IETF Logo Mail Archive

Re: [TLS] ESNI robustness and GREASE PRs - client tracking concerns?

David Benjamin <davidben@chromium.org> Tue, 18 December 2018 06:45 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD1801310C9 for <tls@ietfa.amsl.com>; Mon, 17 Dec 2018 22:45:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.958
X-Spam-Level:
X-Spam-Status: No, score=-10.958 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h4yi4zxMVYUY for <tls@ietfa.amsl.com>; Mon, 17 Dec 2018 22:45:35 -0800 (PST)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02B4A1310C6 for <tls@ietf.org>; Mon, 17 Dec 2018 22:45:34 -0800 (PST)
Received: by mail-qt1-x82c.google.com with SMTP id r14so17086798qtp.1 for <tls@ietf.org>; Mon, 17 Dec 2018 22:45:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pr3g+yhmhFkIt5p+jZlhrgZstEC/yX129pUvXQleVa8=; b=hRetV4pTpcJVdlSsca2jC6r5ti3f8yw5HpniXDoQN0NdQjw7ybw9ITYaSYYljnkncG C/dI4tLPY9hMb7QZN6pBDZ0o/osS5iAT/fmAhM4VMcrEDHr9vvkBaaPKd5VuumfSbSi0 B2Zowis1kDREzbeHWoOOB241V0Tx2eStNizj0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pr3g+yhmhFkIt5p+jZlhrgZstEC/yX129pUvXQleVa8=; b=Dn+1JZiQqLXZE3yMJQrJjph356ukoFm/Nb2mxPxMRHF5WxNYEpcetdXz55VOzEjZzo vAyaK2BQnL+ixboTg8ayMcgVpINGC8gSPaFUXSgbk+hjsbfOVrtAqZ1mXVDVFRhf5K8o 3/2GNIZtamCYQxRQzBG8eQMing2b4AOgpUTdzHx/zYCuggmniWc1M/Xig7FiaICLDm3g MfAQcP9te2j9iiYQGj6VbKu3TvBO0Mnb6I2g1UA0SCGAIWqg09VCgLVQ//wwaoBevff2 PY1BH/Ww57ZwJzwu4OdaTw+V2F7s55jRSpCFkSZe2nE6shbpF92oXHmnYdhjaH+NwEQf PyGg==
X-Gm-Message-State: AA+aEWb9P4akUpLoIFL2DKbCX7rfqTaYEc7iOJHm6ZYRJI1GCeSPuBPm dxn7vSZhckQRnlCA7OicSNYJFnr+eiXPVL0OzKbXq1StUA==
X-Google-Smtp-Source: AFSGD/XR1noCLkMCi2YPr8o+4AAkc+2KCZSRnKvmBSk/BmVHyecU2Ca4b+jp8383QfWCZNR6ORY6yyY8nEROpn2+/5k=
X-Received: by 2002:a0c:cdd1:: with SMTP id a17mr15526642qvn.152.1545115533865; Mon, 17 Dec 2018 22:45:33 -0800 (PST)
MIME-Version: 1.0
References: <CAF8qwaAh-eCLOR3YX3KoVWPe8=uquO+9wwbiSYpOyxvizBSeEg@mail.gmail.com> <20181218044251.bk7em26vvvcamq24@bamsoftware.com>
In-Reply-To: <20181218044251.bk7em26vvvcamq24@bamsoftware.com>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 18 Dec 2018 00:45:22 -0600
Message-ID: <CAF8qwaA0UZrKA_Vn0hLan9Tb498PKq5roXpLEq2+7dU80qjjFg@mail.gmail.com>
To: David Fifield <david@bamsoftware.com>
Cc: tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000891467057d463ebc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xBEHe1_CcYEYinZQHxWGq8vjA0Q>
Subject: Re: [TLS] ESNI robustness and GREASE PRs - client tracking concerns?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 06:45:38 -0000

Thanks for the comment! The PR did try to touch on this, but perhaps I did
a poor job of wording it:
https://github.com/tlswg/draft-ietf-tls-esni/pull/124/files#diff-4d2dc9df336bea8e17f5eb4ed7cb1107R511

The intent is you use the retry keys just for that one retry. Subsequent
connection attempts revert to the DNS-provided ones. Then the server could
correlate the initial connection and the immediately-following retry, but
that initial "connection" was discarded. It's like saying the server can
correlate the client's ClientHello and Finished. An earlier iteration even
placed the retry on the same connection, which makes the analog clearer.
(Doing it in the same connection is rather a mess, so we bounce to a new
one.)

Another possibility might be to require clients treat these like session
identifiers w.r.t. scoping and lifetime, reducing to something existing,
but that is more complex, so the simple solution seemed a better starting
point.

Does that address the concern, or have I missed something?

David

On Mon, Dec 17, 2018 at 10:45 PM David Fifield <david@bamsoftware.com>
wrote:

> On Mon, Dec 17, 2018 at 05:17:37PM -0600, David Benjamin wrote:
> > We[*] wrote up some proposed changes for draft-ietf-tls-esni that we'd
> like the
> > group's thoughts on. The goal is to make ESNI more robust and eliminate
> a bunch
> > of deployment risks. The PRs are linked below:
> >
> > https://github.com/tlswg/draft-ietf-tls-esni/pull/124
>
> Under this design, the ESNIKeys structure in DNS gains a public_name
> field, which is the name against which the client is supposed to verify
> handshake, in the event that the server cannot descript the ESNI and
> returns a esni_retry_request response. The esni_retry_request structure
> contains alternative ESNIKeys for the client to use in its next
> connection attempt.
>
> I started to think: what if the alternative ESNIKeys were a standard TLS
> extension on their own? The server could tell the client, on each
> connection, what ESNIKeys to use for its next connection. The client
> would not have to consult the DNS for ESNIKeys for any connection but
> the first, as long as the connections were frequent enough that the
> ESNIKeys didn't expire.
>
> But then I reflected: this would enable precise tracking of clients. The
> server could give different keys to every client--effectively a
> cookie--and thereby link past and future connections.
>
> I think similar tracking concerns apply to the public_name design. A TLS
> server could publish one global ESNIKeys in DNS. This one, because it is
> used by all clients, would not help tracking (within the anonymity set
> of ESNI-using clients). But the server could, whenever it receives an
> encrypted_server_name extension encrypted with the global ESNIKeys,
> pretend that it is unable to decrypt and reply with esni_retry_request
> and a unique "cookie" ESNIKeys, which that client, and no other, would
> use for future connections.
>
> A unique ESNIKeys per client may not be feasible, if the server has to
> do trial decryption using the private component of all the ESNIKeys
> cookies it has handed out. There may be a more clever way to do it than
> trial description. But anyway a server could define some budget, say,
> 256 trial decryptions per connection, and instead of a unique ESNIKeys
> per client, choose one randomly from a pool of 256. Clients would then
> be partitioned into 256 buckets for the lifetime of the ESNIKeys--which
> other tracking technique could of course refine further.
>
> I suppose something like this is possible even in the current draft as
> written, if the TLS server and DNS server collude. The DNS server could
> give different ESNIKeys to different clients, enabling not only the
> linking of a DNS request and TLS connection, but the linking of several
> TLS connections together.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email