IETF Logo Mail Archive

Re: [TLS] Don't Split HelloRetryRequest

Christopher Patton <cpatton@cloudflare.com> Fri, 16 April 2021 00:08 UTC

Return-Path: <cpatton@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 833533A356A for <tls@ietfa.amsl.com>; Thu, 15 Apr 2021 17:08:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MXTWMI97c69W for <tls@ietfa.amsl.com>; Thu, 15 Apr 2021 17:08:34 -0700 (PDT)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9BCC3A3568 for <tls@ietf.org>; Thu, 15 Apr 2021 17:08:33 -0700 (PDT)
Received: by mail-qk1-x731.google.com with SMTP id o5so27246585qkb.0 for <tls@ietf.org>; Thu, 15 Apr 2021 17:08:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vxYgBOd+5hqznupjoq35VT+gleWgM/C1TAX1T27M2Cs=; b=PpXVO8grojsDU2kyxsQ1vaLs89B5zxz95zhOk8PylYsj4dx4D30zTEnCRZmFDRVj/M 9GbmIyS70hjviztmG3oDvBvctGledjHazXmW7sBaF3Dkyj1ssjY8UjcexuJPXAG4vONg XUqpv5idf0nwhBp6QCDqCSBm6SuTk5+oYkKAA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vxYgBOd+5hqznupjoq35VT+gleWgM/C1TAX1T27M2Cs=; b=CsZoyQGVgqR9GQYedeu1I0wHKSUfLK98pLMf+YNgLp5Y8bhAl29InFjkDLOo50Zesy J0TRpVJf6Zjb5dUOUG8hs9vpsmAdbGqMcVWXijuD8FIfLC+i9f4sgNCXSxYknNvDZDwG wKu/oFnkurKSmNPBFGg2nhsBqVpnG+Z1c7G/OPR4KdGRKLAvefaVubgYKX94ReLpwG47 JxiwCz0l176lHezHheP58uLnQ1lbkoqK8kywfip2V2jvYrLc9B0W7Rog+k8vr98adwXJ Tjv3Bc19QfbwejwDshVFPJHYWOSGNpNmh2WScA0xG5TlJOoA4hUjIoi9jJHBcm/rZjsm 34yw==
X-Gm-Message-State: AOAM530SmgHYPYqKBX4Sy1BevY6eOkXO5PFxC8CBzS6+5/P3R//FWibT UzuIDyXru6vcSTg8UDDnrzkFj7shgV/n6QNvuknpAwzxWw0GUA==
X-Google-Smtp-Source: ABdhPJyR9YNRogXgnbUXUqPm16KpaC/IKkEzjuCBBcxpOy5HdJtJPwf17NublMxNrSz4foIfuJjMAY4r7ohde88Iw5U=
X-Received: by 2002:a37:a7c7:: with SMTP id q190mr6076805qke.146.1618531711869; Thu, 15 Apr 2021 17:08:31 -0700 (PDT)
MIME-Version: 1.0
References: <d0758a0a-737b-40ac-8189-1b4168510859@www.fastmail.com> <fa37e844-e7b8-4d97-94ee-f17cc45d95a3@www.fastmail.com>
In-Reply-To: <fa37e844-e7b8-4d97-94ee-f17cc45d95a3@www.fastmail.com>
From: Christopher Patton <cpatton@cloudflare.com>
Date: Thu, 15 Apr 2021 17:08:20 -0700
Message-ID: <CAG2Zi20VN=nbRH7EU9dH=gncvhWeOk0fWPQy=kZWn=5fhtjk-A@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000be925005c00bc7af"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rY91Mkj7HEXH3DOtJTHJDvFKokc>
Subject: Re: [TLS] Don't Split HelloRetryRequest
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Apr 2021 00:08:39 -0000

HI Martin, all, I added another alternative, so let me summarize for
everyone the possible paths forward, with links to the corresponding PRs.

