1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
|
Internet Engineering Task Force (IETF) M. Thomson
Request for Comments: 9458 Mozilla
Category: Standards Track C. A. Wood
ISSN: 2070-1721 Cloudflare
January 2024
Oblivious HTTP
Abstract
This document describes Oblivious HTTP, a protocol for forwarding
encrypted HTTP messages. Oblivious HTTP allows a client to make
multiple requests to an origin server without that server being able
to link those requests to the client or to identify the requests as
having come from the same client, while placing only limited trust in
the nodes used to forward the messages.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9458.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Revised BSD License text as described in Section 4.e of the
Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents
1. Introduction
2. Overview
2.1. Applicability
2.2. Conventions and Definitions
3. Key Configuration
3.1. Key Configuration Encoding
3.2. Key Configuration Media Type
4. HPKE Encapsulation
4.1. Request Format
4.2. Response Format
4.3. Encapsulation of Requests
4.4. Encapsulation of Responses
4.5. Request and Response Media Types
4.6. Repurposing the Encapsulation Format
5. HTTP Usage
5.1. Informational Responses
5.2. Errors
5.3. Signaling Key Configuration Problems
6. Security Considerations
6.1. Client Responsibilities
6.2. Relay Responsibilities
6.2.1. Differential Treatment
6.2.2. Denial of Service
6.2.3. Traffic Analysis
6.3. Server Responsibilities
6.4. Key Management
6.5. Replay Attacks
6.5.1. Use of Date for Anti-replay
6.5.2. Correcting Clock Differences
6.6. Forward Secrecy
6.7. Post-Compromise Security
6.8. Client Clock Exposure
6.9. Media Type Security
6.10. Separate Gateway and Target
7. Privacy Considerations
8. Operational and Deployment Considerations
8.1. Performance Overhead
8.2. Resource Mappings
8.3. Network Management
9. IANA Considerations
9.1. application/ohttp-keys Media Type
9.2. message/ohttp-req Media Type
9.3. message/ohttp-res Media Type
9.4. Registration of "date" Problem Type
9.5. Registration of "ohttp-key" Problem Type
10. References
10.1. Normative References
10.2. Informative References
Appendix A. Complete Example of a Request and Response
Acknowledgments
Authors' Addresses
1. Introduction
HTTP requests reveal information about client identities to servers.
While the actual content of the request message is under the control
of the client, other information that is more difficult to control
can still be used to identify the client.
Even where an IP address is not directly associated with an
individual, the requests made from it can be correlated over time to
assemble a profile of client behavior. In particular, connection
reuse improves performance but provides servers with the ability to
link requests that share a connection.
In particular, the source IP address of the underlying connection
reveals identifying information that the client has only limited
control over. While client-configured HTTP proxies can provide a
degree of protection against IP address tracking, they present an
unfortunate trade-off: if they are used without TLS, the contents of
communication are revealed to the proxy; if they are used with TLS, a
new connection needs to be used for each request to ensure that the
origin server cannot use the connection as a way to correlate
requests, incurring significant performance overheads.
To overcome these limitations, this document defines Oblivious HTTP,
a protocol for encrypting and sending HTTP messages from a client to
a gateway. This uses a trusted relay service in a manner that
mitigates the use of metadata such as IP address and connection
information for client identification, with reasonable performance
characteristics. This document describes:
1. an algorithm for encapsulating binary HTTP messages [BINARY]
using Hybrid Public Key Encryption (HPKE) [HPKE] to protect their
contents,
2. a method for forwarding Encapsulated Requests between Clients and
an Oblivious Gateway Resource through a trusted Oblivious Relay
Resource using HTTP, and
3. requirements for how the Oblivious Gateway Resource handles
Encapsulated Requests and produces Encapsulated Responses for the
Client.
The combination of encapsulation and relaying ensures that Oblivious
Gateway Resource never sees the Client's IP address and that the
Oblivious Relay Resource never sees plaintext HTTP message content.
Oblivious HTTP allows connection reuse between the Client and
Oblivious Relay Resource, as well as between that relay and the
Oblivious Gateway Resource, so this scheme represents a performance
improvement over using just one request in each connection. With
limited trust placed in the Oblivious Relay Resource (see Section 6),
Clients are assured that requests are not uniquely attributed to them
or linked to other requests.
2. Overview
An Oblivious HTTP Client must initially know the following:
* The identity of an Oblivious Gateway Resource. This might include
some information about what Target Resources the Oblivious Gateway
Resource supports.
* The details of an HPKE public key for the Oblivious Gateway
Resource, including an identifier for that key and the HPKE
algorithms that are used with that key.
* The identity of an Oblivious Relay Resource that will accept relay
requests carrying an Encapsulated Request as its content and
forward the content in these requests to a particular Oblivious
Gateway Resource. Oblivious HTTP uses a one-to-one mapping
between Oblivious Relay and Gateway Resources; see Section 8.2 for
more details.
This information allows the Client to send HTTP requests to the
Oblivious Gateway Resource for forwarding to a Target Resource. The
Oblivious Gateway Resource does not learn the Client's IP address or
any other identifying information that might be revealed from the
Client at the transport layer, nor does the Oblivious Gateway
Resource learn which of the requests it receives are from the same
Client.
.------------------------------.
+---------+ +----------+ | +----------+ +----------+ |
| Client | | Relay | | | Gateway | | Target | |
| | | Resource | | | Resource | | Resource | |
+----+----+ +----+-----+ | +-----+----+ +----+-----+ |
| | `-------|--------------|-------'
| Relay | | |
| Request | | |
| [+ Encapsulated | | |
| Request ] | | |
+---------------->| Gateway | |
| | Request | |
| | [+ Encapsulated | |
| | Request ] | |
| +------------------->| Request |
| | +------------->|
| | | |
| | | Response |
| | Gateway |<-------------+
| | Response | |
| | [+ Encapsulated | |
| | Response ] | |
| Relay |<-------------------+ |
| Response | | |
| [+ Encapsulated | | |
| Response ] | | |
|<----------------+ | |
| | | |
Figure 1: Overview of Oblivious HTTP
In order to forward a request for a Target Resource to the Oblivious
Gateway Resource, the following steps occur, as shown in Figure 1:
1. The Client constructs an HTTP request for a Target Resource.
2. The Client encodes the HTTP request in a binary HTTP message and
then encapsulates that message using HPKE and the process from
Section 4.3.
3. The Client sends a POST request to the Oblivious Relay Resource
with the Encapsulated Request as the content of that message.
4. The Oblivious Relay Resource forwards this request to the
Oblivious Gateway Resource.
5. The Oblivious Gateway Resource receives this request and removes
the HPKE protection to obtain an HTTP request.
