[TLS] Some comments on draft-rescorla-tls-esni-00

John Mattsson <john.mattsson@ericsson.com> Fri, 20 July 2018 19:52 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "TLS@ietf.org" <TLS@ietf.org>
Thread-Topic: Some comments on draft-rescorla-tls-esni-00
Date: Fri, 20 Jul 2018 19:52:00 +0000
Message-ID: <D9DA5A34-8B1D-4C45-89F2-8668CBC7F229@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rc_tgkgVIeB4yeNCgPcyPzRnrBI>
Subject: [TLS] Some comments on draft-rescorla-tls-esni-00

Hi,

I looked through the draft, mainly focusing on the crypto parts. This is more or less ECIES, but with a more modern style of key derivation than most existing standards. This solution is very similar to the standardized 3GPP identity encryption (SUCI) with the difference that the static public keys are distributed through DNS instead of UICCs (aka SIM cards).

The current construction looks very good.

- One thing that could be discussed is integrity protection of the client’s ephemeral public key. The current construction 

encrypted_sni = AEAD-Encrypt(key, iv, "", PaddedServerNameList)

does not achieve IND-CCA security (but only suffers from benign malleability [1][2]). An addition of the client’s key share would make the SNI encryption IND-CCA secure:

encrypted_sni = AEAD-Encrypt(key, iv, KeyShareClientHello, PaddedServerNameList)

Unless it causes problems of some kind, I would recommend doing that.

- The hash algorithm used in “Hash(ClientHello.Random)” does not seem to be stated. I assume that it is the hash function associated with "suite". Also, is hashing the random value needed?

- A mistake ECIES implementations have made in the past is to let the integrity key depend on the plaintext, which breaks the security proof of ECIES, but this is not the case here.

Cheers,
John

[1] http://www.secg.org/sec1-v2.pdf
[2] http://shoup.net/papers/iso-2_1.pdf
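As an added illustration of the first point above (this is not code from the draft or from the mail), the Go program below models both constructions with X25519 and AES-GCM. RFC 7748 decoders ignore the top bit of an encoded u-coordinate, so a client key share re-encoded with that bit flipped yields the same ECDH secret: with empty associated data the untouched encrypted_sni still decrypts (the benign malleability referred to), while with the key share as associated data it does not. The key schedule is a simplified stand-in for the draft's HKDF-based one, and the padded name list is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// aeadFor: AES-128-GCM key and IV from the X25519 output (a plain hash stands in for the draft's HKDF schedule).
func aeadFor(shared []byte) (cipher.AEAD, []byte) {
	h := sha256.Sum256(shared)
	blk, _ := aes.NewCipher(h[:16])
	aead, _ := cipher.NewGCM(blk)
	return aead, h[16:28]
}

// decryptSNI is the server side. With bind, the AAD is the share exactly as received.
func decryptSNI(srv *ecdh.PrivateKey, share, ct []byte, bind bool) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(share)
	if err != nil {
		return nil, err
	}
	shared, err := srv.ECDH(pub) // also rejects low-order points
	if err != nil {
		return nil, err
	}
	aead, iv := aeadFor(shared)
	if bind {
		return aead.Open(nil, iv, ct, share)
	}
	return aead.Open(nil, iv, ct, nil)
}

// serverOpens runs one exchange; flip is XORed into the share's last byte on the wire (0x80 is the bit RFC 7748 decoders ignore).
func serverOpens(bind bool, flip byte) bool {
	srv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	shared, _ := eph.ECDH(srv.PublicKey())
	share := eph.PublicKey().Bytes()
	padded := []byte("example.com, padded") // constructed sample PaddedServerNameList
	var aad []byte                           // "" as in draft-00
	if bind {
		aad = share // the proposal: bind the client key share
	}
	aead, iv := aeadFor(shared)
	ct := aead.Seal(nil, iv, padded, aad) // encrypted_sni
	share[31] ^= flip
	pt, err := decryptSNI(srv, share, ct, bind)
	return err == nil && string(pt) == string(padded)
}
```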