Derive accept confirmation from the handshake secret #353

cjpatton · 2020-11-02T21:46:35Z

Originally suggested by Karthik Bhargavan, this change mitigates an active "don't stick out" attack pointed out by Christian Huitema. The attack is as follows.

Client                       Attacker             Server
CH
 +encrypted_client_hello
 +key_share (g^x)        --> CH -->               SH
                                                   +key_share (g^y)
                             SH'              <-- EE
                              +key_share (g^a)
                         <-- EE'

The attacker intercepts the client's first flow (CH) and forwards it to the
server.
The attacker intercepts the server's first flow and transforms SH and EE into
SH' and EE' respectively, as follows. SH' is just like SH except that the
key share g^y is replaced with key share g^a, where a is known to the
attacker. EE' is a malformed handshake message encrypted using a key derived
from g^xa. Finally, it sends SH'..EE' to the client.
If the client aborts with a "bad_record_mac" alert, then the attacker guesses
that real-ECH was used. Otherwise, it guesses that grease-ECH was used.

draft-ietf-tls-esni.md

ekr · 2020-11-03T20:31:42Z

I have really mixed feelings about this. On the one hand, it's kind of annoying extra complexity. OTOH, given how hard a time we have had by reasoning about the security of ECH, I think better safe than sorry.

chris-wood · 2020-11-04T01:11:41Z

@cjpatton can you please rebase this PR?

draft-ietf-tls-esni.md

chris-wood · 2020-11-04T13:38:15Z

@cjpatton this is nice -- thanks! I think the new type name for the special SH is fine, though if someone has an idea for a better name, let's consider it.

draft-ietf-tls-esni.md

This mitigates a large class of "don't stick out" attackers. It was originally suggested by Karthik Bhargavan on the mailing list. Co-authored-by: Christopher Wood <caw@heapingbits.net>

cjpatton · 2020-11-11T00:18:37Z

@ekr: I have really mixed feelings about this. On the one hand, it's kind of annoying extra complexity. OTOH, given how hard a time we have had by reasoning about the security of ECH, I think better safe than sorry.

This change is definitely more invasive than the existing signal, but not all that hard to implement. (E.g., cloudflare/go#38.)

cc/ @dmcardle, @davidben

chris-wood · 2020-11-11T01:00:57Z

Thanks, @cjpatton! @dmcardle and @kjacobs-moz, if you can also comment on the implementation difficulty, we can try and land this soon.

kjacobs-moz · 2020-11-11T19:23:51Z

This seems pretty straightforward. I don't think it would be too difficult to do in NSS.

ekr · 2020-11-17T06:39:06Z

I think on balance we should do this.

cjpatton commented Nov 3, 2020

View reviewed changes