Re: [TLS] draft-rescorla-tls13-new-flows-01 - Thoughts post-meeting

Eric Rescorla <ekr@rtfm.com> Mon, 17 March 2014 15:34 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5D621A0423 for <tls@ietfa.amsl.com>; Mon, 17 Mar 2014 08:34:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jMaxMb4aqav7 for <tls@ietfa.amsl.com>; Mon, 17 Mar 2014 08:33:59 -0700 (PDT)
Received: from mail-we0-f182.google.com (mail-we0-f182.google.com [74.125.82.182]) by ietfa.amsl.com (Postfix) with ESMTP id 0ED531A02FD for <tls@ietf.org>; Mon, 17 Mar 2014 08:33:58 -0700 (PDT)
Received: by mail-we0-f182.google.com with SMTP id p61so4760893wes.13 for <tls@ietf.org>; Mon, 17 Mar 2014 08:33:50 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=F7QdJdQhgvS9A8kCZTPOsQE9hwUor12GSgZ6YZ5AulU=; b=gDSMNB9vQ3O9GrKBTA5AUSTU2cIMXsegjAqEgnxpNwmRgr+61k/LyD9fPek9padr3Y uV37ugpOT2R5ci858xYeRAe23+pvBFhHiG9uicwCDH/xS6Qk/wzQggP30ix3zl8p3pcA 4hWnR4q5++quyo554lAp6qBeNYpqE3kr6B0cQSuHFa5CN1Np8IwUmui4FQk/Ic1rcgcp sOvkmwmQN0HJiziP69+i22l02n09r2oOzI4suz1w/vbBeQ6Ly/6YuEpQbh1rISJ413Ve EjqK0GQvIzlT+H+Kgl5L8Oc1LcNT8hoMvLuPg3se/Nfuh3AZcESy5nmV4aBd2D2E8OLp iyWg==
X-Gm-Message-State: ALoCoQlnF52EWAY1ZgNyoudoA3HntTl9ESt7ODMHSAFPDetR+D1fM2L2ETh8zpWJZV5cMOqARDdd
X-Received: by 10.180.164.174 with SMTP id yr14mr10091909wib.18.1395070430634; Mon, 17 Mar 2014 08:33:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.218.198 with HTTP; Mon, 17 Mar 2014 08:33:10 -0700 (PDT)
X-Originating-IP: [74.95.2.168]
In-Reply-To: <53271007.8050902@nthpermutation.com>
References: <5325DDA0.9030006@nthpermutation.com> <CACsn0cmLJJGw5cKmbnUT9tftEd0tn4cJQcf1WN7VQQc1GeO-aA@mail.gmail.com> <53260C51.10407@nthpermutation.com> <CACsn0cnKFQdiq8kx3w4SViN20-9UTxA_1riq-A5XJyaqLUQuFA@mail.gmail.com> <53271007.8050902@nthpermutation.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 17 Mar 2014 08:33:10 -0700
Message-ID: <CABcZeBNPqrt4garvk=UmgMgEtQQS4ENY2Vk+OyCmMYCJsW4Fxw@mail.gmail.com>
To: Michael StJohns <msj@nthpermutation.com>
Content-Type: multipart/alternative; boundary="00248c0d791474816104f4cf2548"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/hAMzztETMS0JmdyHIRmZi7K6Hm0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-rescorla-tls13-new-flows-01 - Thoughts post-meeting
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Mar 2014 15:34:02 -0000

On Mon, Mar 17, 2014 at 8:08 AM, Michael StJohns <msj@nthpermutation.com>wrote:

