IETF Logo Mail Archive

Re: [TLS] ECH Padding

David Benjamin <davidben@chromium.org> Tue, 22 June 2021 21:59 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE9A63A1BBD for <tls@ietfa.amsl.com>; Tue, 22 Jun 2021 14:59:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.448
X-Spam-Level:
X-Spam-Status: No, score=-9.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.198, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ws1nWeqGq7P1 for <tls@ietfa.amsl.com>; Tue, 22 Jun 2021 14:59:22 -0700 (PDT)
Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9853F3A1BC1 for <tls@ietf.org>; Tue, 22 Jun 2021 14:59:22 -0700 (PDT)
Received: by mail-pj1-x1036.google.com with SMTP id s17-20020a17090a8811b029016e89654f93so2562606pjn.1 for <tls@ietf.org>; Tue, 22 Jun 2021 14:59:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4PS3zgdrD5RowbQuHCD8x/kTSfPHTZgdzct+YogN0oc=; b=gpQ4MmcfJfnmZLWXROBFEkFw/t6OmaKGjCCrmuEk05GsGFL7XEYxlKpydWrVtX+iDy uGg6HEyx49prg/EIlrpFj7Agusgmd7/cxQzpPu0gg8ljej8CI/DxFQtSm0t+Up/YuJLr g+YwdKv1szhZFpTXQTNmaugGg1osH+1XtL4+E=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4PS3zgdrD5RowbQuHCD8x/kTSfPHTZgdzct+YogN0oc=; b=Vb4a5GIxlHkjyK5OrXcD0DobkjkkHVX081NhyJNU+Q9VXqAMHHyuhd1pT1lXJpBYFg BrJid7oxBbe8Z//uhQeoxUfciEYLFWu3ZTfdNaFpZ/eFY6KIWNoJrzOhuNZnJ1kV+6b3 0z3t1AfE5z36v8WvfHzpyelmAvx1Bx7GXFiEdoT+cImyA0FkW/TfRWZG4nCeCV/vLnv4 WmbuBEd8xcLYLn20PkY4mbOG9Cc+tr+UXOESlE+tRhPZ+mUK1Kdg7J9yybcspEXQLzM9 qrZ+IqNeS2nDoKJ0nyEpZliZCY3n2p6snXa6Sanu+YB5whnPwvkPQZ/qS4AutUCrRrOR Dcyg==
X-Gm-Message-State: AOAM533jwrxOsW2rI0AXCV1r2nIJKRd1w2Md0raNqV8jkbfrsHVbzPkE cg4oT042iq8lEnMybERu3Zw6ONEFC5PcMewHo1djVgaS81/A
X-Google-Smtp-Source: ABdhPJw2xeXBMqhq5LhQlo7yDaHz4/VFGtJw4D4iSrC5596Al7vHo29ayOLELk30USWlV/XqEQahBdvBy5y7Ef5aWj0=
X-Received: by 2002:a17:90b:3646:: with SMTP id nh6mr5889059pjb.73.1624399159940; Tue, 22 Jun 2021 14:59:19 -0700 (PDT)
MIME-Version: 1.0
References: <CAG2Zi21oLUmoNLXVD7QuOOLre4XZtxJxt=2SH_ELkigdUT9m6g@mail.gmail.com> <8f249b27-7ea9-d044-fb87-e2af6b26175b@cs.tcd.ie>
In-Reply-To: <8f249b27-7ea9-d044-fb87-e2af6b26175b@cs.tcd.ie>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 22 Jun 2021 17:59:03 -0400
Message-ID: <CAF8qwaCeW3yKFpzPeWp5WWSp+kjyNthp2mbu4DnnovFL=dW4dw@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>, tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e778dd05c561e656"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wHBtF1hV58x8Bs6ghZa0dj6fPPA>
Subject: Re: [TLS] ECH Padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Jun 2021 21:59:27 -0000

I think there might be some confusion here. It probably doesn't help that
(1) and [1] are different things. :-)

(1) is a standalone change, unrelated to QUIC, [1], (2), or (3). It's about
changing how we pad the *ClientHelloInner*, which is carried in the ECH
encrypted payload. We currently use the ClientHello padding extension
(RFC7685). The PR moves it to the EncodedClientHelloInner structure. This
removes the need to carefully integrate your padding computation with the
rest of your ClientHelloInner computation, which makes whole-message
padding strategies easier but doesn't particularly help or harm QUIC.

