IETF Logo Mail Archive

Re: [TLS] Fwd: New Version Notification for draft-belyavskiy-fakesni-00.txt

David Fifield <david@bamsoftware.com> Tue, 26 March 2019 18:57 UTC

Return-Path: <david@bamsoftware.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61579120918 for <tls@ietfa.amsl.com>; Tue, 26 Mar 2019 11:57:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.541
X-Spam-Level:
X-Spam-Status: No, score=-0.541 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RDNS_NONE=0.793, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bamsoftware.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A83oH1CVlF36 for <tls@ietfa.amsl.com>; Tue, 26 Mar 2019 11:57:12 -0700 (PDT)
Received: from melchior.bamsoftware.com (unknown [IPv6:2600:3c00::f03c:91ff:fe96:a467]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0D26120907 for <tls@ietf.org>; Tue, 26 Mar 2019 11:57:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bamsoftware.com; s=mail; h=In-Reply-To:Content-Type:MIME-Version:References :Message-ID:Subject:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding :Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=aM1cOPrep7ibNczsK8NeFXdgv5XkFPo4uIolab8RbDA=; b=a8VxWdlKipqNMA4PHUUreZEbKS GPPHiEkBB3s/lw/pwQtUU3c7qj+wQQyf1oigX+hVfMVQneyn0JHiGK1WCs3V7Ub1MkuxPFG2D0ygt iMBcz4aHA3/JNjsvJAEZ49TYlGTOISCagH1jeNWDNOtTRHl0h1ZGfRQ3YhtKV6CHeAVs=;
Date: Tue, 26 Mar 2019 12:57:02 -0600
From: David Fifield <david@bamsoftware.com>
To: tls@ietf.org
Message-ID: <20190326185702.pbdkheag3w3boy5o@bamsoftware.com>
Mail-Followup-To: tls@ietf.org
References: <155060540091.20709.12797700493315209480.idtracker@ietfa.amsl.com> <CADqLbzLt3sJhisojiEDA93zOymBE0QjVxT2T+NAZjYSGm2Nzmg@mail.gmail.com> <1550634231892.18369@cs.auckland.ac.nz> <CADqLbz+zYNTwCidJhrR9DFaj3NqJszdx4bg=qkzwptMY9mYXrg@mail.gmail.com> <1550647276159.53158@cs.auckland.ac.nz> <CADqLbzKppD9MjQ9fX=gbXNFXgKkFE5jeLVnWcyoAt8ZZHAPX4w@mail.gmail.com> <CADqLbzL6epMoAs4Pe0XYB8XjrTJ52zLY_TGdpq0yMAs2Ax9_ug@mail.gmail.com> <0e9b3999-0e0a-d3e0-e9e3-a6c691fa37d1@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <0e9b3999-0e0a-d3e0-e9e3-a6c691fa37d1@huitema.net>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qsGbFX_EJyUlL_0aCzrVGMsfKRw>
Subject: Re: [TLS] Fwd: New Version Notification for draft-belyavskiy-fakesni-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 18:57:20 -0000

On Wed, Feb 20, 2019 at 03:48:18PM -0800, Christian Huitema wrote:
> Out of all the requirements listed in the encryption requirements draft, the
> requirement to "not stand out" is probably the hardest to comply with. The
> current ESNI draft works but usage of ESNI can still be detected. As Dmitri
> points out, there are locales where standing out will enable censorship. So,
> what to do? Well, if we want to not stand out yet carry some information,
> that's pretty much the definition of a hidden channel.
> 
> Would it be possible to engineer a hidden channel in the TLS 1.3 Hello? I bet
> that's quite doable. I am sure that fields like "opaque Random[32]" or "opaque
> legacy_session_id<0..32>" could be used creatively, and there are other fields
> in common extensions that could also be of service. Of course, "could be done"
> does not mean that the IETF will want to standardize it.

There's prior research on embedding covert signaling into TLS as a means
of preventing blocking by middleboxes. The work I'm familiar with is in
the field of decoy routing or refraction networking. There's a list of
papers at https://refraction.network/ and there's a good survey in
Section 2 of https://censorbib.nymity.ch/#Manfredi2018a.

Telex (https://censorbib.nymity.ch/#Wustrow2011a) is a good
representative example. Omitting some details: A router has a private
key r. On a new connection, the client generates a temporary private
key s. The client sets the Random field in its Client Hello to
g^s || H(g^(rs)) for some hash function H. The server, knowing r, can
distinguish this value from random, but other observers cannot. (There
are additional tricks to make g^s uniformly distributed.)

Lately the research has been less about the specific means of covert
signaling, and more about improving security and deployability, for
instance by working of asymmetric routes, or requiring only injection
and not flow blocking. There's been an ISP-scale deployment of one of
the designs, called TapDance: https://censorbib.nymity.ch/#Frolov2017a.

v2.23.0 | Report a Bug | By Email