IETF Logo Mail Archive

Re: [TLS] TLS ECH, how much can the hint stick out?

Christopher Patton <cpatton@cloudflare.com> Tue, 08 September 2020 18:58 UTC

Return-Path: <cpatton@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8BA23A0DEB for <tls@ietfa.amsl.com>; Tue, 8 Sep 2020 11:58:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C2J93cZXpDR9 for <tls@ietfa.amsl.com>; Tue, 8 Sep 2020 11:58:10 -0700 (PDT)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E10AA3A0DFB for <tls@ietf.org>; Tue, 8 Sep 2020 11:58:09 -0700 (PDT)
Received: by mail-qt1-x82b.google.com with SMTP id c18so26071qtw.5 for <tls@ietf.org>; Tue, 08 Sep 2020 11:58:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JAYz6SFj2tvQAUNW6AOLdr6M318nZAqOn5S7KAAwSGQ=; b=tovAYSP/KJCIdUntwmItivzT9LIFe1BaGk8wFrcCfl0EPQPTvpgtYDthccnZ+7VB3N 4V7dEiDUq1R1gxWGzcvqTncS9f2DBJN1ABvT/lChx7hf5DFWCFDkllJ+EpOtL0D+A2Go 6iUnaIVQjVAahyjLt9UOEcEfZwnPgQLnadHl0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JAYz6SFj2tvQAUNW6AOLdr6M318nZAqOn5S7KAAwSGQ=; b=T1JW9PnMQ9x1VF2CRlAbV5S3A9XoQsy/K0+ygC4JOAo6tcHaQcZlG0nyi7TDRYdHl8 HI2WsCbEtSAJodPjrU/a+dEWwBmYUiLyB0SvGGVMWpliOiXyrxlhBKIvv+4wRGyuhhuF /efAVm0kIUJ/qshalm3eCtfe6akXW6L1wk0ahxOEWuSF8RkWo6Hcd16anNK0BcLhWXz2 Q3G8ucPW2B03xm2sxtEBjCYIwmPEsCBWXfKVylRuBfcbDYSqv8Xdo6ufxNP3+KhCcwoo 2sJurPj+q7J6atfxjUJ7ZTmnmT8Wi3cbj6jcQXpfJuWEwMGIhFSr+gMDu1ipfO/U2Cd2 yl0Q==
X-Gm-Message-State: AOAM533giVJCdUreQ1l84wqLAf+x8L1+GvI1HSfGxvv338Uqbv6cp8v4 1KKVrYVOPcd4huXLp58WoG712k9PLG2QOvTsVSlVp3dbhNHjbBML
X-Google-Smtp-Source: ABdhPJxVPXYcLDEAP8yInM7TiYN2J0ZEKB6gOlQMtfMtImFj/KpCIjYMlvEQ/gbn/FlJkbWM1nmjub4Be+Q7p7yotak=
X-Received: by 2002:ac8:76c7:: with SMTP id q7mr1495784qtr.293.1599591489019; Tue, 08 Sep 2020 11:58:09 -0700 (PDT)
MIME-Version: 1.0
References: <d33c685c-6bf3-1584-4d95-1fe2cf6695e8@huitema.net> <CAG2Zi23NQRPUzHbVKSSSxR_eaNokVF--K9FfCNMagrCKnSHMZQ@mail.gmail.com> <CAHbrMsB-yfKTS-5x4OcyTpZctVcRRj3=bmBoNOhyatQmYb8aeg@mail.gmail.com>
In-Reply-To: <CAHbrMsB-yfKTS-5x4OcyTpZctVcRRj3=bmBoNOhyatQmYb8aeg@mail.gmail.com>
From: Christopher Patton <cpatton@cloudflare.com>
Date: Tue, 08 Sep 2020 11:57:57 -0700
Message-ID: <CAG2Zi20D7r8quFfE5=Wm4yEg08grjhqb71cKVpChckpwjSdUBw@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: Christian Huitema <huitema@huitema.net>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007d553405aed1ea76"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mXR7Irxx7zstb9xTPB_0ZiAr7vk>
Subject: Re: [TLS] TLS ECH, how much can the hint stick out?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Sep 2020 18:58:12 -0000

>
> If we can establish how difficult it would be to hash the server keyshare
> into the hint in various implementations, I think we'll have our answer.  I
> suspect it is difficult enough to create a problem for someone, but I'm not
> a TLS implementer.
>

One data point: In the standard Go implementation, the ServerHello.random
is computed well before the "key_shares" extension is serialized [1].
Changing this would be somewhat invasive, but perhaps not prohibitively
so.

Best,
Chris P.

[1]
https://github.com/golang/go/blob/master/src/crypto/tls/handshake_server_tls13.go#L83

v2.23.0 | Report a Bug | By Email