IETF Logo Mail Archive

Re: [TLS] ESNI robustness and GREASE PRs - client tracking concerns?

David Fifield <david@bamsoftware.com> Tue, 18 December 2018 04:45 UTC

Return-Path: <david@bamsoftware.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68C6913107F for <tls@ietfa.amsl.com>; Mon, 17 Dec 2018 20:45:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bamsoftware.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CPStS1Ygbixx for <tls@ietfa.amsl.com>; Mon, 17 Dec 2018 20:45:07 -0800 (PST)
Received: from melchior.bamsoftware.com (melchior.bamsoftware.com [69.164.193.231]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF59513107B for <tls@ietf.org>; Mon, 17 Dec 2018 20:45:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bamsoftware.com; s=mail; h=In-Reply-To:Content-Type:MIME-Version:References :Message-ID:Subject:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding :Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=cZAHP3fkJSp2ZwzjwEYrO3YE3PcKmhHj6KV6yTQh72w=; b=otBeF4DG8m57/1IR9eGL8uc5K8 TVhV/xzDQIJP4VmuQsSVFvN72I0M33WYmF0Ft644EBfGFaU98MeDIeLTnJTr/ZclAZR4EAQrPGi2+ SHuRZbzDzGDuFyegieq3h7XnfLlvVE0Sx0xIRxTc2QMTu8JEbXRdZTQMn+SFDPFfrAGE=;
Date: Mon, 17 Dec 2018 21:42:51 -0700
From: David Fifield <david@bamsoftware.com>
To: tls@ietf.org
Message-ID: <20181218044251.bk7em26vvvcamq24@bamsoftware.com>
References: <CAF8qwaAh-eCLOR3YX3KoVWPe8=uquO+9wwbiSYpOyxvizBSeEg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAF8qwaAh-eCLOR3YX3KoVWPe8=uquO+9wwbiSYpOyxvizBSeEg@mail.gmail.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gUy8kzxeEC5lpKMZnzzQdPyR03Q>
Subject: Re: [TLS] ESNI robustness and GREASE PRs - client tracking concerns?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 04:45:10 -0000

On Mon, Dec 17, 2018 at 05:17:37PM -0600, David Benjamin wrote:
> We[*] wrote up some proposed changes for draft-ietf-tls-esni that we'd like the
> group's thoughts on. The goal is to make ESNI more robust and eliminate a bunch
> of deployment risks. The PRs are linked below:
> 
> https://github.com/tlswg/draft-ietf-tls-esni/pull/124

Under this design, the ESNIKeys structure in DNS gains a public_name
field, which is the name against which the client is supposed to verify
handshake, in the event that the server cannot descript the ESNI and
returns a esni_retry_request response. The esni_retry_request structure
contains alternative ESNIKeys for the client to use in its next
connection attempt.

I started to think: what if the alternative ESNIKeys were a standard TLS
extension on their own? The server could tell the client, on each
connection, what ESNIKeys to use for its next connection. The client
would not have to consult the DNS for ESNIKeys for any connection but
the first, as long as the connections were frequent enough that the
ESNIKeys didn't expire.

But then I reflected: this would enable precise tracking of clients. The
server could give different keys to every client--effectively a
cookie--and thereby link past and future connections.

I think similar tracking concerns apply to the public_name design. A TLS
server could publish one global ESNIKeys in DNS. This one, because it is
used by all clients, would not help tracking (within the anonymity set
of ESNI-using clients). But the server could, whenever it receives an
encrypted_server_name extension encrypted with the global ESNIKeys,
pretend that it is unable to decrypt and reply with esni_retry_request
and a unique "cookie" ESNIKeys, which that client, and no other, would
use for future connections.

A unique ESNIKeys per client may not be feasible, if the server has to
do trial decryption using the private component of all the ESNIKeys
cookies it has handed out. There may be a more clever way to do it than
trial description. But anyway a server could define some budget, say,
256 trial decryptions per connection, and instead of a unique ESNIKeys
per client, choose one randomly from a pool of 256. Clients would then
be partitioned into 256 buckets for the lifetime of the ESNIKeys--which
other tracking technique could of course refine further.

I suppose something like this is possible even in the current draft as
written, if the TLS server and DNS server collude. The DNS server could
give different ESNIKeys to different clients, enabling not only the
linking of a DNS request and TLS connection, but the linking of several
TLS connections together.

v2.23.0 | Report a Bug | By Email