The Oblivious Gateway Resource then handles the HTTP request. This
typically involves making an HTTP request using the content of the
Encapsulated Request. Once the Oblivious Gateway Resource has an
HTTP response for this request, the following steps occur to return
this response to the Client:
1. The Oblivious Gateway Resource encapsulates the HTTP response
following the process in Section 4.4 and sends this in response
to the request from the Oblivious Relay Resource.
2. The Oblivious Relay Resource forwards this response to the
Client.
3. The Client removes the encapsulation to obtain the response to
the original request.
This interaction provides authentication and confidentiality
protection between the Client and the Oblivious Gateway, but
importantly not between the Client and the Target Resource. While
the Target Resource is a distinct HTTP resource from the Oblivious
Gateway Resource, they are both logically under the control of the
Oblivious Gateway, since the Oblivious Gateway Resource can
unilaterally dictate the responses returned from the Target Resource
to the Client. This arrangement is shown in Figure 1.
2.1. Applicability
Oblivious HTTP has limited applicability. Importantly, it requires
explicit support from a willing Oblivious Relay Resource and
Oblivious Gateway Resource, thereby limiting the use of Oblivious
HTTP for generic applications; see Section 6.3 for more information.
Many uses of HTTP benefit from being able to carry state between
requests, such as with cookies [COOKIES], authentication (Section 11
of [HTTP]), or even alternative services [RFC7838]. Oblivious HTTP
removes linkage at the transport layer, which is only useful for an
application that does not carry state between requests.
Oblivious HTTP is primarily useful where the privacy risks associated
with possible stateful treatment of requests are sufficiently large
that the cost of deploying this protocol can be justified. Oblivious
HTTP is simpler and less costly than more robust systems, like Prio
[PRIO] or Tor [DMS2004], which can provide stronger guarantees at
higher operational costs.
Oblivious HTTP is more costly than a direct connection to a server.
Some costs, like those involved with connection setup, can be
amortized, but there are several ways in which Oblivious HTTP is more
expensive than a direct request:
* Each request requires at least two regular HTTP requests, which
could increase latency.
* Each request is expanded in size with additional HTTP fields,
encryption-related metadata, and Authenticated Encryption with
Associated Data (AEAD) expansion.
* Deriving cryptographic keys and applying them for request and
response protection takes non-negligible computational resources.
Examples of where preventing the linking of requests might justify
these costs include:
DNS queries: DNS queries made to a recursive resolver reveal
information about the requester, particularly if linked to other
queries.
Telemetry submission: Applications that submit reports about their
usage to their developers might use Oblivious HTTP for some types
of moderately sensitive data.
These are examples of requests where there is information in a
request that -- if it were connected to the identity of the user --
might allow a server to learn something about that user even if the
identity of the user were pseudonymous. Other examples include
submitting anonymous surveys, making search queries, or requesting
location-specific content (such as retrieving tiles of a map
display).
In addition to these limitations, Section 6 describes operational
constraints that are necessary to realize the goals of the protocol.
2.2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document uses terminology from [HTTP] and defines several terms
as follows:
Client:
A Client originates Oblivious HTTP requests. A Client is also an
HTTP client in two ways: for the Target Resource and for the
Oblivious Relay Resource. However, when referring to the HTTP
definition of client (Section 3.3 of [HTTP]), the term "HTTP
client" is used; see Section 5.
Encapsulated Request:
An HTTP request that is encapsulated in an HPKE-encrypted message;
see Section 4.3.
Encapsulated Response:
An HTTP response that is encapsulated in an HPKE-encrypted
message; see Section 4.4.
Oblivious Relay Resource:
An intermediary that forwards Encapsulated Requests and Responses
between Clients and a single Oblivious Gateway Resource. In
context, this can be referred to simply as a "relay".
Oblivious Gateway Resource:
A resource that can receive an Encapsulated Request, extract the
contents of that request, forward it to a Target Resource, receive
a response, encapsulate that response, and then return the
resulting Encapsulated Response. In context, this can be referred
to simply as a "gateway".
Target Resource:
The resource that is the target of an Encapsulated Request. This
resource logically handles only regular HTTP requests and
responses, so it might be ignorant of the use of Oblivious HTTP to
reach it.
This document includes pseudocode that uses the functions and
conventions defined in [HPKE].
Encoding an integer to a sequence of bytes in network byte order is
described using the function encode(n, v), where n is the number of
bytes and v is the integer value. ASCII [ASCII] encoding of a string
s is indicated using the function encode_str(s).
Formats are described using notation from Section 1.3 of [QUIC]. An
extension to that notation expresses the number of bits in a field
using a simple mathematical function.
3. Key Configuration
A Client needs to acquire information about the key configuration of
the Oblivious Gateway Resource in order to send Encapsulated
Requests. In order to ensure that Clients do not encapsulate
messages that other entities can intercept, the key configuration
MUST be authenticated and have integrity protection.
This document does not define how that acquisition occurs. However,
in order to help facilitate interoperability, it does specify a
format for the keys. This ensures that different Client
implementations can be configured in the same way and also enables
advertising key configurations in a consistent format. This format
might be used, for example, with HTTPS, as part of a system for
configuring or discovering key configurations. However, note that
such a system needs to consider the potential for key configuration
to be used to compromise Client privacy; see Section 7.
A Client might have multiple key configurations to select from when
encapsulating a request. Clients are responsible for selecting a
preferred key configuration from those it supports. Clients need to
consider both the Key Encapsulation Method (KEM) and the combinations
of the Key Derivation Function (KDF) and AEAD in this decision.
3.1. Key Configuration Encoding
A single key configuration consists of a key identifier, a public
key, an identifier for the KEM that the public key uses, and a set of
HPKE symmetric algorithms. Each symmetric algorithm consists of an
identifier for a KDF and an identifier for an AEAD.
Figure 2 shows a single key configuration.
HPKE Symmetric Algorithms {
HPKE KDF ID (16),
HPKE AEAD ID (16),
}
Key Config {
Key Identifier (8),
HPKE KEM ID (16),
HPKE Public Key (Npk * 8),
HPKE Symmetric Algorithms Length (16) = 4..65532,
HPKE Symmetric Algorithms (32) ...,
}
Figure 2: A Single Key Configuration
That is, a key configuration consists of the following fields:
Key Identifier:
An 8-bit value that identifies the key used by the Oblivious
Gateway Resource.
HPKE KEM ID:
A 16-bit value that identifies the KEM used for the identified key
as defined in Section 7.1 of [HPKE] or the "HPKE KEM Identifiers"
registry <https://www.iana.org/assignments/hpke>.
HPKE Public Key:
The public key used by the gateway. The length of the public key
is Npk, which is determined by the choice of HPKE KEM as defined
in Section 4 of [HPKE].
HPKE Symmetric Algorithms Length:
A 16-bit integer in network byte order that encodes the length, in
bytes, of the HPKE Symmetric Algorithms field that follows.
