Re: [TLS] draft-ietf-tls-esni feedback

Rob Sayre <sayrer@gmail.com> Wed, 23 October 2019 02:54 UTC

Return-Path: <sayrer@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 767D312006D for <tls@ietfa.amsl.com>; Tue, 22 Oct 2019 19:54:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HasEl5XIUnvA for <tls@ietfa.amsl.com>; Tue, 22 Oct 2019 19:54:37 -0700 (PDT)
Received: from mail-il1-x12a.google.com (mail-il1-x12a.google.com [IPv6:2607:f8b0:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9072E12004C for <tls@ietf.org>; Tue, 22 Oct 2019 19:54:37 -0700 (PDT)
Received: by mail-il1-x12a.google.com with SMTP id i12so6957110ils.6 for <tls@ietf.org>; Tue, 22 Oct 2019 19:54:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SAaVNsljEuMV2o/Kj+vND8XrsD/3ijlHFN+G/NM3/JY=; b=ktAOZkYIGJoJFu5OR+6p7Ln4ZaaylYxyqQuGnb4dYK0RfnMx2a0xDfkVCeXvzV1Wv1 Gc2lQh94n4TcsRbH/I1axZMWnvZMbHvHq5UbFuhDCYIyfE1kbI8KPbtrwEUjJbxU/s/R Cuwpruf1lhGm+QX6uSTiot+rwI7uaLOXZBMpw+ZtNrKb3B3ONBKAEZoTEvP53654YAlm s6kU5WaEEM3ZKk6czfTObX4qlvlBDP2mUkb6KPvBBkYdXYwmIrAdwzRaH33hZ6eNYwE4 2QsU6TzTwf8mkPexC/tUQHSZSqqN8D6q99FVKwktvVukV+ZY/JSorsqabpEs/8sM0qol C4Tg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SAaVNsljEuMV2o/Kj+vND8XrsD/3ijlHFN+G/NM3/JY=; b=pdKJydnlEFy+1y01V8/LO+1WMKw02kb5+qa59M3s4lX2F9zEoFwEGUNDiDpIIwXrNS bpQkrC3h+7RT7NPNdytPGnNz1uGUHHbUHHpWKc1+qeV9D17htoPr5VCbpKBNeFVFtcpA IkoAwoFSkAF4tFzkJ5ife77BK4vNTIN0m/GIT/v5CfcQMcA1CEMH7MO0pYpIgaH6//Di /z8pRz4P2PLcbZHOHNYjq0y+ZHTUqatxpjO07jqGA/kA0KE+e4pLD3oTPI4/gwP43ZDX /x4js8WXuptrlAy9zGhFmAcn4TaLoGu07WldSgd5fB34Yunz1/tvlhmlrAP1CGyx/ZtS 6LYQ==
X-Gm-Message-State: APjAAAWqUsuUyBK3KoM/K6vw5Vp4qrpo/Ugi92tSbEOjFCv+wMQfnc7F KwD69Vlm2zbUoF7yKMbKOkX8v6LBoZdOVPea/2s=
X-Google-Smtp-Source: APXvYqx873ue1kiViaDtzTiWDco9i9CSRKbtwIDQlHIBKXb54RJUMTxG3wBL8P7x/RgciL8UqCu/8R5G1J0apBP+qJ0=
X-Received: by 2002:a92:db0c:: with SMTP id b12mr8053294iln.49.1571799276625; Tue, 22 Oct 2019 19:54:36 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6Sw3f7du3JYxfcWSZje1zjDzsRBQyDjob-AvzjWeZzKW7g@mail.gmail.com> <CABcZeBOnE+gyNu7GarAfO0bptoPfzQQ=VKeWLdpJBDM=E4yhzg@mail.gmail.com> <CAChr6SxWE66jPRbnBRtwNSn3L+uNFkoFBbYNOBAkKDN05qotoA@mail.gmail.com> <CABcZeBOy8ogJrmFajxX1pqjqgnE61gE=c3CWz+pp34NWHmGKbw@mail.gmail.com> <03e15760-dfce-cd7b-baea-56ac70d92192@cs.tcd.ie> <CAChr6SzmpSn3Q8tBi+Pdc+Bq7stiukbufbh-jDt+AEtrkV8XGg@mail.gmail.com> <f87c2916-d03d-2715-7b36-7b70fead8df4@cs.tcd.ie> <CAChr6SxfT0ed5J89siGX23A0G77BJQWxFRDoJ1w0v7=5O0KERw@mail.gmail.com> <8063bb12-8462-53fa-fa62-1e5abb1a652e@cs.tcd.ie> <CAHbrMsBPJqzaUSa42gGq45MfsTvCVW7t95q3feWEiSYeSN9ocw@mail.gmail.com> <333fde42-76f9-1af3-0f0f-c70914b0222e@cs.tcd.ie> <CAHbrMsA0PFwvu3hvZgXMbe2Buzq9dQHgNJJLOqtyMUzb-qpc0A@mail.gmail.com> <04a5a50a-3268-d9fb-de16-abb9224409ed@cs.tcd.ie> <CAChr6SySVXsH1J7KGDJjjB=wdxhdaCe207pLn2fGFMmDb1q82w@mail.gmail.com> <BE5E7283-6EF4-4113-ADBA-7790A5DFACD8@akamai.com> <e20daa2c-b239-11e0-87e7-beaebb80aebf@cs.tcd.ie> <975963dc-f311-b806-6860-8768f4ec1a76@cs.tcd.ie> <CAChr6SyU_ArsKi16Bj47eZWVRMJ8wekFKAzFLENkUB31fSgPKw@mail.gmail.com> <CCF5D107-76AD-4311-A931-F0FB4D393147@akamai.com>
In-Reply-To: <CCF5D107-76AD-4311-A931-F0FB4D393147@akamai.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Tue, 22 Oct 2019 19:54:25 -0700
Message-ID: <CAChr6SwM0cAH4ShJdw6WpV3rwLUPoaqB+imvv61XohLaLiS7jA@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008aa3cb05958b09d9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/u2_JI1URf7UW2RURIP6UVAHnNPI>
Subject: Re: [TLS] draft-ietf-tls-esni feedback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Oct 2019 02:54:39 -0000

On Tue, Oct 22, 2019 at 7:29 PM Salz, Rich <rsalz@akamai.com>; wrote:

>
>
>    - Low numbers might encounter all sorts of well-known cryptographic
>    problems, and varying the padding of the domain name with any granularity
>    would tend to narrow the search space for an attacker.
>
>
>
> What well-known cryptographic problems?  Varying the padding can also *
> *add** security because foo.secret.example.com could show up with two
> different sizes.
>

Hi Rich,

To be clear, I am in favor of varying padding. I want the "zeros" field to
have a prefix and I want my client to do whatever it wants with that
buffer, within the boundaries of an unsigned 16 bit integer.

I was concerned about a couple of different issues. The first is that the
search space for the plain text is actually quite restricted. For example, "
foo.example.com" might only vary by three characters vs other "example.com"
domains. So, 16-character padding boundaries might be an issue.

The other is that I worried that an attacker could use brute force to
replicate traffic, and thus determine what was requested. I couldn't come
up with a way to do this easily, but I did worry that a small search space
in the SNI text would make it easier.

And, as I wrote, I am not an expert in these matters. From what I do know,
I think padding the buffer to the maximum likely size seems like a good
idea.

thanks,
Rob