IETF Logo Mail Archive

Re: [TLS] About encrypting SNI

Andy Lutomirski <luto@amacapital.net> Wed, 16 April 2014 19:09 UTC

Return-Path: <luto@amacapital.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D62741A020D for <tls@ietfa.amsl.com>; Wed, 16 Apr 2014 12:09:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9c1_1g1_QVVP for <tls@ietfa.amsl.com>; Wed, 16 Apr 2014 12:09:49 -0700 (PDT)
Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) by ietfa.amsl.com (Postfix) with ESMTP id CDA161A02E9 for <tls@ietf.org>; Wed, 16 Apr 2014 12:09:48 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id c11so8461521lbj.17 for <tls@ietf.org>; Wed, 16 Apr 2014 12:09:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=mf94TuDERfP7X3mniAP2kN+Eg4ZAROqGUlRScSL3zYg=; b=RPqRiPPNXCCpIeDvWCedzZATbicbQf39S0AaUsONg8npEKbIfpMabYt/qTwR/YJ5zy qHcqExYIUIHh0oC2Y2eg22oNjzQxfVVGdQ3OgRxDCu0mseZGgxeb8ortIOT4uS0C6oCA ThBfTRTcHck+rHMtRL0SPApd0x9ds/SxNsaX913yDS0d9fqP6hk46mRXtOV5PczsSdGD 4QfcU7vhf6Fa+yRJAOlgMiiWwj6HHS37nJsPBKfElgf8ykTuh0t5ckibeAxiEv+QELWB kqYHpdfz2JIQbHf9Y/Y/JKdMPL8UjtZ2XR5SuyLb21F98jTfrUZV3u6BFJlsaMA5aNa2 2adA==
X-Gm-Message-State: ALoCoQkFV7CcS0m8sKYkwNjVlOPJBwSfcnG/ODG9zT5p4+ConZI/dKy07Ko3Wkvy/VMOBMce3Vnp
X-Received: by 10.112.163.69 with SMTP id yg5mr3902528lbb.14.1397675384899; Wed, 16 Apr 2014 12:09:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.152.21.7 with HTTP; Wed, 16 Apr 2014 12:09:24 -0700 (PDT)
In-Reply-To: <CAKC-DJgNvF=hhwoyRNkJ3vKz9EZ_JpoM84bCip6eProLwsQsEg@mail.gmail.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED40@USMBX1.msg.corp.akamai.com> <534C3D5A.3020406@fifthhorseman.net> <474FAE5F-DE7D-4140-931E-409325168487@akamai.com> <D2CB0B72-A548-414C-A926-A9AA45B962DA@gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B490162@USMBX1.msg.corp.akamai.com> <CACsn0cmusUc3Rsb2Wof+dn0PEg3P0bPC3ZdJ75b9kkZ5LDGu_A@mail.gmail.com> <534DB18A.4060408@mit.edu> <CABcZeBOJ7k8Hb9QqCAxJ_uev9g_cb4j361dp7ANvnhOOKsT7NA@mail.gmail.com> <CA+cU71kFo6EihTVUrRRtBYEHbZwCa9nZo-awt4Sub2qXcKHC7g@mail.gmail.com> <m2k3apmjk2.fsf@usma1mc-0csx92.kendall.corp.akamai.com> <CALCETrU6zn52yX=Q-_h4epR6W9+f2oTr3yfyK1sxiwGa2dvWGw@mail.gmail.com> <CAKC-DJgNvF=hhwoyRNkJ3vKz9EZ_JpoM84bCip6eProLwsQsEg@mail.gmail.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Wed, 16 Apr 2014 12:09:24 -0700
Message-ID: <CALCETrWY_-N+nM9N0_gbeffkX5Jo8vn7XKeFCezGiwq2A74Wjw@mail.gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/pPPF8Zf6bxNMil1EAYCk-qfdAqA
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Apr 2014 19:09:54 -0000