HPKE Symmetric Algorithms:
One or more pairs of identifiers for the different combinations of
HPKE KDF and AEAD that the Oblivious Gateway Resource supports:
HPKE KDF ID:
A 16-bit HPKE KDF identifier as defined in Section 7.2 of
[HPKE] or the "HPKE KDF Identifiers" registry
<https://www.iana.org/assignments/hpke>.
HPKE AEAD ID:
A 16-bit HPKE AEAD identifier as defined in Section 7.3 of
[HPKE] or the "HPKE AEAD Identifiers" registry
<https://www.iana.org/assignments/hpke>.
3.2. Key Configuration Media Type
The "application/ohttp-keys" format is a media type that identifies a
serialized collection of key configurations. The content of this
media type comprises one or more key configuration encodings (see
Section 3.1). Each encoded configuration is prefixed with a 2-byte
integer in network byte order that indicates the length of the key
configuration in bytes. The length-prefixed encodings are
concatenated to form a list. See Section 9.1 for a definition of the
media type.
Evolution of the key configuration format is supported through the
definition of new formats that are identified by new media types.
A Client that receives an "application/ohttp-keys" object with
encoding errors might be able to recover one or more key
configurations. Differences in how key configurations are recovered
might be exploited to segregate Clients, so Clients MUST discard
incorrectly encoded key configuration collections.
4. HPKE Encapsulation
This document defines how a binary-encoded HTTP message [BINARY] is
encapsulated using HPKE [HPKE]. Separate media types are defined to
distinguish request and response messages:
* An Encapsulated Request format defined in Section 4.1 is
identified by the "message/ohttp-req" media type (Section 9.2).
* An Encapsulated Response format defined in Section 4.2 is
identified by the "message/ohttp-res" media type (Section 9.3).
Alternative encapsulations or message formats are indicated using the
media type; see Sections 4.5 and 4.6.
4.1. Request Format
A message in "message/ohttp-req" format protects a binary HTTP
request message; see Figure 3.
Request {
Binary HTTP Message (..),
}
Figure 3: Plaintext Request Structure
This plaintext Request structure is encapsulated into a message in
"message/ohttp-req" form by generating an Encapsulated Request. An
Encapsulated Request comprises a key identifier; HPKE parameters for
the chosen KEM, KDF, and AEAD; the encapsulated KEM shared secret (or
enc); and an HPKE-protected binary HTTP request message.
An Encapsulated Request is shown in Figure 4. Section 4.3 describes
the process for constructing and processing an Encapsulated Request.
Encapsulated Request {
Key Identifier (8),
HPKE KEM ID (16),
HPKE KDF ID (16),
HPKE AEAD ID (16),
Encapsulated KEM Shared Secret (8 * Nenc),
HPKE-Protected Request (..),
}
Figure 4: Encapsulated Request
That is, an Encapsulated Request comprises a Key Identifier, an HPKE
KEM ID, an HPKE KDF ID, an HPKE AEAD ID, an Encapsulated KEM Shared
Secret, and an HPKE-Protected Request. The Key Identifier, HPKE KEM
ID, HPKE KDF ID, and HPKE AEAD ID fields are defined in Section 3.1.
The Encapsulated KEM Shared Secret is the output of the Encap()
function for the KEM, which is Nenc bytes in length, as defined in
Section 4 of [HPKE].
4.2. Response Format
A message in "message/ohttp-res" format protects a binary HTTP
response message; see Figure 5.
Response {
Binary HTTP Message (..),
}
Figure 5: Plaintext Response Structure
This plaintext Response structure is encapsulated into a message in
"message/ohttp-res" form by generating an Encapsulated Response. An
Encapsulated Response comprises a nonce and the AEAD-protected binary
HTTP response message.
An Encapsulated Response is shown in Figure 6. Section 4.4 describes
the process for constructing and processing an Encapsulated Response.
Encapsulated Response {
Nonce (8 * max(Nn, Nk)),
AEAD-Protected Response (..),
}
Figure 6: Encapsulated Response
That is, an Encapsulated Response contains a Nonce and an AEAD-
Protected Response. The Nonce field is either Nn or Nk bytes long,
whichever is larger. The Nn and Nk values correspond to parameters
of the AEAD used in HPKE, which is defined in Section 7.3 of [HPKE]
or the "HPKE AEAD Identifiers" IANA registry
<https://www.iana.org/assignments/hpke>. Nn and Nk refer to the size
of the AEAD nonce and key, respectively, in bytes.
4.3. Encapsulation of Requests
Clients encapsulate a request, identified as request, using values
from a key configuration:
* the key identifier from the configuration (key_id) with the
corresponding KEM identified by kem_id,
* the public key from the configuration (pkR), and
* a combination of KDF (identified by kdf_id) and AEAD (identified
by aead_id) that the Client selects from those in the key
configuration.
The Client then constructs an Encapsulated Request, enc_request, from
a binary-encoded HTTP request [BINARY] (request) as follows:
1. Construct a message header (hdr) by concatenating the values of
key_id, kem_id, kdf_id, and aead_id as one 8-bit integer and
three 16-bit integers, respectively, each in network byte order.
2. Build a sequence of bytes (info) by concatenating the ASCII-
encoded string "message/bhttp request", a zero byte, and the
header. Note: Section 4.6 discusses how alternative message
formats might use a different info value.
3. Create a sending HPKE context by invoking SetupBaseS()
(Section 5.1.1 of [HPKE]) with the public key of the receiver pkR
and info. This yields the context sctxt and an encapsulation key
enc.
4. Encrypt request by invoking the Seal() method on sctxt
(Section 5.2 of [HPKE]) with empty associated data aad, yielding
ciphertext ct.
5. Concatenate the values of hdr, enc, and ct. This yields an
Encapsulated Request (enc_request).
Note that enc is of fixed length, so there is no ambiguity in parsing
this structure.
In pseudocode, this procedure is as follows:
hdr = concat(encode(1, key_id),
encode(2, kem_id),
encode(2, kdf_id),
encode(2, aead_id))
info = concat(encode_str("message/bhttp request"),
encode(1, 0),
hdr)
enc, sctxt = SetupBaseS(pkR, info)
ct = sctxt.Seal("", request)
enc_request = concat(hdr, enc, ct)
An Oblivious Gateway Resource decrypts an Encapsulated Request by
reversing this process. To decapsulate an Encapsulated Request,
enc_request:
1. Parse enc_request into key_id, kem_id, kdf_id, aead_id, enc, and
ct (indicated using the function parse() in pseudocode). The
Oblivious Gateway Resource is then able to find the HPKE private
key, skR, corresponding to key_id.
a. If key_id does not identify a key matching the type of
kem_id, the Oblivious Gateway Resource returns an error.
b. If kdf_id and aead_id identify a combination of KDF and AEAD
that the Oblivious Gateway Resource is unwilling to use with
skR, the Oblivious Gateway Resource returns an error.
