Re: [TLS] draft-rescorla-tls13-new-flows-01 - Thoughts post-meeting

Michael StJohns <msj@nthpermutation.com> Sun, 16 March 2014 20:41 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8CC81A01F9 for <tls@ietfa.amsl.com>; Sun, 16 Mar 2014 13:41:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_46=0.6, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o1iR1YW8HGrV for <tls@ietfa.amsl.com>; Sun, 16 Mar 2014 13:41:01 -0700 (PDT)
Received: from mail-ee0-f51.google.com (mail-ee0-f51.google.com [74.125.83.51]) by ietfa.amsl.com (Postfix) with ESMTP id 150B51A0310 for <tls@ietf.org>; Sun, 16 Mar 2014 13:41:00 -0700 (PDT)
Received: by mail-ee0-f51.google.com with SMTP id c13so3417251eek.38 for <tls@ietf.org>; Sun, 16 Mar 2014 13:40:52 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=5DjgRzcXajuBsSnXi4fb3kaA/aJBiW0wAb/lqOTiAK0=; b=ciyOs1ey2ATQTvWyzkEowVVVLq2yhrS+K1/x5jULqmeb+f3MlQemSBjbiiNxx2di1Y kz+EKNYwcrvXyoFESifxj0RC6GACPMRhE3sVsWJhxJVzBO8YAcun/XdXFx7KPZDGnQJF PYE/j3gaOjfkflF0kc8W8ZmuruX+MUI4gN497c7fHUUOL2pPnUosDuin1qXIlE5N1L11 mAfdC27+U2lfCRBcqb9BpY42jscFhcr8rSTtaC7f3caxNstXPHkigWvPUlwWsqGGU44c Xe/DGWYC8SgTkKq2Z6PUsGhPITm20KT6xSn0aOQ5HomfErZ8ZOoBVwWRamkLsV/UALbQ b+ng==
X-Gm-Message-State: ALoCoQmihDj4mJv9CbPB+hi+gYMKiFODiSt8Jz9vnxx5tjE1pnQKDHMObwkyfoO9u9Gmny0TXz1S
X-Received: by 10.14.4.201 with SMTP id 49mr20144963eej.13.1395002452809; Sun, 16 Mar 2014 13:40:52 -0700 (PDT)
Received: from [192.168.1.105] (c-68-34-113-195.hsd1.md.comcast.net. [68.34.113.195]) by mx.google.com with ESMTPSA id 44sm22312886eek.30.2014.03.16.13.40.51 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 16 Mar 2014 13:40:52 -0700 (PDT)
Message-ID: <53260C51.10407@nthpermutation.com>
Date: Sun, 16 Mar 2014 16:40:49 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>
References: <5325DDA0.9030006@nthpermutation.com> <CACsn0cmLJJGw5cKmbnUT9tftEd0tn4cJQcf1WN7VQQc1GeO-aA@mail.gmail.com>
In-Reply-To: <CACsn0cmLJJGw5cKmbnUT9tftEd0tn4cJQcf1WN7VQQc1GeO-aA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/sEQBX4o6ZF2-gqTjXhgl6Q7f7K4
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-rescorla-tls13-new-flows-01 - Thoughts post-meeting
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Mar 2014 20:41:04 -0000

On 3/16/2014 2:12 PM, Watson Ladd wrote:
> On Sun, Mar 16, 2014 at 10:21 AM, Michael StJohns
> <msj@nthpermutation.com> wrote:
>> During the TLS meeting EKR talked about encrypting most of the protocol
>> negotiation, and noted that the primary use case for that was the SNI.
>> Someone else noted, that the SNI was often used as routing information by
>> distributor boxes and might be problematic to encrypt.  Further discussion
>> ensued (http://www.ietf.org/proceedings/89/minutes/minutes-89-tls) leading
>> to a hum on protecting the SNI that was pretty much down the center of
>> do/don't.
>>
>> After thinking about it for a bit - how about simply hashing the data in the
>> SNI? Ideally calculated with a prefix of a random value that's also sent
>> along in the SNI so the same hash isn't sent over and over?
> >From time to time, people have a privacy issue like NSEC. Someone
> comes along and says
> "I know! we'll use hashing." and we get NSEC3.
NSEC3 was not a privacy issue item, it was a database walking item.

>
> Do you know how many SHA256 calls per second off-the-shelf commercial
> ASICs can do? It's about 155 million per second per dollar.


Ok - let's inject a little bit of financial analysis.

Two questions:

1) What's the cost of making the first attack (not the delta, but the 
minimum cost to an attacker to build something to do what you're talking 
about, PLUS the cost of actually acquiring the data on the wire)?

2) What's the value of the first piece of data to the specific attacker?


My point is that unless there is specific value to the attacker, and 
that value is greater than the cost to the attacker of making the 
attack, then the attack won't happen.

Two further questions:

3) What, exactly, is the value of the privacy of the query data to the 
querier and how much does that value degrade over time once the query 
has been made?

4)  Just how much can be spent on protection before the protection costs 
exceed the value of the data?

and two further questions.

5) Are the anticipated attacks general (shot gun) or targeted?

6) If targeted, does encryption provide sufficient protection or could 
the data be gotten for similar costs via other attacks?


It was clear from the WG meeting that there wasn't consensus to add 
encryption across the board - whether from a disagreement on need or 
whether the mechanism EKR proposed was the way to go or possibly 
something else.  That said, if this is about trying to protect against 
well funded attackers, encryption in not a panacea.  If this is about a 
casual eavesdropper, then maybe a simpler solution is reasonable.


>
> Do you know how many hostnames there are? Well, theoretically many,
> but most are made human-readable: the entropy is much lower than the
> length and alphabet would suggest.
>
> The attacker can determine which name is being contacted with a few
> weeks of calculation.

Weeks?  Oh - you're worried about a shotgun and national actor approach, 
rather than the typical attacker. OK.

In any event, there are any number of ways to increase an attackers work 
factor substantially without increasing the work factor for someone that 
already knows the small set of answers.  Think of it as a DNS arms race 
and we win if we make them spend more than they get back in value.  You 
used 155m hashes per dollar - so if we increase the work factor to say 
500m hashes to find a name, then it costs $3 per query to resolve to the 
names. How many connections per day are there?

Later, Mike

> Once it has the hostnames,
> figuring out what is going on is quick. This already exists in the
> form of the nsec3walker tool.
>
> Sincerely,
> Watson Ladd
>
>