
Encrypted SNI

kazuho
June 11, 2019



Transcript

  1.  Who am I
      • lead developer of
        – H2O (HTTP)
        – picotls (TLS)
        – quicly (QUIC)
      • author of
        – RFC: Early Hints for HTTP
        – draft-ietf-tls-esni ← this
        – draft-kazuho-quic-authenticated-handshake

  2.  draft-ietf-tls-esni
      • IETF TLS WG working item
      • authors
        – Eric Rescorla, ekr@rtfm.com
        – Kazuho Oku, kazuhooku@gmail.com
        – Nick Sullivan, nick@cloudflare.com
        – Christopher A. Wood, cawood@apple.com

  3.  What is SNI
      • Server Name Indication
        – part of ClientHello
        – used by the server to select
          • key algorithm
          • server certificate
      [figure: TLS handshake between Client and Server]
        plaintext:                   ClientHello (w. pubkey), ServerHello (w. pubkey)
        encrypted (unauthenticated): EncryptedExtensions, ServerCertificate, Finished, App. Data (server only)
        encrypted (authenticated):   (ClientCertificate), Finished, Application Data

  4.  Rationale
      • RFC
        – "Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible"
      • RFC
        – "The IAB urges protocol designers to design for confidential operation by default. We strongly encourage developers to include encryption in their implementations and to make them encrypted by default"

  5.  Sources of server identity leakage
      • DNS resolution
      • SNI
      • server certificate
      • server IP address
      • traffic analysis

  6.  Sources of server identity leakage
      • DNS resolution (DoT/DoH)
      • SNI ← this
      • server certificate (TLS)
      • server IP address (mass-scale multitenancy)
      • traffic analysis

  7.  History
      • draft-kazuho-protected-sni
      • draft-rescorla-tls-esni
      • draft-ietf-tls-esni
      • draft-ietf-tls-esni
      • draft-ietf-tls-esni

  8.  How it works
      [figure: client, DoH recursor, DNS authoritative server, HTTPS server]
        client → DoH recursor:   example.com A?   example.com ESNI?
                                 (the recursor resolves both against the DNS authoritative server)
        DoH recursor → client:   example.com A=192.0.2.1   example.com ESNI=pubkey
        client → HTTPS server:   ClientHello {ESNI=encrypt("example.com")}

  9.  ESNI record
      example.net IN ESNI <ESNIKeys in binary>

      struct {
          uint16 version;
          uint8 checksum[4];
          opaque public_name<1..2^16-1>;          // plaintext SNI value
          KeyShareEntry keys<4..2^16-1>;          // public keys
          CipherSuite cipher_suites<2..2^16-2>;
          uint16 padded_length;
          uint64 not_before;
          uint64 not_after;
          Extension extensions<0..2^16-1>;
      } ESNIKeys;
      (field widths as in draft-ietf-tls-esni-03)

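An added example, not code from the deck or from the draft's authors: encoding and decoding the ESNIKeys layout above in Python, with the validity window and checksum applied the way a client would before trusting the record. Field widths and the checksum rule (first four bytes of SHA-256 over the record with the checksum field zeroed) are taken from draft-ietf-tls-esni-03 as I read it; the version number, key share, cipher suite and timestamps passed in by callers are constructed sample values, not assigned codepoints.

```python
import hashlib
import struct


def _vec(buf, pos, n):
    """Read a TLS vector with an n-byte length prefix; return (body, next pos)."""
    ln = int.from_bytes(buf[pos:pos + n], "big")
    return buf[pos + n:pos + n + ln], pos + n + ln


def build_esni_keys(version, public_name, keys, suites, padded_length, nb, na):
    """Encode an ESNIKeys record (draft-03 layout, no extensions) with its checksum."""
    ks = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in keys)
    cs = b"".join(struct.pack("!H", s) for s in suites)
    rec = (struct.pack("!H", version) + b"\0\0\0\0"     # checksum zeroed for now
           + struct.pack("!H", len(public_name)) + public_name
           + struct.pack("!H", len(ks)) + ks
           + struct.pack("!H", len(cs)) + cs
           + struct.pack("!HQQ", padded_length, nb, na)
           + b"\0\0")                                   # empty extensions<>
    # draft-03 checksum rule (assumed here): first 4 bytes of SHA-256 over the
    # record computed with the checksum field set to zero.
    return rec[:2] + hashlib.sha256(rec).digest()[:4] + rec[6:]


def parse_esni_keys(rec, now):
    """Decode a record; 'usable' says whether a client may encrypt SNI with it now."""
    version = struct.unpack_from("!H", rec, 0)[0]
    public_name, pos = _vec(rec, 6, 2)
    ks, pos = _vec(rec, pos, 2)
    keys, kpos = [], 0
    while kpos < len(ks):               # KeyShareEntry: uint16 group + key_exchange<>
        kex, knext = _vec(ks, kpos + 2, 2)
        keys.append((int.from_bytes(ks[kpos:kpos + 2], "big"), kex))
        kpos = knext
    cs, pos = _vec(rec, pos, 2)
    suites = [int.from_bytes(cs[i:i + 2], "big") for i in range(0, len(cs), 2)]
    padded_length, nb, na = struct.unpack_from("!HQQ", rec, pos)
    exts, pos = _vec(rec, pos + 18, 2)
    if pos != len(rec):
        raise ValueError("trailing bytes after ESNIKeys")
    zeroed = rec[:2] + b"\0\0\0\0" + rec[6:]
    checksum_ok = hashlib.sha256(zeroed).digest()[:4] == rec[2:6]
    # The checksum only detects corruption: the record is not signed (slide 10),
    # so an unusable record means "do not rely on ESNI", not "abort".
    return {"version": version, "public_name": public_name, "keys": keys,
            "cipher_suites": suites, "padded_length": padded_length,
            "not_before": nb, "not_after": na, "extensions": exts,
            "usable": checksum_ok and nb <= now <= na}
```

A record whose checksum fails or whose not_before/not_after window does not cover the current time comes back with usable=False; a client then simply has no ESNI key for that name.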
  10.  ESNI record is not signed
      • so that it can be small
      • downside: attacker can spoof
        – but an attacker can also spoof the IP address of example.com
        • access to the address reveals the SNI
      • to rephrase, ESNI
        – improves privacy when DNS is healthy
        – does not worsen the security when under attack

  11.  Improve ESNI robustness
      • How it works
        – public name and public key in ESNI Record
        – client offers plaintext SNI (public name) and ESNI (encrypted name)
        – when server receives a corrupt ESNI, it
          • finishes the TLS handshake as "public name"
          • sends an updated ESNI key
        – client reconnects using the updated ESNI key

  12.  "Combined Record" extension
      • The issue
        – a website can use multiple CDNs
        – every CDN will have different ESNI keys
        – what happens if client obtains A record for CDN A and ESNI record for CDN B
      • public name cannot fix the issue, because public name will be different for each CDN ESNI record

  13.  The Internet is for end users
      • privacy is top-level priority
      • less "implicit signal" exposed to network
        – encrypted DNS traffic
        – encrypted SNI
        – encrypted transport (QUIC)
      • "explicit signal" requires standardization
        – QUIC spin bit