2. Build a sequence of bytes (info) by concatenating the ASCII-
encoded string "message/bhttp request"; a zero byte; key_id as an
8-bit integer; plus kem_id, kdf_id, and aead_id as three 16-bit
integers.
3. Create a receiving HPKE context, rctxt, by invoking SetupBaseR()
(Section 5.1.1 of [HPKE]) with skR, enc, and info.
4. Decrypt ct by invoking the Open() method on rctxt (Section 5.2 of
[HPKE]), with an empty associated data aad, yielding request or
an error on failure. If decryption fails, the Oblivious Gateway
Resource returns an error.
In pseudocode, this procedure is as follows:
key_id, kem_id, kdf_id, aead_id, enc, ct = parse(enc_request)
info = concat(encode_str("message/bhttp request"),
encode(1, 0),
encode(1, key_id),
encode(2, kem_id),
encode(2, kdf_id),
encode(2, aead_id))
rctxt = SetupBaseR(enc, skR, info)
request, error = rctxt.Open("", ct)
The Oblivious Gateway Resource retains the HPKE context, rctxt, so
that it can encapsulate a response.
4.4. Encapsulation of Responses
Oblivious Gateway Resources generate an Encapsulated Response
(enc_response) from a binary-encoded HTTP response [BINARY]
(response). The Oblivious Gateway Resource uses the HPKE receiver
context (rctxt) as the HPKE context (context) as follows:
1. Export a secret (secret) from context, using the string "message/
bhttp response" as the exporter_context parameter to
context.Export; see Section 5.3 of [HPKE]. The length of this
secret is max(Nn, Nk), where Nn and Nk are the length of the AEAD
key and nonce that are associated with context. Note:
Section 4.6 discusses how alternative message formats might use a
different context value.
2. Generate a random value of length max(Nn, Nk) bytes, called
response_nonce.
3. Extract a pseudorandom key (prk) using the Extract function
provided by the KDF algorithm associated with context. The ikm
input to this function is secret; the salt input is the
concatenation of enc (from enc_request) and response_nonce.
4. Use the Expand function provided by the same KDF to create an
AEAD key, key, of length Nk -- the length of the keys used by the
AEAD associated with context. Generating aead_key uses a label
of "key".
5. Use the same Expand function to create a nonce, nonce, of length
Nn -- the length of the nonce used by the AEAD. Generating
aead_nonce uses a label of "nonce".
6. Encrypt response, passing the AEAD function Seal the values of
aead_key, aead_nonce, an empty aad, and a pt input of response.
This yields ct.
7. Concatenate response_nonce and ct, yielding an Encapsulated
Response, enc_response. Note that response_nonce is of fixed
length, so there is no ambiguity in parsing either response_nonce
or ct.
In pseudocode, this procedure is as follows:
secret = context.Export("message/bhttp response", max(Nn, Nk))
response_nonce = random(max(Nn, Nk))
salt = concat(enc, response_nonce)
prk = Extract(salt, secret)
aead_key = Expand(prk, "key", Nk)
aead_nonce = Expand(prk, "nonce", Nn)
ct = Seal(aead_key, aead_nonce, "", response)
enc_response = concat(response_nonce, ct)
Clients decrypt an Encapsulated Response by reversing this process.
That is, Clients first parse enc_response into response_nonce and ct.
Then, they follow the same process to derive values for aead_key and
aead_nonce, using their sending HPKE context, sctxt, as the HPKE
context, context.
The Client uses these values to decrypt ct using the AEAD function
Open. Decrypting might produce an error, as follows:
response, error = Open(aead_key, aead_nonce, "", ct)
4.5. Request and Response Media Types
Media types are used to identify Encapsulated Requests and Responses;
see Sections 9.2 and 9.3 for definitions of these media types.
Evolution of the format of Encapsulated Requests and Responses is
supported through the definition of new formats that are identified
by new media types. New media types might be defined to use a
similar encapsulation with a different HTTP message format than in
[BINARY]; see Section 4.6 for guidance on reusing this encapsulation
method. Alternatively, a new encapsulation method might be defined.
4.6. Repurposing the Encapsulation Format
The encrypted payload of an Oblivious HTTP request and response is a
binary HTTP message [BINARY]. The Client and Oblivious Gateway
Resource agree on this encrypted payload type by specifying the media
type "message/bhttp" in the HPKE info string and HPKE export context
string for request and response encryption, respectively.
Future specifications may repurpose the encapsulation mechanism
described in this document. This requires that the specification
define a new media type. The encapsulation process for that content
type can follow the same process, using new constant strings for the
HPKE info and exporter context inputs.
For example, a future specification might encapsulate DNS messages,
which use the "application/dns-message" media type [RFC8484]. In
creating a new, encrypted media types, specifications might define
the use of string "application/dns-message request" (plus a zero byte
and the header for the full value) for request encryption and the
string "application/dns-message response" for response encryption.
5. HTTP Usage
A Client interacts with the Oblivious Relay Resource by constructing
an Encapsulated Request. This Encapsulated Request is included as
the content of a POST request to the Oblivious Relay Resource. This
request only needs those fields necessary to carry the Encapsulated
Request: a method of POST, a target URI of the Oblivious Relay
Resource, a header field containing the content type (see
Section 9.2), and the Encapsulated Request as the request content.
In the request to the Oblivious Relay Resource, Clients MAY include
additional fields. However, additional fields MUST be independent of
the Encapsulated Request and MUST be fields that the Oblivious Relay
Resource will remove before forwarding the Encapsulated Request
towards the target, such as the Connection or Proxy-Authorization
header fields [HTTP].
The Client role in this protocol acts as an HTTP client both with
respect to the Oblivious Relay Resource and the Target Resource. The
request, which the Client makes to the Target Resource, diverges from
typical HTTP assumptions about the use of a connection (see
Section 3.3 of [HTTP]) in that the request and response are encrypted
rather than sent over a connection. The Oblivious Relay Resource and
the Oblivious Gateway Resource also act as HTTP clients toward the
Oblivious Gateway Resource and Target Resource, respectively.
In order to achieve the privacy and security goals of the protocol, a
Client also needs to observe the guidance in Section 6.1.
The Oblivious Relay Resource interacts with the Oblivious Gateway
Resource as an HTTP client by constructing a request using the same
restrictions as the Client request, except that the target URI is the
Oblivious Gateway Resource. The content of this request is copied
from the Client. An Oblivious Relay Resource MAY reject requests
that are obviously invalid, such as a request with no content. The
Oblivious Relay Resource MUST NOT add information to the request
without the Client being aware of the type of information that might
be added; see Section 6.2 for more information on relay
responsibilities.
When a response is received from the Oblivious Gateway Resource, the
Oblivious Relay Resource forwards the response according to the rules
of an HTTP proxy; see Section 7.6 of [HTTP]. In case of timeout or
error, the Oblivious Relay Resource can generate a response with an
appropriate status code.
