Re: [TLS] ESNI robustness and GREASE PRs - client tracking concerns?
David Fifield <david@bamsoftware.com> Tue, 18 December 2018 04:45 UTC
Return-Path: <david@bamsoftware.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68C6913107F for <tls@ietfa.amsl.com>; Mon, 17 Dec 2018 20:45:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bamsoftware.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CPStS1Ygbixx for <tls@ietfa.amsl.com>; Mon, 17 Dec 2018 20:45:07 -0800 (PST)
Received: from melchior.bamsoftware.com (melchior.bamsoftware.com [69.164.193.231]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF59513107B for <tls@ietf.org>; Mon, 17 Dec 2018 20:45:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bamsoftware.com; s=mail; h=In-Reply-To:Content-Type:MIME-Version:References :Message-ID:Subject:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding :Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=cZAHP3fkJSp2ZwzjwEYrO3YE3PcKmhHj6KV6yTQh72w=; b=otBeF4DG8m57/1IR9eGL8uc5K8 TVhV/xzDQIJP4VmuQsSVFvN72I0M33WYmF0Ft644EBfGFaU98MeDIeLTnJTr/ZclAZR4EAQrPGi2+ SHuRZbzDzGDuFyegieq3h7XnfLlvVE0Sx0xIRxTc2QMTu8JEbXRdZTQMn+SFDPFfrAGE=;
Date: Mon, 17 Dec 2018 21:42:51 -0700
From: David Fifield <david@bamsoftware.com>
To: tls@ietf.org
Message-ID: <20181218044251.bk7em26vvvcamq24@bamsoftware.com>
References: <CAF8qwaAh-eCLOR3YX3KoVWPe8=uquO+9wwbiSYpOyxvizBSeEg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAF8qwaAh-eCLOR3YX3KoVWPe8=uquO+9wwbiSYpOyxvizBSeEg@mail.gmail.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gUy8kzxeEC5lpKMZnzzQdPyR03Q>
Subject: Re: [TLS] ESNI robustness and GREASE PRs - client tracking concerns?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 04:45:10 -0000
On Mon, Dec 17, 2018 at 05:17:37PM -0600, David Benjamin wrote: > We[*] wrote up some proposed changes for draft-ietf-tls-esni that we'd like the > group's thoughts on. The goal is to make ESNI more robust and eliminate a bunch > of deployment risks. The PRs are linked below: > > https://github.com/tlswg/draft-ietf-tls-esni/pull/124 Under this design, the ESNIKeys structure in DNS gains a public_name field, which is the name against which the client is supposed to verify handshake, in the event that the server cannot descript the ESNI and returns a esni_retry_request response. The esni_retry_request structure contains alternative ESNIKeys for the client to use in its next connection attempt. I started to think: what if the alternative ESNIKeys were a standard TLS extension on their own? The server could tell the client, on each connection, what ESNIKeys to use for its next connection. The client would not have to consult the DNS for ESNIKeys for any connection but the first, as long as the connections were frequent enough that the ESNIKeys didn't expire. But then I reflected: this would enable precise tracking of clients. The server could give different keys to every client--effectively a cookie--and thereby link past and future connections. I think similar tracking concerns apply to the public_name design. A TLS server could publish one global ESNIKeys in DNS. This one, because it is used by all clients, would not help tracking (within the anonymity set of ESNI-using clients). But the server could, whenever it receives an encrypted_server_name extension encrypted with the global ESNIKeys, pretend that it is unable to decrypt and reply with esni_retry_request and a unique "cookie" ESNIKeys, which that client, and no other, would use for future connections. A unique ESNIKeys per client may not be feasible, if the server has to do trial decryption using the private component of all the ESNIKeys cookies it has handed out. There may be a more clever way to do it than trial description. But anyway a server could define some budget, say, 256 trial decryptions per connection, and instead of a unique ESNIKeys per client, choose one randomly from a pool of 256. Clients would then be partitioned into 256 buckets for the lifetime of the ESNIKeys--which other tracking technique could of course refine further. I suppose something like this is possible even in the current draft as written, if the TLS server and DNS server collude. The DNS server could give different ESNIKeys to different clients, enabling not only the linking of a DNS request and TLS connection, but the linking of several TLS connections together.
- [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs Stephen Farrell
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Fifield
- Re: [TLS] ESNI robustness and GREASE PRs Kazuho Oku
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Fifield
- Re: [TLS] ESNI robustness and GREASE PRs - client… Viktor Dukhovni
- Re: [TLS] ESNI robustness and GREASE PRs Ilari Liusvaara
- Re: [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs Ilari Liusvaara
- Re: [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs - client… Ilari Liusvaara