[TLS] SNI and DNS Resolver Privacy

Phillip Hallam-Baker <hallam@gmail.com> Wed, 14 May 2014 14:32 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 38C5D1A00B8 for <tls@ietfa.amsl.com>; Wed, 14 May 2014 07:32:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id zZzmnmNYZkX5 for <tls@ietfa.amsl.com>; Wed, 14 May 2014 07:32:29 -0700 (PDT)
Received: from mail-wi0-x233.google.com (mail-wi0-x233.google.com [IPv6:2a00:1450:400c:c05::233]) by ietfa.amsl.com (Postfix) with ESMTP id 2D18E1A02B4 for <tls@ietf.org>; Wed, 14 May 2014 07:32:26 -0700 (PDT)
Received: by mail-wi0-f179.google.com with SMTP id bs8so2511755wib.0 for <tls@ietf.org>; Wed, 14 May 2014 07:32:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=oCsBA7kqUvsrbG9vPajByG99jztd5Eo18JliXTmEGJM=; b=G+hgwTAmk2IK3Aex9a2q+SCaZFi7YItOB30VwMNr/fmVQneS6ktT1AKNbqhaxGGHGP RUD1k/F0IZpZOz7ptAbiLtZypY7GvlK3hIsmh+meTwStBHPo+YYfi1YEzF4aZDjd0xos dH0k6AU/cSIGeCFfkFOsa5qnwyLcew4fNOInoBcD9WfrLctSc9M2UPlx5IxJkAVaKfwp MV2D0+5ibieoa+4YK6A5cCFzgKzowYVDdfv3pRqAntlsZNc0aoYIcrrce9W3TTgZiIEH eaf4or+RKax3nLAyQZuml6fXtrM63Xzjg4uhZQ0oTvCrlTEAsVunf2GRZNvPYVbdQ4aX 8nrQ==
MIME-Version: 1.0
X-Received: by with SMTP id hn18mr3842335wib.34.1400077938956; Wed, 14 May 2014 07:32:18 -0700 (PDT)
Received: by with HTTP; Wed, 14 May 2014 07:32:18 -0700 (PDT)
Date: Wed, 14 May 2014 10:32:18 -0400
Message-ID: <CAMm+LwjymUOEFdE47kdi810yLPitTMZamj0NCzUcg-XdBc2RSg@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/mEILB9P17PRrsYhmiGL1Iv3me5Q
Subject: [TLS] SNI and DNS Resolver Privacy
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 May 2014 14:32:36 -0000

We have lots of talk about TLS and DNS leaking privacy sensitive information.

These are obviously linked in that there is little point in protecting
DNS if the subsequent conversation to the endpoint is en-clair. And
SNI leakage is likely to undo any DNS security scheme.

I have a mechanism that can protect SNI but it is predicated on a DNS
privacy solution. So we solve that first and then use the solution to
attack the SNI issue.

In my approach to DNS privacy I am most concerned about the
client-resolver link. My approach can be applied in the
resolver-authoritative link but it needs to compliment other
approaches such as label minimization etc.

Premise 1: The DNS resolver is a trusted service. At minimum the
service is trusted to protect the confidentiality of the queries it
makes. In most cases the resolver is also trusted to return data to
the client if it exists (and this is desirable). The degree of trust
may be higher, especially if the DNS resolver is being run by the
party relying on it.

Premise 2: Since SNI privacy is essentially an extension of the DNS
privacy concerns it is logical that a service trustworthy for one is
trustworthy for the other.

Conclusion: A DNS resolver is an appropriate entity to broker
credentials to encrypt the TLS handshake including SNI.

My Private DNS approach is built on two main building blocks. The
first is a key exchange service. This is currently built on top of TLS


The connection protocol itself isn't very important here. The
important part is the output of this exchange is:

* A shared secret
* A set of cryptographic parameters
* An opaque secret identifier which may contain the above information
plus encrypted account information to allow a kerberos-style stateless
server to use the token for encryption.

Once we have such a token, Private-DNS is straightforward. The whole
draft is only 15 pages, most of which are examples:


Now let us consider the TLS case and let us further consider a
situation in which the Authoritative DNS server for the TLS server
supports the Private DNS protocol and the resolver has established a
ticket with that server.

In this situation we have all the ingredients to deploy a full
Kerberos-style solution. We might want to introduce a
ticket-granting-ticket type concept but even that isn't essential
unless traffic analysis is a big concern.

At this point we can use the Kerberos* trust framework established in
the tickets for a variety of purposes:

1) Encrypt the TLS handshake

2) Pre-empt some or all of the handshake.

3) Skip TLS entirely and just encrypt and authenticate the transport
under the ticket mediated key. Call this protocol UYFM (its probably
not the acronym you are thinking of)

Note 1: Although we are encrypting the session, the trust context is
not end-to end. There are four parties that know secrets that are
sufficient to decrypt or spoof the traffic.

So this would not be an alternative to TLS for online commerce or
banking and it would be a lousy approach to password security. This is
not going to be as robust as TLS. It is however going to be vastly
superior to raw IP.

This approach would be a very good one for an objective of eliminating
plaintext traffic. So it would be good for the SNI and handshake part
of TLS.

Note 2: To apply the protocol in practice we would need to have a
management protocol that allows the TLS server and DNS server to
communicate. But this is a critical need in any case.

Note 3: To enable the introduction of the protocol we would need to
either publish the necessary data in the DNS or jack up the level of
abstraction a notch as I propose in Omnibroker.

* We can use Kerberos tickets but it is not necessary for any party to
know the internal structure of a ticket other than the party who
created the ticket except in the case of ticket granting tickets.

Website: http://hallambaker.com/