In order to achieve the privacy and security goals of the protocol,
an Oblivious Relay Resource also needs to observe the guidance in
Section 6.2.
An Oblivious Gateway Resource acts as a gateway for requests to the
Target Resource (see Section 7.6 of [HTTP]). The one exception is
that any information it might forward in a response MUST be
encapsulated, unless it is responding to errors that do not relate to
processing the contents of the Encapsulated Request; see Section 5.2.
An Oblivious Gateway Resource, if it receives any response from the
Target Resource, sends a single 200 response containing the
Encapsulated Response. Like the request from the Client, this
response MUST only contain those fields necessary to carry the
Encapsulated Response: a 200 status code, a header field indicating
the content type, and the Encapsulated Response as the response
content. As with requests, additional fields MAY be used to convey
information that does not reveal information about the Encapsulated
Response.
An Oblivious Gateway Resource that does not receive a response can
itself generate a response with an appropriate error status code
(such as 504 (Gateway Timeout); see Section 15.6.5 of [HTTP]), which
is then encapsulated in the same way as a successful response.
In order to achieve the privacy and security goals of the protocol,
an Oblivious Gateway Resource also needs to observe the guidance in
Section 6.3.
5.1. Informational Responses
This encapsulation does not permit progressive processing of
responses. Though the binary HTTP response format does support the
inclusion of informational (1xx) status codes, the AEAD encapsulation
cannot be removed until the entire message is received.
In particular, the Expect header field with 100-continue (see
Section 10.1.1 of [HTTP]) cannot be used. Clients MUST NOT construct
a request that includes a 100-continue expectation; the Oblivious
Gateway Resource MUST generate an error if a 100-continue expectation
is received.
5.2. Errors
A server that receives an invalid message for any reason MUST
generate an HTTP response with a 4xx status code.
Errors detected by the Oblivious Relay Resource and errors detected
by the Oblivious Gateway Resource before removing protection
(including being unable to remove encapsulation for any reason)
result in the status code being sent without protection in response
to the POST request made to that resource.
Errors detected by the Oblivious Gateway Resource after successfully
removing encapsulation and errors detected by the Target Resource
MUST be sent in an Encapsulated Response. This might be because the
Encapsulated Request is malformed or the Target Resource does not
produce a response. In either case, the Oblivious Gateway Resource
can generate a response with an appropriate error status code (such
as 400 (Bad Request) or 504 (Gateway Timeout); see Sections 15.5.1
and 15.6.5 of [HTTP], respectively). This response is encapsulated
in the same way as a successful response.
Errors in the encapsulation of requests mean that responses cannot be
encapsulated. This includes cases where the key configuration is
incorrect or outdated. The Oblivious Gateway Resource can generate
and send a response with a 4xx status code to the Oblivious Relay
Resource. This response MAY be forwarded to the Client or treated by
the Oblivious Relay Resource as a failure. If a Client receives a
response that is not an Encapsulated Response, this could indicate
that the Client configuration used to construct the request is
incorrect or out of date.
5.3. Signaling Key Configuration Problems
The problem type [PROBLEM] of "https://iana.org/assignments/http-
problem-types#ohttp-key" is defined in this section. An Oblivious
Gateway Resource MAY use this problem type in a response to indicate
that an Encapsulated Request used an outdated or incorrect key
configuration.
Figure 7 shows an example response in HTTP/1.1 format.
HTTP/1.1 400 Bad Request
Date: Mon, 07 Feb 2022 00:28:05 GMT
Content-Type: application/problem+json
Content-Length: 106
{"type":"https://iana.org/assignments/http-problem-types#ohttp-key",
"title": "key identifier unknown"}
Figure 7: Example Rejection of Key Configuration
As this response cannot be encrypted, it might not reach the Client.
A Client cannot rely on the Oblivious Gateway Resource using this
problem type. A Client might also be configured to disregard
responses that are not encapsulated on the basis that they might be
subject to observation or modification by an Oblivious Relay
Resource. A Client might manage the risk of an outdated key
configuration using a heuristic approach whereby it periodically
refreshes its key configuration if it receives a response with an
error status code that has not been encapsulated.
6. Security Considerations
In this design, a Client wishes to make a request to an Oblivious
Gateway Resource that is forwarded to a Target Resource. The Client
wishes to make this request without linking that request with either
of the following:
* The identity at the network and transport layer of the Client
(that is, the Client IP address and TCP or UDP port number the
Client uses to create a connection).
* Any other request the Client might have made in the past or might
make in the future.
In order to ensure this, the Client selects a relay (that serves the
Oblivious Relay Resource) that it trusts will protect this
information by forwarding the Encapsulated Request and Response
without passing it to the server (that serves the Oblivious Gateway
Resource).
In this section, a deployment where there are three entities is
considered:
* A Client makes requests and receives responses.
* A relay operates the Oblivious Relay Resource.
* A server operates both the Oblivious Gateway Resource and the
Target Resource.
Section 6.10 discusses the security implications for a case where
different servers operate the Oblivious Gateway Resource and Target
Resource.
Requests from the Client to Oblivious Relay Resource and from
Oblivious Relay Resource to Oblivious Gateway Resource MUST use HTTPS
in order to provide unlinkability in the presence of a network
observer.
To achieve the stated privacy goals, the Oblivious Relay Resource
cannot be operated by the same entity as the Oblivious Gateway
Resource. However, colocation of the Oblivious Gateway Resource and
Target Resource simplifies the interactions between those resources
without affecting Client privacy.
As a consequence of this configuration, Oblivious HTTP prevents
linkability described above. Informally, this means:
1. Requests and responses are known only to Clients and Oblivious
Gateway Resources. In particular, the Oblivious Relay Resource
knows the origin and destination of an Encapsulated Request and
Response, yet it does not know the decrypted contents. Likewise,
Oblivious Gateway Resources learn only the Oblivious Relay
Resource and the decrypted request. No entity other than the
Client can see the plaintext request and response and can
attribute them to the Client.
2. Oblivious Gateway Resources, and therefore Target Resources,
cannot link requests from the same Client in the absence of
unique per-Client keys.
Traffic analysis that might affect these properties is outside the
scope of this document; see Section 6.2.3.
A formal analysis of Oblivious HTTP is in [OHTTP-ANALYSIS].
6.1. Client Responsibilities
Because Clients do not authenticate the Target Resource when using
Oblivious HTTP, Clients MUST have some mechanism to authorize an
Oblivious Gateway Resource for use with a Target Resource. One
possible means of authorization is an allowlist. This ensures that
Oblivious Gateway Resources are not misused to forward traffic to
arbitrary Target Resources. Section 6.3 describes similar
responsibilities that apply to Oblivious Gateway Resources.