> On 3/17/2014 12:23 AM, Watson Ladd wrote:
>
>> Dear Mr. StJohns,
>>
>> Suppose you work at the Chinese Ministry of Truth, in the department
>> of web truthmaking, domain forgetting division.
>>
>> Right now, if you want to ensure HTTP content is in conformance with
>> the truth you simply scan for the Host header and check against a
>> list.
>>
>> For HTTPS life could get nasty. But luckily we decided to put SNI
>> information on the outside, so you can see if that connection needs to
>> go down the memory hole.
>>
>
> Or the CMT just blocks all access to the device because its a known SNI
> encryption box.    If you get to assign super powers to an entity to make
> your point, then so do I.
>
>
>
>> Now you hear about this TLS 1.3 coming along, and how it obfuscates
>> SNI. So you present the following design to your boss:
>> 1: Each device on the filtering maintains a global IP->[Hosts] mapping.
>> 2: When an obfuscated SNI comes along, you check against all hosts in
>> the mapping
>> 3: If it is marked as untruthful block
>> 4: If unknown, transmit it to a dedicated cracking machine.
>>
>> Within a week the cracking machine is likely to figure out what the
>> hostname is, at which point it can be added to the list. If the agents
>> watching the spreading of untruth see a domain, we can just add it.
>> The computational cost will never exceed that of the hosting device.
>>
>> Your proposal doesn't stop censorship or even make it more expensive.
>> It doesn't hide visits to websites effectively if the attacker is
>> interested in checking against a big list. It doesn't accomplish any
>> of the goals we need it to.
>>
>
> And unfortunately, I don't think EKRs proposal does it either.
>
> There are a few things you need to do symmetric encryption - a mutual key
> and an agreed upon cipher suite.  EKR proposes retaining the keys and suite
> from a previous connection and using them to encrypt the negotiation for
> the next connection.  To do this, both client and server cache the previous
> keys.   If you have no previous connection, or you or the server have timed
> out the cached keys, EKR has you fall back to doing an unencrypted
> negotiation followed by an encrypted negotiation.  Unfortunately, as I
> understand how this works, the SNI needs to be in the first negotiation so
> that the director can steer the packets to the appropriate server.
>

Just for clarity, this is not quite what I was proposing. Rather, I was
proposing that if the cached keys expired, you did an anonymous
DH exchange, so you get protection for the target server against
passive attack but not active attack. I agree that you can mount
an active attack as suggested below, though it cannot be done
totally transparently.


This gets worse when the virtual server director isn't actually on the same
> server as the actual server, as the director will need copies of the keys
> in the same timely fashion as the servers.  And that makes the director a
> big juicy target.  (Seriously a single box with all the session keys for
> 1000s of sessions with 100s of servers? Let me at it)


Note that this situation is a fairly standard configuration for SSL
acceleration
devices in any case. What's different here is primarily that the load
balancer
is not generally required to be trusted.




>  The threat could be partly mitigated by deriving a separate set of keys
> for "next session encryption negotiation", but that would change the
> current key expansion stages a bit.  And still begs the question of how
> keys get from the virtual server to the director so this can be done.
>
> Another approach might be for the client (only) to retain the public key
> of the specific destination server, or a special use public key handed to
> the client by the server as part of another negotiation (and which related
> private key is shared with the director - said key being very long lived).
>  Use that to encrypt the SNI (either RSA encryption, or something like
> ECIES for elliptic curve).     And even use that as the encryption over the
> negotiation.


Without digging too much into the details just yet, it seems to me
that the key element if you want to have protection against active
attack is that the client must be able to directly verify that a given
key is owned by the server in a way that cannot be substituted by
the attacker. The challenge, of course, is that the information
that the server uses to authenticate that key inherently reveals
the server's identity. I see two basic options [0]:

- Have the client acquire the server's key over some untrusted channel
and accept that it can be monitored the first time.

- Have the server provide a large set of keys (like all the ones that
it supports) to the client and then the client can choose one.

Note that in either case, this represents a commitment by the server to
use that key through it's expiry window. i.e., it's hard state rather
than soft state, which people have been so far reluctant to do with
HPKP. Both of these have obvious drawbacks, so it's a
compromise.

-Ekr

[0] I'm assuming we restrict ourselves entirely to the TLS channel.
If we are willing to have data in, for instance, the DNS, there are other
options for disseminating the initial key data.