1. https://github.com/tlswg/draft-ietf-tls-esni/pull/407: HRRInner and
HRROuter (original proposal, deemed too complicated).
2. https://github.com/tlswg/draft-ietf-tls-esni/pull/417: Strengthen
language around HRR-sensitive parameters (might be underspecified).
3. https://github.com/tlswg/draft-ietf-tls-esni/pull/423  Signal ECH
acceptance after HRR (a simpler alternative to #407).

Best,
Chris P.

On Mon, Apr 5, 2021 at 7:29 PM Martin Thomson <mt@lowentropy.net> wrote:

> I've created a few pull requests that make the changes I propose.  I think
> that the whole suite of related issues are closed as a result.
>
> The main one is here:
> https://github.com/tlswg/draft-ietf-tls-esni/pull/417
> There's a bit of rewriting here, but the change is not that large.  I
> would expect most implementations to be compliant already (it's much more
> work not to be).
>
> The whole set:
> https://github.com/tlswg/draft-ietf-tls-esni/pulls/martinthomson
>
> On Thu, Apr 1, 2021, at 12:57, Martin Thomson wrote:
> > I just reviewed the proposal to split HelloRetryRequest into outer and
> > (encrypted) inner.
> >
> > https://github.com/tlswg/draft-ietf-tls-esni/pull/407/files
> >
> > I'm strongly opposed to taking the change.  It complicates the design
> > greatly and unnecessarily.
> >
> > The existing design has some flaws, but they can be fixed more
> > elegantly than this.
> >
> > (Apologies if this seems a little long.  I'm writing down every
> > possible argument I can think of, because I can't guarantee that I will
> > be coherent at the meeting.)
> >
> > # HelloRetryRequest Has a Narrow Purpose
> >
> > Let's first address the key question of what HelloRetryRequest exists
> > to do.  It exists to ensure that the client and server are able to
> > jointly agree on keys to use for the remainder of the handshake.  This
> > is a very narrow scope.
> >
> > Furthermore, the particulars of key agreement are public.  This is
> > important as we can also say that all hidden servers need to use the
> > same configuration as it relates to cipher suites, key exchange, and
> > related parameters, as the results of negotiation are sent in the clear
> > in the ServerHello.
> >
> > My claim here is that there is no value in protecting any parameter
> > that might change in response to HelloRetryRequest.
> >
> > # Don't Seek Complexity
> >
> > It is entirely possible to imagine scenarios where an inner ClientHello
> > has different preferences from an outer ClientHello.  While in theory
> > we can construct a design that would support that (the pull request
> > does this well enough), to do so only serves to increase complexity.
> > It does not address any real use case or problem that I'm aware of.
> >
> > If we allow for the client to provide different values in inner and
> > outer ClientHello messages, then the current design means that the
> > client is faced with some ambiguity about which of the two messages a
> > HelloRetryRequest applies to.  If we try to create an indicator, then
> > that leaks.
> >
> > We could solve the problem by making the protocol more complex.  Or we
> > could avoid it.
> >
> > This problem is entirely avoidable.
> >
> > # Matching Inner and Outer Values
> >
> > When we get right down to it, there are a very small number of things
> > that truly change in response to HelloRetryRequest.  And all of these
> > changes are to values that do not need confidentiality protection.
> >
> > The draft lists three fields that change: ciphersuites, key_share, and
> > version.  From my perspective, changing cipher suites, supported
> > groups, or versions would be a big mistake.  So what changes is even
> > more limited.  Just the shares in key_share.
> >
> > On this basis, a client that offers cipher suites, groups, versions,
> > and key shares that are identical in both inner and outer ClientHello
> > messages will always receive a HelloRetryRequest that applies equally
> > to both messages.
> >
> > The only adjustment that is acceptable with respect to these fields
> > being identical is the addition of TLS 1.2-only options to the outer
> > ClientHello (or the removal of the same from the inner ClientHello if
> > you prefer it that way around).  This is a fine optimization on the
> > basis that accepting ECH represents a commitment to support TLS 1.3 (or
> > higher).  But it is really just an optimization (the draft makes this
> > mandatory, which is silly).  The client can therefore remove options
> > from the inner ClientHello only if it is impossible to select them with