(2) and (3) are two possible solutions for [1] and mutually exclusive,
which is about padding the *other messages*, notably the server Certificate
message, which are carried in normal TLS records. We currently use TLS 1.3
record-level padding. However, the observation in [1] is that, since QUIC
replaces the record layer, this does not work very well. I suspect DTLS,
having an unreliable transport, will also find the record-level padding
tricky. The proposed fix is to embed the padding into the handshake
somewhere. (2) and (3) are different possible spellings for this, either
using the EncryptedExtensions message (2), or by introducing a new Padding
message into the handshake flight (3).

Regarding dropping extensibility, whether or not we go with (2), we
*definitely* cannot drop the server EncryptedExtensions message! That one
is used throughout TLS! Just look for "EE" in the registry. :-P


Between (2), (3), and nothing, I would prefer (3). Doing nothing would be
problematic for QUIC deployments, and we shouldn't force servers to pick
between ECH and QUIC. (They won't pick ECH.) Either (2) or (3) would be
invisible to the record layer, so QUIC and DTLS will work without any
effort. However, unlike (2), (3) comes after the messages we would like to
pad, so you don't need to predictively size things, or generate messages in
the wrong order. In particular, ECDSA signatures are variable-length, so if
you aim to pad different key types together, (2) won't even work. (Though
doing so is an anonymity set size vs. bandwidth tradeoff, since part of the
point of ECDSA is the smaller signatures.) It also more naturally extends
to the client certificate. Finally, I think part of the original thinking
with (2) was that we'd reuse the RFC7685 mechanism, but between (1) and
compat issues on the PR, (2) cannot actually achieve that anyway.

David

On Tue, Jun 22, 2021 at 5:40 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> (1) aka #443 is the way to go here I think. (Such an aptly
> numbered PR has to be accepted I'd say:-) I'm only convinced
> of that because of QUIC, but that seems like enough or a
> rationale.
>
> I'm against (3) - it'd break too much and cost too much.
>
> WRT (2) I'd prefer to drop that extensibility rather than
> try use it because it's there.
>
> Cheers,
> S.
>
> On 22/06/2021 22:27, Christopher Patton wrote:
> > Hi all,
> >
> > One of the last design questions for Encrypted ClientHello (ECH) is to
> > decide how to pad encrypted handshake messages so that their length does
> > not leak privacy-sensitive handshake-parameters. The current approach is
> to
> > insert padding into the record layer as needed. However, the consensus
> > reached in [1] is that computing record-layer padding based on the
> contents
> > of handshake messages entails implementation complexity that is
> untenable,
> > particularly for QUIC and DTLS. The alternative that most folks are happy
> > with is to insert padding into the handshake messages themselves, as this
> > prevents details of the handshake logic from bleeding into the record
> layer
> > code.
> >
> > There are a few PRs for adding handshake-level padding that we could use
> > feedback on.
> >
> >      (1) https://github.com/tlswg/draft-ietf-tls-esni/pull/443 Adds
> padding
> > to EncodedClientHelloInner, the message that is encrypted and stuck into
> > the ECH extension of the ClientHelloOuter. This prevents leakage of
> > sensitive parameters in ClientHelloInner.
> >
> >      (2) https://github.com/tlswg/draft-ietf-tls-esni/pull/313 Defines
> a new
> > extension, which the client sends in ClientHelloInner in order to
> solicit a
> > response in the backend server's EncryptedExtensions message. The
> server''s
> > response contains padding it can use to prevent leakage of sensitive
> > parameters in its first flight of handshake messages.
> >
> >      (3) https://github.com/tlswg/draft-ietf-tls-esni/pull/457
> (alternative
> > to (2)) Defines a new handshake message, Padding, which the client and
> > backend server always send just before Finished in case of ECH
> acceptance.
> > One advantage of this approach over (2) is that the length of the padding
> > can be evaluated after the Certificate/CertificateVerify messages have
> been
> > chosen, making it possible to account for sensitive parameters in these
> > messages without needing to buffer the whole flight of messages. The
> > downside is that it may add complexity to the state machine of TLS 1.3
> > implementations.
> >
> > There are some open questions regarding how to compute the padding
> length,
> > but these should be orthogonal to deciding the mechanism.
> >
> > Thanks on behalf of (some of) the contributors,
> >
> > Chris P.
> > ____
> > [1] "Handshake-level vs record-level padding."
> > https://github.com/tlswg/draft-ietf-tls-esni/issues/264
> >
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> >
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email