Encrypted SNI - Speaker Deck

Encrypted SNI

by kazuho

Slide 1

Slide 1 text

&ODSZQUFE4/* ,B[VIP0LV +VO

Slide 2

Slide 2 text

• MFBEEFWFMPQFSPG – )0 )551 – QJDPUMT 5-4 – RVJDMZ 26*$ • BVUIPSPG – 3'$r &BSMZ)JOUTGPS)551 – ESBGUJFUGUMTFTOJ ˡ UIJT – ESBGULB[VIPRVJDBVUIFOUJDBUFEIBOETIBLF 8IPBN*

Slide 3

Slide 3 text

• *&5'5-48(XPSLJOHJUFN • BVUIPST – &SJD3FTDPSMB FLS!SUGNDPN – ,B[VIP0LV LB[VIPPLV!HNBJMDPN – /JDL4VMMJWBO OJDL!DMPVEGMBSFDPN – $ISJTUPQIFS"8PPE DBXPPE!BQQMFDPN ESBGUJFUGUMTFTOJ

Slide 4

Slide 4 text

• 4FSWFS/BNF*OEJDBUJPO – QBSUPG$MJFOU)FMMP – VTFECZUIFTFSWFSUPTFMFDU • LFZBMHPSJUIN • TFSWFSDFSUJGJDBUF 8IBUJT4/* ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)

Slide 5

Slide 5 text

8IZFODSZQU4/*

Slide 6

Slide 6 text

• 3'$ – l1FSWBTJWFNPOJUPSJOHJTBUFDIOJDBMBUUBDL UIBUTIPVMECFNJUJHBUFEJOUIFEFTJHOPG *&5'QSPUPDPMT XIFSFQPTTJCMFz • 3'$ – l5IF*"#VSHFTQSPUPDPMEFTJHOFSTUPEFTJHO GPSDPOGJEFOUJBMPQFSBUJPOCZEFGBVMU8F TUSPOHMZFODPVSBHFEFWFMPQFSTUPJODMVEF FODSZQUJPOJOUIFJSJNQMFNFOUBUJPOTBOEUP NBLFUIFNFODSZQUFECZEFGBVMUz 3BUJPOBMF

Slide 7

Slide 7 text

• %/4SFTPMVUJPO • 4/* • TFSWFSDFSUJGJDBUF • TFSWFS*1BEESFTT • USBGGJDBOBMZTJT 4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF

Slide 8

Slide 8 text

• %/4SFTPMVUJPO %P5%P) • 4/* ˡ UIJT • TFSWFSDFSUJGJDBUF 5-4 • TFSWFS*1BEESFTT NBTTTDBMFNVMUJUFOBODZ • USBGGJDBOBMZTJT 4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF

Slide 9

Slide 9 text

ESBGUJFUGUMTFTOJ

Slide 10

Slide 10 text

• r ESBGULB[VIPQSPUFDUFETOJ • r ESBGUSFTDPSMBUMTFTOJ • r ESBGUJFUGUMTFTOJ • r ESBGUJFUGUMTFTOJ • r ESBGUJFUGUMTFTOJ )JTUPSZ

Slide 11

Slide 11 text

• VTF%/4UPEJTUSJCVUFQVCMJDLFZ • UIBUJTVTFEGPSFODSZQUJOHUIF4/* ,FZJEFB

Slide 12

Slide 12 text

)PXJUXPSLT example.com A? example.com ESNI? example.com A=192.0.2.1 example.com ESNI=pubkey ClientHello {ESNI=encrypt("example.com")} DoH recursor HTTPS server DNS authoritative server

Slide 13

Slide 13 text

TUSVDU\ VJOU WFSTJPO VJOU DIFDLTVN<> PQBRVF QVCMJD@OBNF? QMBJOUFYU4/*WBMVF ,FZ4IBSF&OUSZ LFZT? QVCMJDLFZT $JQIFS4VJUF DJQIFS@TVJUFT? VJOU QBEEFE@MFOHUI VJOU OPU@CFGPSF VJOU OPU@BGUFS &YUFOTJPO FYUFOTJPOT? ^&4/*,FZT FYBNQFOFU*/&4/*FTOJLFZT JOCJOBSZ &4/*SFDPSE