Clients MUST ensure that the key configuration they select for
generating Encapsulated Requests is integrity protected and
authenticated so that it can be attributed to the Oblivious Gateway
Resource; see Section 3.
Since Clients connect directly to the Oblivious Relay Resource
instead of the Target Resource, application configurations wherein
Clients make policy decisions about target connections, e.g., to
apply certificate pinning, are incompatible with Oblivious HTTP. In
such cases, alternative technologies such as HTTP CONNECT
(Section 9.3.6 of [HTTP]) can be used. Applications could implement
related policies on key configurations and relay connections, though
these might not provide the same properties as policies enforced
directly on target connections. Instead, when this difference is
relevant, applications can connect directly to the target at the cost
of either privacy or performance.
Clients cannot carry connection-level state between requests as they
only establish direct connections to the relay responsible for the
Oblivious Relay Resource. However, the content of requests might be
used by a server to correlate requests. Cookies [COOKIES] are the
most obvious feature that might be used to correlate requests, but
any identity information and authentication credentials might have
the same effect. Clients also need to treat information learned from
responses with similar care when constructing subsequent requests,
which includes the identity of resources.
Clients MUST generate a new HPKE context for every request, using a
good source of entropy [RANDOM] for generating keys. Key reuse not
only risks requests being linked but also could expose request and
response contents to the relay.
The request the Client sends to the Oblivious Relay Resource only
requires minimal information; see Section 5. The request that
carries the Encapsulated Request and that is sent to the Oblivious
Relay Resource MUST NOT include identifying information unless the
Client can trust that this information is removed by the relay. A
Client MAY include information only for the Oblivious Relay Resource
in header fields identified by the Connection header field if it
trusts the relay to remove these, as required by Section 7.6.1 of
[HTTP]. The Client needs to trust that the relay does not replicate
the source addressing information in the request it forwards.
Clients rely on the Oblivious Relay Resource to forward Encapsulated
Requests and Responses. However, the relay can only refuse to
forward messages; it cannot inspect or modify the contents of
Encapsulated Requests or Responses.
6.2. Relay Responsibilities
The relay that serves the Oblivious Relay Resource has a very simple
function to perform. For each request it receives, it makes a
request of the Oblivious Gateway Resource that includes the same
content. When it receives a response, it sends a response to the
Client that includes the content of the response from the Oblivious
Gateway Resource.
When forwarding a request, the relay MUST follow the forwarding rules
in Section 7.6 of [HTTP]. A generic HTTP intermediary implementation
is suitable for the purposes of serving an Oblivious Relay Resource,
but additional care is needed to ensure that Client privacy is
maintained.
Firstly, a generic implementation will forward unknown fields. For
Oblivious HTTP, an Oblivious Relay Resource SHOULD NOT forward
unknown fields. Though Clients are not expected to include fields
that might contain identifying information, removing unknown fields
removes this privacy risk.
Secondly, generic implementations are often configured to augment
requests with information about the Client, such as the Via field or
the Forwarded field [FORWARDED]. A relay MUST NOT add information
when forwarding requests that might be used to identify Clients,
except for information that a Client is aware of; see Section 6.2.1.
Finally, a relay can also generate responses, though it is assumed to
not be able to examine the content of a request (other than to
observe the choice of key identifier, KDF, and AEAD); therefore, it
is also assumed that it cannot generate an Encapsulated Response.
6.2.1. Differential Treatment
A relay MAY add information to requests if the Client is aware of the
nature of the information that could be added. Any addition MUST NOT
include information that uniquely and permanently identifies the
Client, including any pseudonymous identifier. Information added by
the relay -- beyond what is already revealed through Encapsulated
Requests from Clients -- can reduce the size of the anonymity set of
Clients at a gateway.
A Client does not need to be aware of the exact value added for each
request but needs to know the range of possible values the relay
might use. How a Client might learn about added information is not
defined in this document.
Moreover, relays MAY apply differential treatment to Clients that
engage in abusive behavior, e.g., by sending too many requests in
comparison to other Clients, or as a response to rate limits signaled
from the gateway. Any such differential treatment can reveal
information to the gateway that would not be revealed otherwise and
therefore reduce the size of the anonymity set of Clients using a
gateway. For example, if a relay chooses to rate limit or block an
abusive Client, this means that any Client requests that are not
treated this way are known to be non-abusive by the gateway. Clients
need to consider the likelihood of such differential treatment and
the privacy risks when using a relay.
Some patterns of abuse cannot be detected without access to the
request that is made to the target. This means that only the gateway
or the target is in a position to identify abuse. A gateway MAY send
signals toward the relay to provide feedback about specific requests.
For example, a gateway could respond differently to requests it
cannot decapsulate, as mentioned in Section 5.2. A relay that acts
on this feedback could -- either inadvertently or by design -- lead
to Client deanonymization.
6.2.2. Denial of Service
As there are privacy benefits from having a large rate of requests
forwarded by the same relay (see Section 6.2.3), servers that operate
the Oblivious Gateway Resource might need an arrangement with
Oblivious Relay Resources. This arrangement might be necessary to
prevent having the large volume of requests being classified as an
attack by the server.
If a server accepts a larger volume of requests from a relay, it
needs to trust that the relay does not allow abusive levels of
request volumes from Clients. That is, if a server allows requests
from the relay to be exempt from rate limits, the server might want
to ensure that the relay applies a rate-limiting policy that is
acceptable to the server.
Servers that enter into an agreement with a relay that enables a
higher request rate might choose to authenticate the relay to enable
the higher rate.
6.2.3. Traffic Analysis
Using HTTPS protects information about which resources are the
subject of request and prevents a network observer from being able to
trivially correlate messages on either side of a relay. However,
using HTTPS does not prevent traffic analysis by such network
observers.
The time at which Encapsulated Request or Response messages are sent
can reveal information to a network observer. Though messages
exchanged between the Oblivious Relay Resource and the Oblivious
Gateway Resource might be sent in a single connection, traffic
analysis could be used to match messages that are forwarded by the
relay.
A relay could, as part of its function, delay requests before
forwarding them. Delays might increase the anonymity set into which
each request is attributed. Any delay also increases the time that a
Client waits for a response, so delays SHOULD only be added with the
consent -- or at least awareness -- of Clients.
A relay that forwards large volumes of exchanges can provide better
privacy by providing larger sets of messages that need to be matched.
Traffic analysis is not restricted to network observers. A malicious
Oblivious Relay Resource could use traffic analysis to learn
information about otherwise encrypted requests and responses relayed
between Clients and gateways. An Oblivious Relay Resource terminates
TLS connections from Clients, so they see message boundaries. This
privileged position allows for richer feature extraction from
encrypted data, which might improve traffic analysis.
