On 22 Mar 2020, at 16:10, Martin Thomson wrote:

> On Mon, Mar 23, 2020, at 03:54, Christopher Wood wrote:
>> I propose we remove this requirement and add an explicit signal in SH
>> that says whether or not ECHO was negotiated.
>
> Here's a spitball signaling option that might not stick out:
>
> Client sends (in the ECHO) a random value, N, with 32(?) < |N| << 128.
> And N != either of the values we reserve for signaling downgrade.
>
> Server sends that value in the ServerHello.random, in the same place
> we signal downgrade.
>
> If the client sees that value, then it proceeds with the trial
> encryption with an expectation that it will work.
We’ve discussed variants of this in the past. It’d work as a signal.
However, CH modification attacks to figure out whether a connection uses
ECHO exist. One of them, pointed out offline by David Benjamin, is to
remove all ciphersuites from the outer CH and see what happens with the
connection. Preventing this would likely require us to revisit the
binder approach, which was always complex enough to beg the question: is
the juice worth the squeeze?
Like Stephen suggests, I think working on a stealthy variant of this
later on is probably the best path forward. (I think we’re close
enough to the Tor and Pluggable Transports orbit as is.)
>> (This will require us to revisit GREASE.)
>
> I'm not following how this relates, sorry.
Sorry, it’s not the specific SH extension signal that would require
this. It’s the general question of whether or not we should drop (or
relax) this “do not stick out” requirement. As Ben pointed out,
knowledge of valid record_digest values, which we should assume is known
to the adversary given that these are public, makes this difficult with
GREASE.
Best,
Chris
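To make the spitballed N-in-ServerHello.random signal concrete, here is an added toy model of the two sides' steps; it is not code from the thread or from any TLS implementation. It assumes N is 8 bytes so it can occupy the same trailing slot of ServerHello.random that RFC 8446 uses for the downgrade sentinels, and it injects the random source so the behaviour can be checked deterministically.

```python
import secrets
from typing import Callable, Optional

# RFC 8446 section 4.1.3 downgrade sentinels: the last 8 bytes of
# ServerHello.random. N must never equal either of them, otherwise the
# client could confuse an "ECHO accepted" signal with a downgrade marker.
DOWNGRADE_TLS12 = bytes.fromhex("444f574e47524401")
DOWNGRADE_TLS11 = bytes.fromhex("444f574e47524400")
SIGNAL_LEN = 8  # assumption: N occupies the same 8-byte slot as the sentinels

RandomBytes = Callable[[int], bytes]  # injectable so tests are deterministic


def client_pick_signal(rng: RandomBytes = secrets.token_bytes) -> bytes:
    """Client side: choose the random N carried inside the ECHO extension."""
    while True:
        n = rng(SIGNAL_LEN)
        if n not in (DOWNGRADE_TLS12, DOWNGRADE_TLS11):
            return n


def server_hello_random(accepted: Optional[bytes],
                        rng: RandomBytes = secrets.token_bytes) -> bytes:
    """Server side: build the 32-byte ServerHello.random.

    If the server decrypted and accepted the ECHO it copies N into the
    trailing slot; otherwise the slot simply stays random, so an honest
    mismatch is detected with false-positive probability 2**-64.
    """
    rand = bytearray(rng(32))
    if accepted is not None:
        rand[32 - SIGNAL_LEN:] = accepted
    return bytes(rand)


def client_echo_accepted(sh_random: bytes, n: bytes) -> bool:
    """Client side: decide whether to proceed with trial decryption of the
    inner handshake. Note this only tells the client the outcome; as the
    thread points out, it does not hide ECHO use from an active CH modifier."""
    return secrets.compare_digest(sh_random[-SIGNAL_LEN:], n)


if __name__ == "__main__":
    n = client_pick_signal()
    assert client_echo_accepted(server_hello_random(n), n)
    print("signal round-trip OK")
```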
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls