Re: [TLS] Certificate compression draft
Eric Rescorla <ekr@rtfm.com> Wed, 05 April 2017 17:47 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A683129407 for <tls@ietfa.amsl.com>; Wed, 5 Apr 2017 10:47:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VXvkXM6kyoZa for <tls@ietfa.amsl.com>; Wed, 5 Apr 2017 10:47:12 -0700 (PDT)
Received: from mail-yw0-x22c.google.com (mail-yw0-x22c.google.com [IPv6:2607:f8b0:4002:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03A05128DF6 for <tls@ietf.org>; Wed, 5 Apr 2017 10:47:11 -0700 (PDT)
Received: by mail-yw0-x22c.google.com with SMTP id i203so9607027ywc.3 for <tls@ietf.org>; Wed, 05 Apr 2017 10:47:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=tCwlXkmZegbf84Xen7/eLTRptv0MEWA78JBNGFc8f5M=; b=dg8xHnbvj4r8hV1T7rh6Ja2fTLRFQJDj19T18rjuICsY7poRnuVy2gsPKXC/9NZXvl cJLxwMRCzf1P2IzdOfpK0Ew68tfSq31J34du3grZgiZmbiCUrEzQx+ZSs3wzjtYvg7Eb rCLairq2jjOV6o9JKb9nKSOMrTKodeJGY0ky/Xn3WlJa8XGVhfW2Oj04aICtXQSDXxpb YSx/eS2cezYnKJKGkQiGcLVvAiOuVR1Ecn6Bgaxw2dKrvefgGBAXPBb9I2l7dzEeYWsw POiqKjxiu5eIqBxyqJVSlqn4v7zFpmZf0OPROboRgBvoPwGS3nDeygsDPtQfNMewxiB5 KMeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=tCwlXkmZegbf84Xen7/eLTRptv0MEWA78JBNGFc8f5M=; b=E9eA2rJ09XrmMoFJ8qLhiZUmeNKduw6VEsCRrq9rJ0dr9pvChCMsfxqHMNt1y2uqaQ /B+Uo41NbTjWacyFdKWBO8/3xLVhga64YBTQCxK1V1MUJXt2JHfuaZdeB2twbjqERc9C fyrUpdEbvY2EntwQbYYjiiqs/+yusCVRRIBd0y2KHl5XbpwNVF/9ycZ6SgexZ4aB7/3B BbwsWWENP2ylwVhGm2jPewO/CyxROT3rLp5Wlr8jpFOqqzgfilEujERFXVfDE29Dq6qk 5Ou6oCEgXWiJHy5xVt6wqU04IlN83EXujVjO2vTWezdsSlzf1QIaFSPI6cdmmxXqNcqg skZQ==
X-Gm-Message-State: AFeK/H1Rsn+4XyQai0vj5vW4NJeIrlqWC8bCJsLp+cDN1NT3ntE/BBEp5TF1zS9hR52uZWpl35AH3UMseodlDA==
X-Received: by 10.129.172.23 with SMTP id k23mr20278348ywh.337.1491414430179; Wed, 05 Apr 2017 10:47:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.154.210 with HTTP; Wed, 5 Apr 2017 10:46:29 -0700 (PDT)
In-Reply-To: <CABcZeBP73rQsaWsMTX+n76ZAZJWh2Hq152h44wDO6pgXw30j2A@mail.gmail.com>
References: <1417765250.1980.1491370546230.JavaMail.open-xchange@webmail.cdac.in> <CAErg=HFM_QDXSQHir8+eViT9+H7t5G2_pLbFhGspzZ+vH6Q-Fg@mail.gmail.com> <CABcZeBMQ5wwkW2u7BToo+o86H9omL5wH7+595LXz+fjtYLa8NQ@mail.gmail.com> <b21286ab-02ae-745a-fcae-8e86d6f484e0@akamai.com> <CAF8qwaBJj1vw6aLoNCrKq_sB5NXJnmRD2bvWj1MLZD1pTRBdyA@mail.gmail.com> <CABcZeBP73rQsaWsMTX+n76ZAZJWh2Hq152h44wDO6pgXw30j2A@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 05 Apr 2017 10:46:29 -0700
Message-ID: <CABcZeBOQ+yca+74y6DA3sx+T9z9M_oBLDeVmhLs9GKdTT3bFUA@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Cc: Benjamin Kaduk <bkaduk@akamai.com>, Ryan Sleevi <ryan-ietftls@sleevi.com>, R Balaji <balaji@cdac.in>, Sankalp Bagaria <sankalp@cdac.in>, "Bagaria, Sankalp" <sankalp.nitt@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1bae0053076b054c6efbc3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WGxhUKZotL2VgwqYcKTL6jvCIg8>
Subject: Re: [TLS] Certificate compression draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Apr 2017 17:47:15 -0000
On Wed, Apr 5, 2017 at 10:45 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > > On Wed, Apr 5, 2017 at 10:15 AM, David Benjamin <davidben@chromium.org> > wrote: > >> On Wed, Apr 5, 2017 at 12:14 PM Benjamin Kaduk <bkaduk@akamai.com> wrote: >> >>> On 04/05/2017 09:21 AM, Eric Rescorla wrote: >>> >>> On Wed, Apr 5, 2017 at 7:12 AM, Ryan Sleevi <ryan-ietftls@sleevi.com> >>> wrote: >>> >>> Does cached-info not represent a privacy info-leak by disclosing past >>> sessions prior to authenticating the new session? Versus compression, which >>> limits it to the session and thus reveals no new/additional information. >>> That was certainly true for TLS1.2 >>> >>> >>> This will also be true in TLS 1.3, even with encrypted certificates >>> because (hopefully) they >>> will be a lot