[TLS] SNI and DNS Resolver Privacy
Phillip Hallam-Baker <hallam@gmail.com> Wed, 14 May 2014 14:32 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38C5D1A00B8 for <tls@ietfa.amsl.com>; Wed, 14 May 2014 07:32:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zZzmnmNYZkX5 for <tls@ietfa.amsl.com>; Wed, 14 May 2014 07:32:29 -0700 (PDT)
Received: from mail-wi0-x233.google.com (mail-wi0-x233.google.com [IPv6:2a00:1450:400c:c05::233]) by ietfa.amsl.com (Postfix) with ESMTP id 2D18E1A02B4 for <tls@ietf.org>; Wed, 14 May 2014 07:32:26 -0700 (PDT)
Received: by mail-wi0-f179.google.com with SMTP id bs8so2511755wib.0 for <tls@ietf.org>; Wed, 14 May 2014 07:32:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=oCsBA7kqUvsrbG9vPajByG99jztd5Eo18JliXTmEGJM=; b=G+hgwTAmk2IK3Aex9a2q+SCaZFi7YItOB30VwMNr/fmVQneS6ktT1AKNbqhaxGGHGP RUD1k/F0IZpZOz7ptAbiLtZypY7GvlK3hIsmh+meTwStBHPo+YYfi1YEzF4aZDjd0xos dH0k6AU/cSIGeCFfkFOsa5qnwyLcew4fNOInoBcD9WfrLctSc9M2UPlx5IxJkAVaKfwp MV2D0+5ibieoa+4YK6A5cCFzgKzowYVDdfv3pRqAntlsZNc0aoYIcrrce9W3TTgZiIEH eaf4or+RKax3nLAyQZuml6fXtrM63Xzjg4uhZQ0oTvCrlTEAsVunf2GRZNvPYVbdQ4aX 8nrQ==
MIME-Version: 1.0
X-Received: by 10.180.108.242 with SMTP id hn18mr3842335wib.34.1400077938956; Wed, 14 May 2014 07:32:18 -0700 (PDT)
Received: by 10.194.157.9 with HTTP; Wed, 14 May 2014 07:32:18 -0700 (PDT)
Date: Wed, 14 May 2014 10:32:18 -0400
Message-ID: <CAMm+LwjymUOEFdE47kdi810yLPitTMZamj0NCzUcg-XdBc2RSg@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/mEILB9P17PRrsYhmiGL1Iv3me5Q
Subject: [TLS] SNI and DNS Resolver Privacy
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 May 2014 14:32:36 -0000
We have lots of talk about TLS and DNS leaking privacy sensitive information. These are obviously linked in that there is little point in protecting DNS if the subsequent conversation to the endpoint is en-clair. And SNI leakage is likely to undo any DNS security scheme. I have a mechanism that can protect SNI but it is predicated on a DNS privacy solution. So we solve that first and then use the solution to attack the SNI issue. In my approach to DNS privacy I am most concerned about the client-resolver link. My approach can be applied in the resolver-authoritative link but it needs to compliment other approaches such as label minimization etc. Premise 1: The DNS resolver is a trusted service. At minimum the service is trusted to protect the confidentiality of the queries it makes. In most cases the resolver is also trusted to return data to the client if it exists (and this is desirable). The degree of trust may be higher, especially if the DNS resolver is being run by the party relying on it. Premise 2: Since SNI privacy is essentially an extension of the DNS privacy concerns it is logical that a service trustworthy for one is trustworthy for the other. Conclusion: A DNS resolver is an appropriate entity to broker credentials to encrypt the TLS handshake including SNI. My Private DNS approach is built on two main building blocks. The first is a key exchange service. This is currently built on top of TLS http://tools.ietf.org/html/draft-hallambaker-wsconnect-07 The connection protocol itself isn't very important here. The important part is the output of this exchange is: * A shared secret * A set of cryptographic parameters * An opaque secret identifier which may contain the above information plus encrypted account information to allow a kerberos-style stateless server to use the token for encryption. Once we have such a token, Private-DNS is straightforward. The whole draft is only 15 pages, most of which are examples: http://tools.ietf.org/html/draft-hallambaker-privatedns-00 Now let us consider the TLS case and let us further consider a situation in which the Authoritative DNS server for the TLS server supports the Private DNS protocol and the resolver has established a ticket with that server. In this situation we have all the ingredients to deploy a full Kerberos-style solution. We might want to introduce a ticket-granting-ticket type concept but even that isn't essential unless traffic analysis is a big concern. At this point we can use the Kerberos* trust framework established in the tickets for a variety of purposes: 1) Encrypt the TLS handshake 2) Pre-empt some or all of the handshake. 3) Skip TLS entirely and just encrypt and authenticate the transport under the ticket mediated key. Call this protocol UYFM (its probably not the acronym you are thinking of) Note 1: Although we are encrypting the session, the trust context is not end-to end. There are four parties that know secrets that are sufficient to decrypt or spoof the traffic. So this would not be an alternative to TLS for online commerce or banking and it would be a lousy approach to password security. This is not going to be as robust as TLS. It is however going to be vastly superior to raw IP. This approach would be a very good one for an objective of eliminating plaintext traffic. So it would be good for the SNI and handshake part of TLS. Note 2: To apply the protocol in practice we would need to have a management protocol that allows the TLS server and DNS server to communicate. But this is a critical need in any case. Note 3: To enable the introduction of the protocol we would need to either publish the necessary data in the DNS or jack up the level of abstraction a notch as I propose in Omnibroker. * We can use Kerberos tickets but it is not necessary for any party to know the internal structure of a ticket other than the party who created the ticket except in the case of ticket granting tickets. -- Website: http://hallambaker.com/
- [TLS] SNI and DNS Resolver Privacy Phillip Hallam-Baker