Clients and Oblivious Gateway Resources can use padding to reduce the
effectiveness of traffic analysis. Padding is a capability provided
by binary HTTP messages; see Section 3.8 of [BINARY]. If the
encapsulation method described in this document is used to protect a
different message type (see Section 4.6), that message format might
need to include padding support. Oblivious Relay Resources can also
use padding for the same reason but need to operate at the HTTP layer
since they cannot manipulate binary HTTP messages; for example, see
Section 10.7 of [HTTP/2] or Section 10.7 of [HTTP/3]).
6.3. Server Responsibilities
The Oblivious Gateway Resource can be operated by a different entity
than the Target Resource. However, this means that the Client needs
to trust the Oblivious Gateway Resource not to modify requests or
responses. This analysis concerns itself with a deployment scenario
where a single server provides both the Oblivious Gateway Resource
and Target Resource.
A server that operates both Oblivious Gateway and Target Resources is
responsible for removing request encryption, generating a response to
the Encapsulated Request, and encrypting the response.
Servers should account for traffic analysis based on response size or
generation time. Techniques such as padding or timing delays can
help protect against such attacks; see Section 6.2.3.
If separate entities provide the Oblivious Gateway Resource and
Target Resource, these entities might need an arrangement similar to
that between server and relay for managing denial of service; see
Section 6.2.2. Moreover, the Oblivious Gateway Resource SHOULD have
some mechanism to ensure that the Oblivious Gateway Resource is not
misused as a relay for HTTP messages to an arbitrary Target Resource,
such as an allowlist.
Non-secure requests -- such as those with the "http" scheme as
opposed to the "https" scheme -- SHOULD NOT be used if the Oblivious
Gateway and Target Resources are not on the same origin. If messages
are forwarded between these resources without the protections
afforded by HTTPS, they could be inspected or modified by a network
attacker. Note that a request could be forwarded without protection
if the two resources share an origin.
6.4. Key Management
An Oblivious Gateway Resource needs to have a plan for replacing
keys. This might include regular replacement of keys, which can be
assigned new key identifiers. If an Oblivious Gateway Resource
receives a request that contains a key identifier that it does not
understand or that corresponds to a key that has been replaced, the
server can respond with an HTTP 422 (Unprocessable Content) status
code.
A server can also use a 422 status code if the server has a key that
corresponds to the key identifier, but the Encapsulated Request
cannot be successfully decrypted using the key.
A server MUST ensure that the HPKE keys it uses are not valid for any
other protocol that uses HPKE with the "message/bhttp request" label.
Designers of protocols that reuse this encryption format, especially
new versions of this protocol, can ensure key diversity by choosing a
different label in their use of HPKE. The "message/bhttp response"
label was chosen for symmetry only as it provides key diversity only
within the HPKE context created using the "message/bhttp request"
label; see Section 4.6.
6.5. Replay Attacks
A server is responsible for either rejecting replayed requests or
ensuring that the effect of replays does not adversely affect Clients
or resources.
Encapsulated Requests can be copied and replayed by the Oblivious
Relay Resource. The threat model for Oblivious HTTP allows the
possibility that an Oblivious Relay Resource might replay requests.
Furthermore, if a Client sends an Encapsulated Request in TLS early
data (see Section 8 of [TLS] and [RFC8470]), a network-based
adversary might be able to cause the request to be replayed. In both
cases, the effect of a replay attack and the mitigations that might
be employed are similar to TLS early data.
It is the responsibility of the application that uses Oblivious HTTP
to either reject replayed requests or ensure that replayed requests
have no adverse effect on their operation. This section describes
some approaches that are universally applicable and suggestions for
more targeted techniques.
A Client or Oblivious Relay Resource MUST NOT automatically attempt
to retry a failed request unless it receives a positive signal
indicating that the request was not processed or forwarded. The
HTTP/2 REFUSED_STREAM error code (Section 8.1.4 of [HTTP/2]), the
HTTP/3 H3_REQUEST_REJECTED error code (Section 8.1 of [HTTP/3]), or a
GOAWAY frame with a low enough identifier (in either protocol
version) are all sufficient signals that no processing occurred.
HTTP/1.1 [HTTP/1.1] provides no equivalent signal. Connection
failures or interruptions are not sufficient signals that no
processing occurred.
The anti-replay mechanisms described in Section 8 of [TLS] are
generally applicable to Oblivious HTTP requests. The encapsulated
keying material (or enc) can be used in place of a nonce to uniquely
identify a request. This value is a high-entropy value that is
freshly generated for every request, so two valid requests will have
different values with overwhelming probability.
The mechanism used in TLS for managing differences in Client and
server clocks cannot be used as it depends on being able to observe
previous interactions. Oblivious HTTP explicitly prevents such
linkability.
The considerations in [RFC8470] as they relate to managing the risk
of replay also apply, though there is no option to delay the
processing of a request.
Limiting requests to those with safe methods might not be
satisfactory for some applications, particularly those that involve
the submission of data to a server. The use of idempotent methods
might be of some use in managing replay risk, though it is important
to recognize that different idempotent requests can be combined to be
not idempotent.
Even without replay prevention, the server-chosen response_nonce
field ensures that responses have unique AEAD keys and nonces even
when requests are replayed.
6.5.1. Use of Date for Anti-replay
Clients SHOULD include a Date header field in Encapsulated Requests,
unless the Client has prior knowledge that indicates that the
Oblivious Gateway Resource does not use Date for anti-replay
purposes.
Though HTTP requests often do not include a Date header field, the
value of this field might be used by a server to limit the amount of
requests it needs to track if it needs to prevent replay attacks.
An Oblivious Gateway Resource can maintain state for requests for a
small window of time over which it wishes to accept requests. The
Oblivious Gateway Resource can store all requests it processes within
this window. Storing just the enc field of a request, which should
be unique to each request, is sufficient. The Oblivious Gateway
Resource can reject any request that is the same as one that was
previously answered within that time window or if the Date header
field from the decrypted request is outside of the current time
window.
Oblivious Gateway Resources might need to allow for the time it takes
requests to arrive from the Client, with a time window that is large
enough to allow for differences in clocks. Insufficient tolerance of
time differences could result in valid requests being unnecessarily
rejected. Beyond allowing for multiple round-trip times -- to
account for retransmission -- network delays are unlikely to be
significant in determining the size of the window, unless all
potential Clients are known to have excellent timekeeping. A
specific window size might need to be determined experimentally.
Oblivious Gateway Resources MUST NOT treat the time window as secret
information. An attacker can actively probe with different values
for the Date field to determine the time window over which the server
will accept responses.
6.5.2. Correcting Clock Differences
An Oblivious Gateway Resource can reject requests that contain a Date
value that is outside of its active window with a 400 series status
code. The problem type [PROBLEM] of "https://iana.org/assignments/
http-problem-types#date" is defined to allow the server to signal
that the Date value in the request was unacceptable.
Figure 8 shows an example response in HTTP/1.1 format.