Slide 14

Slide 14 text

• TPUIBUJUDBOCFTNBMM • EPXOTJEFBUUBDLFSDBOTQPPG – CVUBOBUUBDLFSDBOBMTPTQPPGUIF*1 BEESFTTPGFYBNQMFDPN • BDDFTTUPUIFBEESFTTSFWFBMTUIF4/* • UPSFQISBTF &4/* – JNQSPWFTQSJWBDZXIFO%/4JTIFBMUIZ – EPFTOPUXPSTFOUIFTFDVSJUZXIFOVOEFS BUUBDL &4/*SFDPSEJTOPUTJHOFE

Slide 15

Slide 15 text

• #PSJOH44- • $MPVEGMBSF • .P[JMMB'JSFGPY • QJDPUMT *NQMFNFOUFECZ

Slide 16

Slide 16 text

3FDFOUMZBEEFEGFBUVSFT

Slide 17

Slide 17 text

• 8IBUIBQQFOTXIFOUIF&4/*LFZ EJTUSJCVUFEVTJOH%/4BOEUIFLFZPO UIFTFSWFSCFDPNFTPVUPGTZOD • 3FDPWFSZJTCFUUFSUIBOIBSEGBJM – MFUUIFTFSWFSSFQMBDFUIF&4/*LFZVTFECZ UIFDMJFOU *NQSPWF&4/*SPCVTUOFTT

Slide 18

Slide 18 text

• )PXJUXPSLT – QVCMJDOBNFBOEQVCMJDLFZJO&4/*3FDPSE – DMJFOUPGGFSTQMBJOUFYU4/* QVCMJDOBNF BOE&4/* FODSZQUFEOBNF – XIFOTFSWFSSFDFJWFTBDPSSVQU&4/* JU • GJOJTIFTUIF5-4IBOETIBLFBTlQVCMJDOBNFz • TFOETBOVQEBUFE&4/*LFZ – DMJFOUSFDPOOFDUTVTJOHUIFVQEBUFE&4/* LFZ *NQSPWF&4/*SPCVTUOFTT

Slide 19

Slide 19 text

• 5IFJTTVF – BXFCTJUFDBOVTFNVMUJQMF$%/T – FWFSZ$%/XJMMIBWFEJGGFSFOU&4/*LFZT – XIBUIBQQFOTJGDMJFOUPCUBJOT"SFDPSEGPS $%/" BOE&4/*SFDPSEGPS$%/# • QVCMJDOBNFDBOOPUGJYUIFJTTVF CFDBVTFQVCMJD OBNFXJMMCFEJGGFSFOUGPSFBDI$%/&4/* SFDPSE l$PNCJOFE3FDPSEzFYUFOTJPO

Slide 20

Slide 20 text

• 4PMVUJPO – DSFBUFBGBUSFDPSE DPOUBJOJOHCPUI&4/* LFZTBOE *1BEESFTTFT l$PNCJOFE3FDPSEzFYUFOTJPO

Slide 21

Slide 21 text

5IF*OUFSOFUJTGPSFOEVTFST

Slide 22

Slide 22 text

• QSJWBDZJTUPQMFWFMQSJPSJUZ • MFTTlJNQMJDJUTJHOBMzFYQPTFEUPOFUXPSL – FODSZQUFE%/4USBGGJD – FODSZQUFE4/* – FODSZQUFEUSBOTQPSU 26*$ • lFYQMJDJUTJHOBMzSFRVJSFTTUBOEBSEJ[BUJPO – 26*$TQJOCJU 5IF*OUFSOFUJTGPSFOEVTFST

Slide 23

Slide 23 text

• 3'$ • 3'$ • ESBGUJFUGUMT • ESBGUOPUUJOHIBNGPSUIFVTFST 3FGFSFODFT