IETF Logo Mail Archive

Re: [TLS] ECH/ESNI - is accept confirmation calculation brittle in the face of errors?

Christian Huitema <huitema@huitema.net> Fri, 19 March 2021 23:59 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24F8E3A1472 for <tls@ietfa.amsl.com>; Fri, 19 Mar 2021 16:59:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Level:
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A-ASsqbUVp9G for <tls@ietfa.amsl.com>; Fri, 19 Mar 2021 16:59:54 -0700 (PDT)
Received: from mx36-out21.antispamcloud.com (mx36-out21.antispamcloud.com [209.126.121.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01FB63A147E for <tls@ietf.org>; Fri, 19 Mar 2021 16:59:51 -0700 (PDT)
Received: from xse452.mail2web.com ([66.113.197.198] helo=xse.mail2web.com) by mx134.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1lNP1s-000ElL-Cs for tls@ietf.org; Sat, 20 Mar 2021 00:59:47 +0100
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 4F2LV40BRSzx2t for <tls@ietf.org>; Fri, 19 Mar 2021 16:59:40 -0700 (PDT)
Received: from [10.5.2.14] (helo=xmail04.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1lNP1n-0003H0-SB for tls@ietf.org; Fri, 19 Mar 2021 16:59:39 -0700
Received: (qmail 10507 invoked from network); 19 Mar 2021 23:59:39 -0000
Received: from unknown (HELO [192.168.1.104]) (Authenticated-user:_huitema@huitema.net@[172.58.43.146]) (envelope-sender <huitema@huitema.net>) by xmail04.myhosting.com (qmail-ldap-1.03) with ESMTPA for <tls@ietf.org>; 19 Mar 2021 23:59:39 -0000
To: David Benjamin <davidben@chromium.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
References: <6f6918e1-5aae-1d3c-7fd5-2a17cda2e1bd@cs.tcd.ie> <CAF8qwaACwudz3=LYBxGEuwdx-nJaHc9gQELJEK18TF1YQyU+EQ@mail.gmail.com> <CAG2Zi21Ab+899e-URDe3ePDsUCaRVbXb+090=PkdR4dz0ZfToA@mail.gmail.com> <734bb026-d438-9a96-4008-da6c681c439c@huitema.net> <17ac7ac3-a8ff-bb9e-4746-01caec8e49f1@cs.tcd.ie> <5afbdacb-e137-d036-bbdf-cfa021498861@huitema.net> <CAF8qwaAwHaWAvBFzaZ-sTx6LqP-mRbvw6nP=gjb1wGWk1Sy_ug@mail.gmail.com> <19e3cdaf-451c-e03a-6d4e-a8dd46d4e8b5@cs.tcd.ie> <CAF8qwaAcv=KbNJ-W6QY_w756HApE7ehjc1bFx21gMNrchqkZBg@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <1e710a50-e403-b1f5-e258-6fce9d72d6e7@huitema.net>
Date: Fri, 19 Mar 2021 16:59:38 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1
MIME-Version: 1.0
In-Reply-To: <CAF8qwaAcv=KbNJ-W6QY_w756HApE7ehjc1bFx21gMNrchqkZBg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------DB696AC1B655A984E4F3AFE7"
Content-Language: en-US
X-Originating-IP: 66.113.197.198
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9WLQux0N3HQm8ltz8rnu+BPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5y+TdELUc3IPXxOn6N6uGoCj3CSdYahsEhiizd3WfZtES9c Gc+Vajsww859JYT+DyPlYLLlWSy3OGfGBNeqx2anHyJxjDLo4/ugN15VVJm4KWrxEaaKeSxe0Wrx 6M4G5/Wm4Zd53xWOh54QqC5fJ2uRceS6rgJD4/uhubykQ1dWvFxh7hoyMoWHMkqYfQEaAmuJy6X4 RHGTlC379JhcfPNRpbt3W3gfNnuKkqGP09ZKLP25Cgscc2Nqd9azmDa4ZbYxn04qRLKGrOrEzQDq o2Fe5e0H1p2YD3fIDgqE3F/hSENKwnAR2oVisY+bnEqWCKi5klmK1va3wJScg92pg//jdNpXP/ul EV6DIUDLc0Yd6iTlYE+Zcn8p1rPpG64P1y7nVrUQfxkYoV3jt7fqlPgR0kaOEXLuWd+6zLg4wp8u X1nsyWu8Q0HDoORE+fy5gr3LgKffTIgl7nuGO/IJU1342OUMeHyTpNN0eXybX/w7/4a+Zyc1sUYl ckMDbruAhxfaTSRjFdfhbaOt3LLrhebQRRLiMmFEwVhLkOBp+oUwSrnT2IsUWa6iXT29KHi5L7na JewO6Fr9DdQzani5nA42EnFzsC48bTEFY06/YbB87Ww8G0LoS8V3Mt1pta8qAcLtCB3G1CwpaI3Z 4ESkMWDVJEenxBoIht3V0nekAoxXAixTYSU7bOY3VNMQgkFetgWyuLfHqAnAj7rgKH7+eCmmbUBg TOA7yorOs4QDhL1161ShcA6Xvva2QAVEjpqzANbJ1UfXmet2cbFKoyT/OdZLqp4uguTKrw9OnXp5 OkTiG20AuXq0T17woJo3avKeADIsy647Mn0zwmGzAi3Zn+YdthRNgs7Ig4l/XErpYn3glZTKFuaT l19W3ISq9+1KiLsESGU+y+fjdgjudZxiTPi+MG1QP35nsYfP84c+RFK3KiZuZ5OAUoGBziSYFLZu u6zX3xxsmqT8l9ARlsTalAaf
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kzPbtWMXejRoylqGmhYpNCYIlQY>
Subject: Re: [TLS] ECH/ESNI - is accept confirmation calculation brittle in the face of errors?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Mar 2021 23:59:56 -0000

On 3/19/2021 2:58 PM, David Benjamin wrote:
> On Thu, Mar 18, 2021 at 4:07 PM Stephen Farrell<stephen.farrell@cs.tcd.ie>
> wrote:
>
>> Hiya,
>>
>> On 18/03/2021 19:17, David Benjamin wrote:
>>> I don't think I'd agree that*most*  of the work is in the secret
>>   > computation per se. Actually doing trial decryption with
>>   > the secret requires reaching down into the record layer.
>>   > This is especially onerous for QUIC, where the record layer
>>   > is offloaded to another protocol (often outside the TLS
>>   > library).
>>
>> Ah, fair point - I've not looked at QUIC at all. But how
>> are encrypted extensions and tickets handled in such cases?
>> If those are handled in the original library then a trial
>> decryption should be possible too maybe?
>>
> QUIC replaces the record layer and keeps the TLS handshake. So as the TLS
> handshake progresses, it hands keys (handshake traffic keys, etc.), to
> QUIC to install. When TLS needs to write an EncryptedExtensions or so, it
> hands QUIC cleartext to encrypt. When QUIC decrypts a record and sees a
> CRYPTO frame, it hands the results to TLS to process as handshake messages.
> The draft is here:
> https://datatracker.ietf.org/doc/draft-ietf-quic-tls/
>
> In all the stacks I'm aware of, there are QUIC-specific APIs to install a
> custom record layer of sorts. And thus the nuisance with trial decryption
> and friends. Every new feature we push down to the record layer changes
> that record layer interface. This means more coordination between QUIC and
> TLS. Something like trial decryption would require TLS hand QUIC both sets
> of handshake keys. Then QUIC would need to do the trial decryption and
> report back to TLS which set of keys won.
>
> (If you're working on an OpenSSL ECH implementation, you probably won't see
> this because OpenSSL doesn't have APIs for QUIC yet.)

That, or try race two connection contexts corresponding to the two 
trials, and keep the first that succeeds. Which would indeed require TLS 
to tell QUIC that "the key might be K1 or K2". That's also very 
complicated. For the QUIC client, the current text is much better.

Let's come back to the original discussion. If I look back at the 
discussion of issue 274 
(https://github.com/tlswg/draft-ietf-tls-esni/issues/274), we ended up 
at some point with a set of alternatives, including these two:

     * accept_confirmation = PRF(ClientHelloInner.random, 
ServerHello.random[0:24])
     * accept_confirmation = PRF(ClientHelloInner.random, 
ServerHello.KeyShare)

The issue was closed by PR #287 
(https://github.com/tlswg/draft-ietf-tls-esni/pull/287/files) which 
selected the first of these two options. But this was later updated by 
PR #353 (https://github.com/tlswg/draft-ietf-tls-esni/pull/353), which 
changed that to the second option, the one including the server key 
share. The correction allows mitigating an attack in which the 
interceptor copies the server hello but substitutes its own key share, 
and thus can test whether ECH was used.

Look at the comment, "This change is definitely more invasive than the 
existing signal, but not all that hard to implement. (E.g., 
cloudflare/go#38 <https://github.com/cloudflare/go/pull/38>.)" later in 
the thread.

We do have new information that this is somewhat costly to implement 
because it requires computing two handshake secrets on the client. On 
the other hand, it seems that the cost is only there if the client 
starts by testing the wrong hypothesis. If the client is fairly certain 
that the server supports ECH, the CPU overhead ought to be minimal -- 
cases in which the client is using the wrong ECH key, or when an 
interceptor interfered with the exchange.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email