On 10/22/2019 10:49 AM, Stephen Farrell wrote:
>
> On 22/10/2019 17:44, Salz, Rich wrote:
>> I think varying padding to some fixed multiple is a good trade-off.
> Me too. I'd go for multiples of 32 octets, with a SHOULD
> to add an extra block or two randomly, but anything of
> that kind should work.

Stephen, do you have some statistical analysis to back your "should work" assertion? I say that because DKG performed that analysis for the padding of DNS messages (https://dns.cmrg.net/ndss2017-dprive-empirical-DNS-traffic-size.pdf). The results were nontrivial. In particular, the analysis showed that random padding was not a good way to achieve privacy. If there is only little randomness, the attacker that observes multiple transactions can see through the randomness. If there is a lot of randomness, then the padding policy causes a lot of overhead, which made that policy less efficient than padding to fixed size blocks.

That study was the basis for the recommended encrypted DNS padding strategy in RFC 8467. I do not claim that statistics on the DNS directly inform ESNI padding strategies, but I would say that in the absence of better analysis we should heed DKG's recommendations for now -- and the recommendation of padding to 260 does that. I would of course be happy to change my opinion once we have an ESNI-specific study.

-- Christian Huitema
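
Added example, not part of the original message or of any draft: a small model of the two policies discussed in this thread, showing how an observer who sees several connections to the same name can discard a small random pad by taking the smallest length seen, while a single fixed size yields one length for every name. The uniform choice of 0 to 2 extra blocks and the hostnames are assumptions made for the illustration.

```python
import random

BLOCK = 32      # block size proposed in the quoted message
FIXED = 260     # fixed padded length mentioned in the reply
MAX_EXTRA = 2   # assumption: 0, 1 or 2 extra blocks, chosen uniformly

def pad_block(n, extra=0):
    """Length after padding n octets up to a multiple of BLOCK, plus extra blocks."""
    return -(-n // BLOCK) * BLOCK + extra * BLOCK

def pad_fixed(n):
    """Length after padding n octets to the single fixed size."""
    if n > FIXED:
        raise ValueError("name longer than the fixed padded length")
    return FIXED

def observe(n, count, rng):
    """Padded lengths an on-path observer sees for `count` connections to one name."""
    return [pad_block(n, rng.randint(0, MAX_EXTRA)) for _ in range(count)]

def recovered_bucket(observations):
    """Observer's estimate of the un-randomised bucket: the smallest length seen."""
    return min(observations)

def p_bucket_revealed(count):
    """Probability that at least one of `count` observations had zero extra blocks."""
    return 1 - (MAX_EXTRA / (MAX_EXTRA + 1)) ** count

def distinct_lengths(names, pad):
    """Number of different padded lengths a policy produces across a set of names."""
    return len({pad(len(name)) for name in names})

if __name__ == "__main__":
    rng = random.Random(2019)
    # Constructed sample names of different lengths.
    names = ["a.example", "mail.corp.example",
             "x" * 40 + ".example", "y" * 90 + ".example"]
    for name in names:
        seen = observe(len(name), 20, rng)
        print(len(name), pad_block(len(name)), recovered_bucket(seen), sorted(set(seen)))
    print("P(bucket revealed) after 1, 5, 20 observations:",
          [round(p_bucket_revealed(c), 3) for c in (1, 5, 20)])
    print("distinct lengths, 32-octet blocks:", distinct_lengths(names, pad_block))
    print("distinct lengths, fixed 260:", distinct_lengths(names, pad_fixed))
```

The model covers only the low-randomness case; it does not measure the overhead trade-off, which depends on the real distribution of name lengths.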
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls