Re: [TLS] Secdir last call review of draft-ietf-tls-certificate-compression-07

Benjamin Kaduk <kaduk@mit.edu> Mon, 02 December 2019 00:46 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 995B012011B; Sun, 1 Dec 2019 16:46:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VHjndzuhHZWh; Sun, 1 Dec 2019 16:46:22 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBCA8120052; Sun, 1 Dec 2019 16:46:21 -0800 (PST)
Received: from mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id xB20kEc0032079 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 1 Dec 2019 19:46:17 -0500
Date: Sun, 1 Dec 2019 16:46:14 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Christian Huitema <huitema@huitema.net>
Cc: secdir@ietf.org, last-call@ietf.org, draft-ietf-tls-certificate-compression.all@ietf.org, tls@ietf.org
Message-ID: <20191202004614.GB32847@mit.edu>
References: <157498929764.5575.7815291384505057169@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <157498929764.5575.7815291384505057169@ietfa.amsl.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rQGUp_uZQZ_pdZYbPA1wVd3Bu4w>
Subject: Re: [TLS] Secdir last call review of draft-ietf-tls-certificate-compression-07
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Dec 2019 00:46:24 -0000

Hi Christian,

Thanks for the constant vigilance on the privacy front; it's good to work
through what the differential exposure is, here, both with and without
ESNI.

Authors, please consider how you would like to handle this topic in the
document.

Thanks,

Ben

On Thu, Nov 28, 2019 at 05:01:37PM -0800, Christian Huitema via Datatracker wrote:
> Reviewer: Christian Huitema
> Review result: Has Issues
> 
> I have reviewed draft-ietf-tls-certificate-compression-07 as part of the
> security directorate's ongoing effort to review all IETF documents being
> processed by the IESG. These comments were written primarily for the benefit of
> the security area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
> 
> Draft-ietf-tls-certificate-compression-07 defines two new TLS extensions to
> negotiate and then apply compression of the Certificate message. The draft is
> clear and well written, and the extensions are already widely deployed. I would
> like to say "ready", but I have to say "almost".
> 
> This document is almost ready, except for one nit and one issue.
> 
> First, one nit. The draft references the "Certificate message", but there is no
> formal reference section 4.4.2 of RFC8446. Please add that, maybe at the
> beginning of section 4. It may seem obvious to members of the TLS WG, but
> uninformed readers will appreciate.
> 
> Second, my actual concern. Compression may leak information, because different
> certificate chains will compress differently. The authors mention that an
> attacker will not be able to inject data in the certificate chain, and thus
> that attacks of the CRIME variety are unlikely. That's correct, but that's not
> the entire story.
> 
> TLS 1.3 will encrypt the compressed certificate message but the length of that
> message could be deduced from the length of the server's encrypted message.
> Attackers might be able to derive from that length the identity of the server,
> even if the SNI is encrypted.
> 
> One could say that in the absence of compression the length of the certificate
> chain is also available. Indeed, the problem is flagged in
> draft-ietf-tls-esni-05, which states in section 5.3 that "it (the server)
> SHOULD pad the Certificate message, via padding at the record layer, such that
> its length equals the size of the largest possible Certificate (message)
> covered by the same ESNI key."
> 
> Certificate compression introduces a level of complexity here. If only some
> servers in the anonymity set support compression, attackers can work with a
> smaller anonymity subset. If all attackers support compression, the padding
> should try to match the largest Compressed Certificate.
> 
> It might be good to discuss this issue in the security consideration section.
> 
>