IETF Logo Mail Archive

Re: [TLS] ESNI PRs #124 and #125: Improving ESNI Robustness and GREASE

David Benjamin <davidben@chromium.org> Thu, 14 February 2019 20:40 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7F061311A8 for <tls@ietfa.amsl.com>; Thu, 14 Feb 2019 12:40:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.499
X-Spam-Level:
X-Spam-Status: No, score=-9.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yl6NNzSoTuGX for <tls@ietfa.amsl.com>; Thu, 14 Feb 2019 12:40:37 -0800 (PST)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F3271311BF for <tls@ietf.org>; Thu, 14 Feb 2019 12:40:37 -0800 (PST)
Received: by mail-qt1-x82c.google.com with SMTP id p48so8501424qtk.2 for <tls@ietf.org>; Thu, 14 Feb 2019 12:40:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zv5FOSXIr/5qJG+z85rcm+jzpu+60TLP0taG6r9NKzs=; b=g3cKUZxaM4KeBbfzt4yEwbXHmI/4LLsgM6S3hSKetLYGayjfSPkJkWoS3CO2AHsXqc Lzp6jSBwFrB2tK/ijkL+hPjc2N8x9pJGXmY1BDHKVgPRVOOClmEAk9CxlqYF58B6Hv3Z rWfoipuwWkYtPMaHqAniEZy7W9IgQ/l3h04as=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zv5FOSXIr/5qJG+z85rcm+jzpu+60TLP0taG6r9NKzs=; b=FJAKGc/uzTV2bKT4+ryA+Ha2oNwDW7995cjp/WgXTuLZVaBWTUp1tU9LB1WgiavMbg DwD6I99SB0wTnI3DAFGXvOigFXayn9NgmYlZKRLcLQRKqAarqQ8fgjU7kp/ScaGDati5 vVhqhyxZpuJnW+BpkCjFantMIYgFuXqHrVDA2vj2kpFKVl9BkJA8mNd8ycBDTuxGj6Fp Y7QYcfSRk47eQ1xTSqj1Y5Vvh9SFWixz7FHb04LhL1NEzSpQgKXXtn2wLHf9Jc4sbAqs iwcTbYIkV3gqNI/21JfLKi5w8Nr1/NvjeC+DRZIMNgTxqIDaiu77ZuT9ykQu3nwE0d7X mMDQ==
X-Gm-Message-State: AHQUAuZn75nmMm/Az3OFjdXYZgDCYOlZvXU5RQrfa3QH2ajJvtD6Hilb 7EDJwGB90R3gZrHs/rLpjYqRwObgiNaOqAC3oYEu
X-Google-Smtp-Source: AHgI3IaLtcXKNj7pWN1JD6+SZRtvPegXtA8jWuWC8oTHL5jHK72Nq1dHjIfy44Gutqd5SJ1HmnYygMCA+5rhdnC360g=
X-Received: by 2002:a0c:c584:: with SMTP id a4mr4480791qvj.227.1550176836428; Thu, 14 Feb 2019 12:40:36 -0800 (PST)
MIME-Version: 1.0
References: <714E43FA-3660-485A-8E50-04EE43F8DA2E@gmail.com> <168e9a61d1e.cce5c9ea206228.28832954982140191@nerd.ninja> <CAF8qwaD1qSZWs-14WF3sYo1cKK4jjSoce3JaQzfj7HqmWOTKjA@mail.gmail.com> <168ed8bb0f5.1026877c920218.3245439195642672251@nerd.ninja> <CAF8qwaBdQeZS=bmFC955XzrVyNubB7h0WPiAQp0eZnf__Xov3Q@mail.gmail.com> <168edaf3233.104d73d5e24703.2816492539373755558@nerd.ninja>
In-Reply-To: <168edaf3233.104d73d5e24703.2816492539373755558@nerd.ninja>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 14 Feb 2019 14:40:25 -0600
Message-ID: <CAF8qwaDtvv60HXS9y0-RNq--v2SS_CNsNZasYtr1PxcRkC-u7Q@mail.gmail.com>
To: Roelof DuToit <r@nerd.ninja>
Cc: Christopher Wood <christopherwood07@gmail.com>, TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ad181f0581e0ab60"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/j9vaNOZKzgdvraihetiznxph-ZQ>
Subject: Re: [TLS] ESNI PRs #124 and #125: Improving ESNI Robustness and GREASE
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 20:40:46 -0000

On Thu, Feb 14, 2019 at 2:25 PM Roelof DuToit <r@nerd.ninja> wrote:

> ---- On Thu, 14 Feb 2019 15:13:11 -0500 *David Benjamin
> <davidben@chromium.org <davidben@chromium.org>>* wrote ----
>
> On Thu, Feb 14, 2019 at 1:46 PM Roelof DuToit <r@nerd.ninja> wrote:
>
>> ---- On Thu, 14 Feb 2019 13:00:16 -0500 *David Benjamin
>> <davidben@chromium.org <davidben@chromium.org>>* wrote ----
>>
>> On Wed, Feb 13, 2019 at 7:37 PM Roelof DuToit <r@nerd.ninja> wrote:
>>
>>>
>>> Questions for PR [1]:
>>>
>>> * Regarding this text:
>>> The client MUST NOT use the server-provided retry keys until the
>>> handshake completes successfully. On success, it MUST NOT overwrite the
>>> DNS-provided keys with the retry keys. It MUST use the retry keys at most
>>> once and continue offering DNS-provided keys for subsequent connections.
>>> This avoids introducing a tracking vector, should a malicious server
>>> present client-specific retry keys.
>>>
>>> .. specifically this part: ".. use the retry keys at most once".
>>> Q1: Are you saying the client should persistently remember which
>>> public_name values triggered retry keys?  For how long?
>>>
>>
>> No, exactly the opposite. You use the retry key for just the retry and
>> then forget about it.
>> https://mailarchive.ietf.org/arch/msg/tls/xBEHe1_CcYEYinZQHxWGq8vjA0Q
>>
>>
>>
>> I understood that part.   Let my clarify my question with an example:
>>
>> A1. Client uses DNS-provided keys, and server returns retry keys
>> A2. Client uses retry keys, and everything works..
>> A3. Client restarts
>> A4. Client uses DNS-provided keys, and server returns the same retry keys
>> as in A1
>> A5. Client violates spec by using those retry keys for a second time?
>>
>> And what about this example:
>>
>> B1. Client uses DNS-provided keys, and server returns retry keys
>> B2. Client uses retry keys, and everything works..
>> B3. Client uses DNS-provided keys, and server returns retry keys
>> B4. Client violates spec by using those retry keys for a second time?
>>
>
> Oh, I see. Yeah, that's just a mistake in the text. A5 and B4 aren't meant
> to be violations, since the client saw the retry keys again. I'll wordsmith
> that too in the next iteration.
>
>
> Could a MITM (the kind that can finish the handshake) set
> esni_retry_request every time it sees an unknown record_digest in the ESNI
> extension, and essentially use the retry mechanism to subvert the intent of
> ESNI?
>

It would need to be able to authenticate as the public name for the client
to pay any attention to this. The public name is the name of the entity
trusted to update the ESNI keys. (Presumably the name of the hosting
provider or so.)

The point is to give a secure retry signal, in hopes of getting both
deployability and security.

David

v2.23.0 | Report a Bug | By Email