Re: [TLS] New Version Notification for draft-ietf-tls-esni-15.txt

Sat, 07 Jan 2023 07:46:49 -0800 

Hi,

- I cannot find anything in RFC 8446 or draft-ietf-tls-esni-15 on reuse of key 
shares but my understanding from earlier discussions in the TLS WG is that this 
is allowed as summarized in draft-ietf-tls-hybrid-design: "TLS 1.3 does not 
require that ephemeral public keys be used only in a single key exchange 
session; some implementations may reuse them"

Server reuse of key shares seem very problematic with ECH and seems to leak the 
server identity to an passive or active attacker.

  Client                         Attacker                   Server

      ClientHello
      + ech         ------>
                                                       ServerHello
                                                       + key_share
                                                   <-------
                                 (intercept)

                                ...

                                 ClientHello      ------->
                                                       ServerHello
                                                       + key_share
                                                  <-------
                                 (compare key shares)

  Figure X: Active attacker identifying server resuing key share


  Client1      Client2           Attacker                   Server

      ClientHello
      + ech         ------>
                                                       ServerHello
                                                       + key_share
                                 (intercept)

                                ...

                 ClientHello
                    ------>      (intercept SNI)
                                                       ServerHello
                                                       + key_share
                                 (compare key shares)

  Figure Y: Passive attacker identifying server resuing key share

My current understanding is that draft-ietf-tls-esni should require that the 
server MUST NOT reuse a key shares. Unless I miss something I suggest adding 
that and one or two of the above figures to the draft. An alternative solution 
would be to extend the ECH encryption to also cover ServerHello. If I 
understand ECH correctly, the ServerHello is still unencrypted.

- As a main goal of ECH is to hide the server name, I think the draft should 
explicitly mention padding of the server certificate message. Some web servers 
are using very large certificate messages. If padding is not used, they can be 
identified with a quite high probability just by looking at the size.

Cheers,
John

From: TLS <tls-boun...@ietf.org> on behalf of Christopher Wood 
<c...@heapingbits.net>
Date: Monday, 3 October 2022 at 16:12
To: TLS@ietf.org <TLS@ietf.org>
Subject: Re: [TLS] New Version Notification for draft-ietf-tls-esni-15.txt
This is mainly a keep-alive update, with some additional details summarizing 
the results from an upcoming paper to appear at ACM CCS 2022.

Best,
Chris, for the editors

On Mon, Oct 3, 2022, at 7:56 AM, internet-dra...@ietf.org wrote:
> A new version of I-D, draft-ietf-tls-esni-15.txt
> has been successfully submitted by Christopher Wood and posted to the
> IETF repository.
>
> Name:         draft-ietf-tls-esni
> Revision:     15
> Title:                TLS Encrypted Client Hello
> Document date:        2022-10-03
> Group:                tls
> Pages:                48
> URL:            
> https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-43f8a48e256f1fa7&q=1&e=665b2e5c-6b5e-43fa-8eaa-4cdc64ce6ae3&u=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-ietf-tls-esni-15.txt
> Status:         
> https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-d964cabe684fd6b8&q=1&e=665b2e5c-6b5e-43fa-8eaa-4cdc64ce6ae3&u=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-tls-esni%2F
> Html:           
> https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-bd77e6206604f594&q=1&e=665b2e5c-6b5e-43fa-8eaa-4cdc64ce6ae3&u=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-ietf-tls-esni-15.html
> Htmlized:       
> https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-9a2e632545b77f65&q=1&e=665b2e5c-6b5e-43fa-8eaa-4cdc64ce6ae3&u=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-tls-esni
> Diff:           
> https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-cb651e94574b6bd5&q=1&e=665b2e5c-6b5e-43fa-8eaa-4cdc64ce6ae3&u=https%3A%2F%2Fwww.ietf.org%2Frfcdiff%3Furl2%3Ddraft-ietf-tls-esni-15
>
> Abstract:
>    This document describes a mechanism in Transport Layer Security (TLS)
>    for encrypting a ClientHello message under a server public key.
>
> Discussion Venues
>
>    This note is to be removed before publishing as an RFC.
>
>    Source for this draft and an issue tracker can be found at
>    
> https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-e32d7d92817bd444&q=1&e=665b2e5c-6b5e-43fa-8eaa-4cdc64ce6ae3&u=https%3A%2F%2Fgithub.com%2Ftlswg%2Fdraft-ietf-tls-esni
>    
> (https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-e32d7d92817bd444&q=1&e=665b2e5c-6b5e-43fa-8eaa-4cdc64ce6ae3&u=https%3A%2F%2Fgithub.com%2Ftlswg%2Fdraft-ietf-tls-esni).
>
>
>
>
> The IETF Secretariat

_______________________________________________
TLS mailing list
TLS@ietf.org
https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-a9447d1f55e76fd1&q=1&e=665b2e5c-6b5e-43fa-8eaa-4cdc64ce6ae3&u=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Ftls

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Reply via email to