Re: [TLS] ESNI robustness and GREASE PRs
David Benjamin <davidben@chromium.org> Tue, 18 December 2018 21:39 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7D45130934 for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 13:39:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.563
X-Spam-Level:
X-Spam-Status: No, score=-9.563 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.065, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C7iMR44wMsld for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 13:39:27 -0800 (PST)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 219DF130F19 for <tls@ietf.org>; Tue, 18 Dec 2018 13:39:27 -0800 (PST)
Received: by mail-qk1-x730.google.com with SMTP id o125so10455713qkf.3 for <tls@ietf.org>; Tue, 18 Dec 2018 13:39:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=rLgs0ewa0ScEkbCRIPE2fGUk8MKd1fX3FgJNXsIoElk=; b=m1/neNut7sB/7hcUG7ST4dEKQUHYK/nSZd49mnG2ncjQwAQYuuLiF6lj1PRgkRoWk4 FD1TzIr1pyL/Lp5jYeUC5+5ws7C79N0B6SZ0eQWye/oW+vouwTEcKcKnwVcEa16TxKgs 1grkrOG5VvO2rrQ9s9mz89MOGXRcqveAqLu3Y=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rLgs0ewa0ScEkbCRIPE2fGUk8MKd1fX3FgJNXsIoElk=; b=Cn5gc/ELCT1fZiyghvNs1YY07HsME8Bx0f9zRQL1QLwnRoTC1GC5obSUI75+eSY4Qt Cl2nsfV06ucq3UOZx8u31+OjgigjhrT3eUIcQKTMpfBHS/KW4ebBYANoPblWmmPii2dv zw50X/O6wVMaPxlcp8XMq87HifRXfxR1XnjRl9CbyERHXbQdc3dLQB0qi+/VpRmsD6xW 3eErZP12QToe7LVwIj/GabLPdvkex2Y+wGXwUTkhhRlt3VBXnje2JcTjjaYE1h6h05Nt cEXO7d2Uf0HRbdUXV4EZO9XJPbjnLYvUfVh5bDB038r6kCrfyTJPUtY/vrjghdYc0ULO SnvQ==
X-Gm-Message-State: AA+aEWY+Wyh1tFJiipTA2PHXwR6TgQIPHZUCZh17ejDLo80O1IcXePUj HotmMjP2TtaIX+JLBnAe14oXRS9cOjwCmqyPRTKJnmoe5A==
X-Google-Smtp-Source: AFSGD/VpHYzcRAkjYEkLaGSYDO+uXkLH3DzzhjoXXyCl7y/vUI0OLVAiX8M24eDiXkjPfO4fAjHtcFIAI7dCW9K8c9I=
X-Received: by 2002:a37:7442:: with SMTP id p63mr17728057qkc.320.1545169166109; Tue, 18 Dec 2018 13:39:26 -0800 (PST)
MIME-Version: 1.0
References: <CAF8qwaAh-eCLOR3YX3KoVWPe8=uquO+9wwbiSYpOyxvizBSeEg@mail.gmail.com> <20181218090031.GA28550@LK-Perkele-VII> <CAF8qwaDyVswWZ67bwW16KaKLkWvVx57nShNQ40zW-r+o1_iL6w@mail.gmail.com> <20181218210607.GA592@LK-Perkele-VII> <CAF8qwaB93HfM-xxJU60dTYGPok1foB+hgxg-uFjUbFnsCZsvag@mail.gmail.com>
In-Reply-To: <CAF8qwaB93HfM-xxJU60dTYGPok1foB+hgxg-uFjUbFnsCZsvag@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 18 Dec 2018 15:39:15 -0600
Message-ID: <CAF8qwaDsTZAeRQyFTU3Y054+zASq_pfP22Wk9YM=5PjJr1sszA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000441b56057d52bb06"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/saTxnPEGpO2T2skgLUijpsKRrPI>
Subject: Re: [TLS] ESNI robustness and GREASE PRs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 21:39:30 -0000
(Hit send too early) On Tue, Dec 18, 2018 at 3:32 PM David Benjamin <davidben@chromium.org> wrote: > On Tue, Dec 18, 2018 at 3:06 PM Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > >> On Tue, Dec 18, 2018 at 02:27:10PM -0600, David Benjamin wrote: >> > On Tue, Dec 18, 2018 at 3:00 AM Ilari Liusvaara < >> ilariliusvaara@welho.com> >> > wrote: >> > >> > > On Mon, Dec 17, 2018 at 05:17:37PM -0600, David Benjamin wrote: >> > > > Hi folks, >> > > > >> > > > We[*] wrote up some proposed changes for draft-ietf-tls-esni that >> we'd >> > > like >> > > > the group's thoughts on. The goal is to make ESNI more robust and >> > > eliminate >> > > > a bunch of deployment risks. The PRs are linked below: >> > > > >> > > > https://github.com/tlswg/draft-ietf-tls-esni/pull/124 >> > > > https://github.com/tlswg/draft-ietf-tls-esni/pull/125 >> > > > >> > > > The second recommends clients to send GREASE ESNI extensions when >> they do >> > > > not have cached ESNIKeys available. This better meets the "Do not >> stick >> > > > out" goal. The server behavior in the first PR gives us this for >> free. >> > > >> > > It seems to me that if server thinks it has ESNI enabled, but >> > > the client does not get ESNI keys for it, then all handshakes fall >> > > back to full handshake and session resumption will not work (as >> > > the server is required to reject the resumption)? >> > > >> > >> > It's possible I didn't word this correctly. If the client did not get >> ESNI >> > keys for the server, the client is presumably offering a non-ESNI >> session, >> > which has no resumption restrictions. The case we want to avoid is an >> ESNI >> > session being resumed at anything other than esni_accept. That's to cut >> out >> > the resumption case in {{verify-public-name}}. In particular, if we >> want to >> > tolerate partial rollouts where some servers don't support ESNI at all >> > while others don't at all, this scenario is a concern: >> >> "The server MUST NOT resume any sessions offered by the client that >> were established without ESNI.". This holds even if client sent a >> dummy ESNI value. >> > Oops, yes, that was a typo. It should have said: The server MUST NOT resume any sessions offered by the client that were established with ESNI. I'll fix that. Thanks for catching that! > > Without this case (and GREASE---see remark), we could just say servers >> MUST >> > NOT resume if they send esni_retry_request. >> >> This case the server should at least know if it has ESNI keys or not. >> >> > > Also, randomly generating the ESNI key handle does stick out, as >> > > normally the ESNI key is releatively static (DNS caching!) across >> whole >> > > group of domains and servers. >> > > >> > >> > This is true. I don't see a clear way around that one, short of taking >> the >> > record_digest parameter out and requiring the server do a public-key >> > trial-decrypt for each unexpired ESNI key. (Perhaps with key mismatch >> > tolerance, it's no longer necessary for servers to be quite so paranoid >> > about keeping all their old keys around, but the trial-decrypt still >> seems >> > poor.) >> >> Especially with asymmetric cryptography, as even the fastest ops are >> about 100kcyc at least (outside some very rare pieces of laptop >> hardware). >> >> > I think this is still worth doing, especially as it's basically free if >> you >> > want to support rollbacks. (Making GREASE work and tolerating >> ESNI-clueless >> > servers are very strongly related. GREASE requires that servers >> > more-or-less ignore ESNI on key mismatch.) You also need to either >> observe >> > multiple connections or know something about the server to do this. >> >> And then there might be fun with timing attacks. This is whole >> asymmetric operation, so timing signal should be rather large. >> > > Sorry, that was really confusing. By "this" I meant GREASE, not trial > decryption schemes. :-) >
- [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs Stephen Farrell
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Fifield
- Re: [TLS] ESNI robustness and GREASE PRs Kazuho Oku
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Fifield
- Re: [TLS] ESNI robustness and GREASE PRs - client… Viktor Dukhovni
- Re: [TLS] ESNI robustness and GREASE PRs Ilari Liusvaara
- Re: [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs Ilari Liusvaara
- Re: [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs - client… Ilari Liusvaara