IETF Logo Mail Archive

Re: [TLS] About encrypting SNI

Erik Nygren <erik+ietf@nygren.org> Thu, 17 April 2014 23:05 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82C121A0235 for <tls@ietfa.amsl.com>; Thu, 17 Apr 2014 16:05:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fY3M2PPMG_x8 for <tls@ietfa.amsl.com>; Thu, 17 Apr 2014 16:05:39 -0700 (PDT)
Received: from mail-yh0-x22a.google.com (mail-yh0-x22a.google.com [IPv6:2607:f8b0:4002:c01::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 0FFB81A01DB for <tls@ietf.org>; Thu, 17 Apr 2014 16:05:38 -0700 (PDT)
Received: by mail-yh0-f42.google.com with SMTP id t59so967785yho.1 for <tls@ietf.org>; Thu, 17 Apr 2014 16:05:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=rFFDNfeksEUYwzG59UDY0KAPWJRtiAqBAYE6b3JKZHQ=; b=A6k8Z0lXkotzhDvSznL6los7FpfzfloYKlTLVeUkTAAdsocdUTghPRCesriI3T0iJ3 CGcaywhXfe2HFDR/z/PJtHVz4jwwUgK31iAJu9PgJYdOLTnKU5bCIfpsFAo/3wiYPRHZ maC1Fyq/StXwPXVd8F23mLemDTF0nvfQ3sg9SXRo1RSW0qkshkHOOs5jnnLTXyvUmsZn WDzgFdqu/QPQ6QcRrfmVJtcnNWuN/liLTp8hoHLEXyOkRos86ZaK6SDQeG9h+/4tuNrQ a7oTnD0R8PY2cJw9xQaRpdBPlO0uGiwN1Xszd3GSpteht8PmH7qmBeToSGkZjb2OMQf8 O2aA==
MIME-Version: 1.0
X-Received: by 10.236.30.230 with SMTP id k66mr26128942yha.57.1397775935250; Thu, 17 Apr 2014 16:05:35 -0700 (PDT)
Sender: nygren@gmail.com
Received: by 10.170.126.207 with HTTP; Thu, 17 Apr 2014 16:05:34 -0700 (PDT)
In-Reply-To: <CABkgnnWDrDKED43Enw3etidmbEUvk2dROf9-q__5T8j5sqN5Xg@mail.gmail.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED40@USMBX1.msg.corp.akamai.com> <534C3D5A.3020406@fifthhorseman.net> <474FAE5F-DE7D-4140-931E-409325168487@akamai.com> <D2CB0B72-A548-414C-A926-A9AA45B962DA@gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B490162@USMBX1.msg.corp.akamai.com> <CACsn0cmusUc3Rsb2Wof+dn0PEg3P0bPC3ZdJ75b9kkZ5LDGu_A@mail.gmail.com> <534DB18A.4060408@mit.edu> <CABcZeBOJ7k8Hb9QqCAxJ_uev9g_cb4j361dp7ANvnhOOKsT7NA@mail.gmail.com> <CA+cU71kFo6EihTVUrRRtBYEHbZwCa9nZo-awt4Sub2qXcKHC7g@mail.gmail.com> <m2k3apmjk2.fsf@usma1mc-0csx92.kendall.corp.akamai.com> <CALCETrU6zn52yX=Q-_h4epR6W9+f2oTr3yfyK1sxiwGa2dvWGw@mail.gmail.com> <CAKC-DJgNvF=hhwoyRNkJ3vKz9EZ_JpoM84bCip6eProLwsQsEg@mail.gmail.com> <CALCETrWY_-N+nM9N0_gbeffkX5Jo8vn7XKeFCezGiwq2A74Wjw@mail.gmail.com> <CAKC-DJg6kRLezM+Q60VLY=dBU9C_Q9hb_0u7WD-HHWVJ5Y6tRQ@mail.gmail.com> <CALCETrX7Dv9_+uM7VqotHGurS+k6K5wKzeXEj7zuekd8+0qOJQ@mail.gmail.com> <566E6D8E-ACD5-4B21-9586-84C149F6A1B9@akamai.com> <CALCETrUi+fc9LW1iqx0bFuAsgygmeorR9AnzLN+abGx08y152A@mail.gmail.com> <CAKC-DJgqxVsW1jhGvq=04025j_7RLh2m7-CdYRYkTdi0kCvKgQ@mail.gmail.com> <CABkgnnWDrDKED43Enw3etidmbEUvk2dROf9-q__5T8j5sqN5Xg@mail.gmail.com>
Date: Thu, 17 Apr 2014 19:05:34 -0400
X-Google-Sender-Auth: hURTU1_mdzT0vhcTZF75aQ84a9I
Message-ID: <CAKC-DJj1-TiU25UQ1Yisy5_xG6F0XMA32UwS-qRVUfqM4=8S5w@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="089e0163407418c28b04f745120d"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ktcSGSUCbsLOWGa5NB6yng1hWuY
Cc: "tls@ietf.org" <tls@ietf.org>, Andy Lutomirski <luto@amacapital.net>
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Apr 2014 23:05:43 -0000

On Thu, Apr 17, 2014 at 1:00 PM, Martin Thomson <martin.thomson@gmail.com>wrote:

> On 17 April 2014 08:05, Erik Nygren <erik+ietf@nygren.org> wrote:
> > 4) Send a long byte-string key label which allows the server to pack in
> > enough information to allow it to be time-variant (eg, a timestamp plus
> an
> > encrypted version of the timestamp and more detailed routing information)
>
> Isn't that what draft-ekr-tls-new-flows effectively proposes?
>

Exactly, hence my proposal to include that in a DNS Service Binding
record.
The concern raised was that this could be used by a passive attacker
to further identify the hostname the client was connecting to.
By preference would be to take this approach but provide some guidance
on a way to help raise the bar.  For example, constructing this label with
something like:

    { timestamp, label_key_vers , AES(label_key, timestamp ||
SNI_routing_identifier || handshake_keyversion ) }

would reduce some of these attacks over just having a static value in the
label (which might
degenerate down to something with a static 1:1 identifier with the SNI
which would some of the
point of encrypting the SNI in the first place).

          Erik

v2.23.0 | Report a Bug | By Email