On Wed, Apr 16, 2014 at 11:56 AM, Erik Nygren <erik+ietf@nygren.org> wrote:
> If we do anything with DNS, we need to be very conscious that individual
> records change asynchronously from other records.  For example, we can't
> assume that an A/AAAA record and a DANE record refer to the same operator
> (webserver, hosting provider, CDN, etc).   In order for anything along these
> lines to be deployable, it must be possible for everything associated with a
> particular name->service binding to change together.  In addition, browser
> vendors are extremely wary of doing extra DNS lookups synchronous to a
> request which is one reason that SRV records aren't in-use today for
> HTTP(S).

You can hack around this by temporarily turning off hello encryption
when switching providers.  This is unfortunate, though.

>
> After thinking about this some, if we are looking towards a future world
> where additional DNS security and privacy has been added, a new "service
> binding" record type (I'll call it a "B-record") might help partially
> address a number of these issues and raise the bar a little about SNI
> privacy.  The B-record would glue together information needed for
> establishing a connection (and provide a client with a number of options to
> choose from).  For example:
>
>      _https._b.www.example.com B  "AAAA=2001::abcd, port=443, alpn=h2s,
> handshake_ecdhe_key=68sgjbjfsd8fyjgbsgd7863, handshake_token=5sdfkj335,
> pri=5, dane_cert_name=version83.ca.example.com"
>      _https._b.www.example.com B  "A=1.2.3.4, port=443, alpn=h2s,
> handshake_ecdhe_key=68sgjbjfsd8fyjgbsgd7863, handshake_token=5sdfkj335,
> pri=5,  dane_cert_name=version83.ca.example.com"
>      _https._b.www.example.com B  "A=1.2.3.5, port=443, alpn=h1s,
> handshake_ecdhe_key=438nkgj8utjs89we0t8tjer, handshake_token=asdjhk887,
> pri=3,  dane_cert_name=version82.ca.example.com"
>
> Defines a set of HTTPS service bindings for a few sets of IP addresses with
> different ALPN settings.
>
> In the above, the handshake_ecdhe_key is the public part of the server key
> to encrypt the handshake (including SNI to and the handshake_token is the
> "opaque" value from ekr's flows proposal.  Clients could select between
> which of them they'd use based on their ALPN support.
>
> At least for HTTP(S), something like this might be more deployable than
> current options.
>
> Note that the handshake_token (sent in the clear in the TLS handshake like
> the "opaque" value) will leak information to passive attackers who are
> building up correlation tables.

I'm not sure exactly what you mean by handshake_token.  Do you mean
the anti-replay token?

The handshake token as a way of identifying the service binding in use
seems problematic to me.  Wouldn't it be better to just leave it out
entirely?  As long as each IP only accepts one or two handshake keys,
then figuring out which one is in use by trial decryption should be
fine.  I think that something is wrong if you have an IP with lots of
handshake keys.

Realistically, you may need up to four handshake keys: old FIPS, new
FIPS, old non-FIPS, new non-FIPS.

>
> Also if the key is used *only* for the handshake, it's not clear that this
> is any worse against active attackers even if DNSSEC is not used than the
> "new flows" proposal.  (In both cases a MitM can provide an alternate
> handshake key or build up a table of ids to SNIs.)  Clearly DNSSEC would
> need to be used for *every* step before DANE could be used, however.
>
>
> I think the question from above arises of whether it is worth doing all of
> the engineering work here if there's still no fundamental way to guard
> against active attackers or resourceful passive attackers.  Some of this
> will come down to trade-offs.

I think my approach is actually secure against active attack, so long
as the client is willing to fail if DNSSEC validation fails.  Your
idea of B records could be as the DNS component.

--Andy

P.S. As a side note, here's a tweak to mine: the DNS-encoded key
should include the length of the maximum overhead that any handshake
cipher suite imposes to make the padding calculation easier.  That
adds one byte or so.

v2.23.0 | Report a Bug | By Email