> > TLS 1.3 or higher.
> >
> > For new extensions, if they define a means of adjustment or correction
> > via HelloRetryRequest (there is currently just one: password_salt,
> > which I haven't examined), then they too need to follow this
> > restriction.   It's not an onerous one.
> >
> > Follow this simple constraint and HelloRetryRequest will always apply
> > equally to both inner and outer ClientHello and everything works.
> > Conveniently, this is more or less exactly what the current draft says.
> >  Almost.
> >
> > The draft currently allows inner and outer ClientHello to have
> > different types of key share.  The way it handles this is terrible: it
> > recommends breaking the transcript.  To me, that seems like it would
> > only serve to open the protocol up to downgrade attack.
> >
> > Incidentally, I don't see a problem with having a different key share
> > *value* in inner and outer ClientHello.  There's no point in doing that
> > unless you believe that these values leak information (they really
> > shouldn't), but it wouldn't break this model if a client decided to do
> > that.
> >
> > https://github.com/tlswg/draft-ietf-tls-esni/issues/333 appears to be
> > concerned about the cookie only applying to one or other ClientHello.
> > I don't see how is the case, so I'm just going to say that this is
> > fixed by having HelloRetryRequest apply to both inner and outer
> > ClientHello messages.  If the client receives HelloRetryRequest that
> > applies to just one of the two, then the problem is that the client is
> > faulty.  That would be treated as a programming error as normal (crash,
> > open a bug report, send an internal_error alert, etc...).
> >
> > Then there are the things that more or less have to change in response
> > to HelloRetryRequest, but really only because the ClientHello changes:
> > padding, pre_shared_key, and ECH itself.  For those, we need to address
> > a minor inconsistency problem at the level of the core protocol itself.
> >
> > # Addressing Minor HelloRetryRequest Problems
> >
> > We do need to fix RFC 8446 rules regarding HelloRetryRequest.  David
> > already suggested some minute adjustments for that problem in
> > https://github.com/tlswg/draft-ietf-tls-esni/issues/358 .  The short
> > version is that extensions can define their own rules for how they
> > change after HelloRetryRequest.  This is a good amendment, especially
> > as it relates to extensions that are not known to the server.
> >
> > That tweak does have deployment issues, because the original rules have
> > been interpreted too literally in some cases, but that should not
> > affect ECH specifically.  Servers that have this bug won't be able to
> > deploy ECH without fixing the bug and that's OK.  Other servers will
> > only see grease.
> >
> > The draft currently mandates that greasing values not change after
> > HelloRetryRequest, which will avoid this compatibility bug, but also
> > reveal the fraud.  I can tolerate that small amount of leakage.
> >
> > # Avoiding HelloRetryRequest
> >
> > I think that Nick's suggestion for helping avoid HelloRetryRequest by
> > placing hints about key shares in DNS SVCB/HTTPS records is a fine one.
> >
> > I see the arguments about this being about the configuration needing to
> > speak for backend servers when the record relates to frontend servers.
> > But my perspective here is that you already need to ensure that backend
> > servers have a consistent cryptographic support profile; adding a small
> > number of frontend servers to the set that need to be made consistent
> > isn't that difficult.  If this consistency is not possible in some
> > deployments, that's understandable, but then it is an optional
> > enhancement that won't be available to those deployments, that's all.
> >
> > Of course, this is an extension that we can pursue separately.
> >
> > # Conclusion
> >
> > I'm firmly opposed to splitting HelloRetryRequest.  I would like to
> > deploy ECH and this doesn't really help with that.
> >
> > I don't agree that there is a problem that needs to be fixed with the
> > current draft.
> >
> > On the other hand, I can guarantee that this change will delay Firefox
> > deployment significantly (that is, for an indefinite period).  It would
> > require rearchitecting a piece of code that is rarely used already
> > (despite being a source of significant complexity) and replacing it
> > with code that is even more complex and would include paths that are
> > even more lightly used.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email