents downgrade attacks if the information is secured via DNSSEC. There are intermediate elements which damage enough of the DNS resolution process that they will cause DNS signature failures even when the client knows that the records are supposed to be signed. Hard-failing in these cases will likely result in unacceptably high failure rates, but if you don't hard fail, then a network-based downgrade to unencrypted SNI is possible. More generally, I note that a number of the suggestions that people have provided here (yours, Watson's Rich's, my modification of Rich's) have the common factor that they require the server to opt-in in some way. This has the major advantage that it allows us to design a mechanism which might be inconvenient for some network environments because they can just not opt-in, as well as allowing out-of-band delivery of some data in the DNS. The disadvantage seems to be that a smaller fraction of sites will offer encrypted SNI, which slightly paints a target on them. I think that's probably OK, since no matter what mechanism we use for encrypted SNI, it seems likely that an attacker will be able to get a good handle on the virtual hosts served by a given site, and so can use that to identify which sites he is interested in tracking even if everyone were to use encrypted SNI. However, it's worth considering and I'd love to hear from people who want encrypted SNI what they think of this tradeoff. -Ekr On Tue, Apr 15, 2014 at 3:24 PM, Andy Lutomirski <luto@amacapital.net>wrote: > On 04/14/2014 10:21 PM, Watson Ladd wrote: > > Now, the best mechanism I can think off would be to use DNS to preload > > a per-IP SNI encryption key, or have the handshake optionally involve > > getting one. But I still can't figure out how to authenticate the > > gotten key without a lot of complexity. The best solution is for the > > client and server to do a DH, then pass the desired website (which > > might get you investigated when the initial handshake is intercepted), > > and have that cert sign the handled DH, then go back and do a TLS > > connection. Ugh. > > What if it were an opt-in thing? A hypothetical DANE extension could > associate with each domain a tuple (ClientHello-protection public key, > TLS version guaranteed to be supported). Clients could resolve that > essentially for free as long as they're already querying DNS, and this > could prevent downgrade attacks and give an efficient way to encrypt the > entire ClientHello. > > Note that there's no reason that the public key in here should have > anything to do with the eventual TLS handshake. In fact, I would argue > that it should be completely independent, so that large-scale load > balancers could strip the encryption off the ClientHello and hand the > connection off to something else that knows the real key. > > As a concrete algorithm, the extra DNS information could be 36 bytes: 34 > for ("Curve25519/ElGamal + AES-128-GCM" || "B = b*G") and 2 for "TLS > 1.3" in some suitable format. If such a record exists, then the client > starts the connection with something like "Encrypted Hello" || a*G || IV > || AES-128-GCM(a*B, IV, ClientHello). > > Arguably, the rest of the handshake should be encrypted with the same > key. The only reason I suggested this particular public-key > cryptosystem is because it makes it easy to encrypt the reply. > > There's a weak argument to be made for arranging for the actual > encrypted ClientHello to be indistinguishable from random by anyone who > doesn't know the private key. This ought to be straightforward using > Elligator. Off the top of my head, it sounds cute, but I don't really > see a benefit. > > The TLS version is to prevent this thing from being downgraded away: if > the server tries to claim that it only speaks TLS 1.2, but the DNS > record said that the server supports TLS 1.3, then the client aborts. > > This isn't directly per-IP, but a sensible server deployment should use > the same exact data in DNS for everything it hosts on the same IP. > > This adds no round-trips. It costs a few random bytes, two > multiplications, and an AEAD invocation on the client, and it costs one > multiplication and an AEAD invocation on the server. > > It adds very little protocol complexity: the encrypted ClientHello is > exactly the same thing as a regular ClientHello but with an extra layer > of encryption on top. > > --Andy > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Russ Housley
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Nick Mathewson
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Seth David Schoen
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- [TLS] Forged RST (was: About encrypting SNI) Alyssa Rowan
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] Forged RST (was: About encrypting SNI) Erik Nygren
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] Forged RST Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Nico Williams
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] Forged RST (was: About encrypting SNI) Watson Ladd
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI David Holmes
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI - Traffic Analysis… Michael StJohns
- Re: [TLS] About encrypting SNI - Traffic Analysis… Nico Williams
- Re: [TLS] About encrypting SNI - Traffic Analysis… Stephen Farrell
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Rex
- Re: [TLS] About encrypting SNI Nikos Mavrogiannopoulos
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Thomson
- Re: [TLS] About encrypting SNI - Traffic Analysis… Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Fabrice
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Tim Bray
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Hoffman
- Re: [TLS] About encrypting SNI Viktor Dukhovni
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Yoav Nir