Re: [TLS] ESNI and padding
Eric Rescorla <ekr@rtfm.com> Thu, 20 June 2019 01:17 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B65021201D8 for <tls@ietfa.amsl.com>; Wed, 19 Jun 2019 18:17:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y9uSCd0miXlx for <tls@ietfa.amsl.com>; Wed, 19 Jun 2019 18:17:46 -0700 (PDT)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD30C120052 for <tls@ietf.org>; Wed, 19 Jun 2019 18:17:45 -0700 (PDT)
Received: by mail-lj1-x22e.google.com with SMTP id m23so994379lje.12 for <tls@ietf.org>; Wed, 19 Jun 2019 18:17:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NEgZtrpffSQvDHP6jd4KM7tGCklxVMrB9MV4ZCGGGfA=; b=zKWswXAz09syep4XTt1jscdn41TIU4WBoUsbSyjWiLwM2GDI503Swm1u8EWOkubiWW DvRB/NKdBA9i2IGuFGGPNJf4sjpb6jpamf5BWP7eFhoV9hgK/OUdbUiq3HxEjyl0rb6r VyCZfk2X9kf6UeWVh6e3yEhFfBJ5pwiWNK8z0IJ9Y3KbCR88Mgjx1HLXN3U9hGQaHTJn T9JiuocoVygXM+xp4rrlwrBbU1pjQWKLm8uUFEZrIsp1tukLoo0iZNdDCtdfRGdoATQ+ PRAlP0BeLzAR315w/ElhX6Hjz6I8Z4fzNYIGk2GY+qp8DX9E6KuBU7Ipl9pSncQVwlkQ RbzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NEgZtrpffSQvDHP6jd4KM7tGCklxVMrB9MV4ZCGGGfA=; b=VgIi1v3HWUnvLZ5CrGdNBIuuwBXogBuii7mNCugnqdyDx4Jm5EUUfHVu7wqiEOuaCD 4Svoa1dgB623RyTRFCoYXe94xPcmh22A8UaDuXU3V45B5AOKREupvkgR5gGyFqedloPu yLSJRYM/Nu4OC9A7M3MNQLg+Hkk1IjQovTBpfiLlNKLrb6tnLI41jkbRVxJg8qpVrw1O 0HpQeipu2RIBQLywg9/6e8diJ1YxGHXUmznQzVVX7vngiICacFkx0sr7uvNMuYBxxxcS IPax86a/FTcLLngESzqWzE06A9fA8BG4nEH3zCkzWqBu4X9oRi4WpUtqayn3mag5of5P du/Q==
X-Gm-Message-State: APjAAAXrKTvS9bSacseVU1WrXVH8sTdVl1tMgNSkwubB9iL8MXTybkbo YllaiAOJnXAORLT0RnQPVezeg1TAi1NHp6/NZeFcug==
X-Google-Smtp-Source: APXvYqyqlM/JDeXVv9oF0HS0CgLmS2OPTn1fR/qE3RhNidwP15QRWUPlzV4vnR0rTjNZRUcK5MYPVJrFW5Xd6oLzilE=
X-Received: by 2002:a2e:9cd4:: with SMTP id g20mr16465981ljj.205.1560993463918; Wed, 19 Jun 2019 18:17:43 -0700 (PDT)
MIME-Version: 1.0
References: <eb4bc1a3-ebff-b174-e601-5cf727a7bedd@cs.tcd.ie>
In-Reply-To: <eb4bc1a3-ebff-b174-e601-5cf727a7bedd@cs.tcd.ie>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 19 Jun 2019 18:17:05 -0700
Message-ID: <CABcZeBO5-kaczJab7ryeURX21OQ_AkR5pKuf+1R2YF+=z4g9cA@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e9f860058bb71cdc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/m_7d-81nnut6S778tNGtV28Gm0I>
Subject: Re: [TLS] ESNI and padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jun 2019 01:17:49 -0000
On Wed, Jun 19, 2019 at 3:34 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > TL;DR: I think we ought remove the ESNIKeys.padded_length field, > define a purely algorithmic padding scheme with no configuration > needed and RECOMMEND that people using ESNI don't use names that > are exceptionally long. > > In the web, ESNI is hides the web site to which a browser is > connecting but there are a few ways in which the lengths of > handshake fields could give the game away. So the current > draft provides mechanisms to avoid those issues in the > handshake. But I think we can do better with less. > > (As a side-note - the ESNI spec is not trying, and shouldn't try, > to define how to pad TLS application traffic. While that is something > that will need to be figured out, it's out of scope for ESNI, which > rightly only deals with the handshake IMO.) > > My main problem with the current approach is that a server might not > (easily) know the longest name or certificate that they will serve > for the duration for which one ESNIKeys value is current. I've come > across openssl related code and mails that indicate that server code > accesses the server cert and private key via a DB lookup. That DB > might not be readily searchable for whomever generates the ESNIKeys. > The current draft calls for fixing the padded_length in the ESNIKeys > structure published in the DNS to cover the longest needed. It > could easily be problematic to ensure those don't get out of whack, > leading to avoidable error cases. The current approach also links > the cadence with which one updates the DNS with how often new TLS > server certificates appear, which seems like an undesirable and > unnecessary linkage. And of course, while the length of the > server name is under local control, the length of certificates > is not. > > Separately, I think the current approach will lead to deployments > over-estimating the padding needed "just in case", e.g. CF's > deployment calls for padding to 260 octets (and I've copied > that in mine so far:-) I would assume CF picked that number > for that not-great "just in case" reason but don't know. In any > case, 260 seems wasteful to me and if it ended up widespread > could cause an issue later if the ClientHello gets bigger for > other reasons, and/or if someone started to depend on it for > some weird reason. > > What I'd suggest instead: > > - delete the padded_length field from ESNIKeys, so nobody needs > to configure anything for padding > - clients MUST pad to a multiple of N octets where N is in the > spec (I'd suggest N=32, but any number that's longer than > nearly all real TLS server names would be good) > - we RECOMMEND clients randomly add an additional N octets of > padding with probability X%, perhaps with X=10 (btw - am I > right in thinking that if X% is greater than the percentage > of real names that are longer than N, then we're good?) > - we STRONGLY RECOMMEND that servers choose names shorter than > N octets for hidden web sites > I am not in favor of these changes. They reduce protocol flexibility for servers which know what they are doing and largely can be implemented in the protocol by servers which do know what they are doing. - servers pad Certificate to a multiple of M octets (M=2000 maybe) > Again, this has a huge negative impact on performance and the server can do much better if it's smart. and CertificateVerify to a multiple of O octets (with O=500 maybe) > In addition to the comments above, your number for O is way too large if the server has effectively any information about which algorithms it is using. Even if you know that you only use RSA-2048 (by far the dominant size) then you can do far better than 500. Similarly, if you have the same set of algorithms for all your domains, this does not leak any information. -Ekr > I'd be fine with any minor changes to the above as well > or with another scheme that allows us to get rid of the > ESNIKeys.padded_length field. > > Cheers, > S. > > PS: There was a little discussion of this on github, [1] but > I figure this is really one the WG ought deal with. > > [1] https://github.com/tlswg/draft-ietf-tls-esni/pull/122 > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Eric Rescorla
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Ben Schwartz
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Ben Schwartz
- Re: [TLS] ESNI and padding Eric Rescorla
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Christopher Wood