smaller. Though you could of course pad out to the same >>> size :) >>> >>> >>> The elephant in the room being that an attacker watching the network can >>> replay the observed ClientHello but using its own KeyShare and read the >>> resulting encrypted certificate reply. (h/t davidben) >>> >> >> (Supposing that the server is a traditional server that accepts multiple >> requests and does not select the certificate based on external factors in >> the transport or elsewhere, which means you're selecting by things not >> covered by TLS's transcript.) >> >> Also, while one could compressed pad up to uncompressed length and make >> compression useless, hiding whether your certificate was compressed is not >> a plausible goal. More plausible is hiding which certificate was selected. >> >> Without compression, your certificates still have different lengths, so >> you would need to pad up to max(certificate_message(cert) for cert in >> certs) anyway, where certs is all identities your particular server wishes >> to make indistinguishable. Maybe chunk up to a boundary beyond that if you >> want. >> >> With compression, you pad up to max(compress(certificate_message(cert) >> for cert in certs). Maybe chunk up to a boundary beyond that if you want. >> (Packet boundary for the QUIC use case?) This means you're now bound by >> your worst cert rather than your selected cert, but one could still expect >> a size win. >> >> This is, of course, all assuming your server setup is somehow such that >> the above pachyderm doesn't apply. >> > > Sorry, yes, I should have mentioned this, especially as I just made the > same point to someone > else the other day. > > I think there are two threat models here: > > 1. Active attacker > 2. Passive attacker. > > As you indicate the active attacker can elicit the server's certificate by > replaying CH > with his own KeyShare (this is part of what makes SNI encryption so hard). > Or of course, if we had an SNI encryption mechanism that tied to KeyShare. -Ekr > > For a passive attacker, as David suggests, you can hide which cert was > selected > by padding up to the largest cert (whether the cert was compressed or > not). That > may or may not be valuable depending on the scenario [for instance in > WebRTC]. > As you say, I don't think you can hide the cache hit even from a passive > attacker > because then you would need to pad up to an unreasonable amount. > > -Ekr > >
- [TLS] Certificate compression draft Victor Vasiliev
- Re: [TLS] Certificate compression draft Martin Thomson
- Re: [TLS] Certificate compression draft Victor Vasiliev
- Re: [TLS] Certificate compression draft Viktor Dukhovni
- Re: [TLS] Certificate compression draft Vlad Krasnov
- Re: [TLS] Certificate compression draft Victor Vasiliev
- Re: [TLS] Certificate compression draft Victor Vasiliev
- Re: [TLS] Certificate compression draft Martin Thomson
- Re: [TLS] Certificate compression draft Vlad Krasnov
- Re: [TLS] Certificate compression draft Ryan Sleevi
- Re: [TLS] Certificate compression draft Viktor Dukhovni
- Re: [TLS] Certificate compression draft Martin Thomson
- Re: [TLS] Certificate compression draft Hannes Tschofenig
- Re: [TLS] Certificate compression draft Rob Stradling
- Re: [TLS] Certificate compression draft Eric Rescorla
- Re: [TLS] Certificate compression draft Victor Vasiliev
- Re: [TLS] Certificate compression draft Sankalp Bagaria
- Re: [TLS] Certificate compression draft Ryan Sleevi
- Re: [TLS] Certificate compression draft Eric Rescorla
- Re: [TLS] Certificate compression draft Benjamin Kaduk
- Re: [TLS] Certificate compression draft David Benjamin
- Re: [TLS] Certificate compression draft Eric Rescorla
- Re: [TLS] Certificate compression draft Eric Rescorla
- Re: [TLS] Certificate compression draft Sankalp Bagaria