HTTP/1.1 400 Bad Request
Date: Mon, 07 Feb 2022 00:28:05 GMT
Content-Type: application/problem+json
Content-Length: 128
{"type":"https://iana.org/assignments/http-problem-types#date",
"title": "date field in request outside of acceptable range"}
Figure 8: Example Rejection of Request Date Field
Disagreements about time are unlikely if both Client and Oblivious
Gateway Resource have a good source of time; see [NTP]. However,
clock differences are known to be commonplace; see Section 7.1 of
[CLOCKSKEW].
Including a Date header field in the response allows the Client to
correct clock errors by retrying the same request using the value of
the Date field provided by the Oblivious Gateway Resource. The value
of the Date field can be copied if the response is fresh, with an
adjustment based on the Age field otherwise; see Section 4.2 of
[HTTP-CACHING]. When retrying a request, the Client MUST create a
fresh encryption of the modified request, using a new HPKE context.
+---------+ +-------------------+ +----------+
| Client | | Relay and Gateway | | Target |
| | | Resources | | Resource |
+----+----+ +----+-----------+--+ +----+-----+
| | | |
| | | |
| Request | | |
+============================>+------------->|
| | | |
| | | 400 Response |
| | | + Date |
|<============================+<-------------+
| | | |
| Request | | |
| + Updated Date | | |
+============================>+------------->|
| | | |
Figure 9: Retrying with an Updated Date Field
Retrying immediately allows the Oblivious Gateway Resource to measure
the round-trip time to the Client. The observed delay might reveal
something about the location of the Client. Clients could delay
retries to add some uncertainty to any observed delay.
Intermediaries can sometimes rewrite the Date field when forwarding
responses. This might cause problems if the Oblivious Gateway
Resource and intermediary clocks differ by enough to cause the retry
to be rejected. Therefore, Clients MUST NOT retry a request with an
adjusted date more than once.
Oblivious Gateway Resources that condition their responses on the
Date header field SHOULD either ensure that intermediaries do not
cache responses (by including a Cache-Control directive of no-store)
or designate the response as conditional on the value of the Date
request header field (by including the token "date" in a Vary header
field).
Clients MUST NOT use the date provided by the Oblivious Gateway
Resource for any other purpose, including future requests to any
resource. Any request that uses information provided by the
Oblivious Gateway Resource might be correlated using that
information.
6.6. Forward Secrecy
This document does not provide forward secrecy for either requests or
responses during the lifetime of the key configuration. A measure of
forward secrecy can be provided by generating a new key configuration
then deleting the old keys after a suitable period.
6.7. Post-Compromise Security
This design does not provide post-compromise security for responses.
A Client only needs to retain keying material that might be used to
compromise the confidentiality and integrity of a response until that
response is consumed, so there is negligible risk associated with a
Client compromise.
A server retains a secret key that might be used to remove protection
from messages over much longer periods. A server compromise that
provided access to the Oblivious Gateway Resource secret key could
allow an attacker to recover the plaintext of all requests sent
toward affected keys and all of the responses that were generated.
Even if server keys are compromised, an adversary cannot access
messages exchanged by the Client with the Oblivious Relay Resource as
messages are protected by TLS. Use of a compromised key also
requires that the Oblivious Relay Resource cooperate with the
attacker or that the attacker is able to compromise these TLS
connections.
The total number of messages affected by server key compromise can be
limited by regular rotation of server keys.
6.8. Client Clock Exposure
Including a Date field in requests reveals some information about the
Client clock. This might be used to fingerprint Clients [UWT] or to
identify Clients that are vulnerable to attacks that depend on
incorrect clocks.
Clients can randomize the value that they provide for Date to obscure
the true value of their clock and reduce the chance of linking
requests over time. However, this increases the risk that their
request is rejected as outside the acceptable window.
6.9. Media Type Security
The key configuration media type defined in Section 3.2 represents
keying material. The content of this media type is not active (see
Section 4.6 of [RFC6838]), but it governs how a Client might interact
with an Oblivious Gateway Resource. The security implications of
processing it are described in Section 6.1; privacy implications are
described in Section 7.
The security implications of handling the message media types defined
in Section 4.5 is covered in other parts of this section in more
detail. However, these message media types are also encrypted
encapsulations of HTTP requests and responses.
HTTP messages contain content, which can use any media type. In
particular, requests are processed by an Oblivious Target Resource,
which -- as an HTTP resource -- defines how content is processed; see
Section 3.1 of [HTTP]. HTTP clients can also use resource identity
and response content to determine how content is processed.
Consequently, the security considerations of Section 17 of [HTTP]
also apply to the handling of the content of these media types.
6.10. Separate Gateway and Target
This document generally assumes that the same entity operates the
Oblivious Gateway Resource and the Target Resource. However, as the
Oblivious Gateway Resource performs generic HTTP processing, the use
of forwarding cannot be completely precluded.
The scheme specified in the Encapsulated Request determines the
security requirements for any protocol that is used between the
Oblivious Gateway and Target Resources. Using HTTPS is RECOMMENDED;
see Section 6.3.
A Target Resource that is operated on a different server from the
Oblivious Gateway Resource is an ordinary HTTP resource. A Target
Resource can privilege requests that are forwarded by a given
Oblivious Gateway Resource if it trusts the operator of the Oblivious
Gateway Resource to only forward requests that meet the expectations
of the Target Resource. Otherwise, the Target Resource treats
requests from an Oblivious Gateway Resource no differently than any
other HTTP client.
For instance, an Oblivious Gateway Resource might -- possibly with
the help of Oblivious Relay Resources -- be trusted not to forward an
excessive volume of requests. This might allow the Target Resource
to accept a greater volume of requests from that Oblivious Gateway
Resource relative to other HTTP clients.
An Oblivious Gateway Resource could implement policies that improve
the ability of the Target Resource to implement policy exemptions,
such as only forwarding requests toward specific Target Resources
according to an allowlist; see Section 6.3.
7. Privacy Considerations
One goal of this design is that independent Client requests are only
linkable by their content. However, the choice of Client
configuration might be used to correlate requests. A Client
configuration includes the Oblivious Relay Resource URI, the
Oblivious Gateway key configuration, and the Oblivious Gateway
Resource URI. A configuration is active if Clients can successfully
use it for interacting with a target.
Oblivious Relay and Gateway Resources can identify when requests use
the same configuration by matching the key identifier from the key
configuration or the Oblivious Gateway Resource URI. The Oblivious
Gateway Resource might use the source address of requests to
correlate requests that use an Oblivious Relay Resource run by the
same operator. If the Oblivious Gateway Resource is willing to use
trial decryption, requests can be further separated into smaller
groupings based on active configurations that clients use.
Each active Client configuration partitions the Client anonymity set.
In practice, it is infeasible to reduce the number of active
configurations to one. Enabling diversity in choice of Oblivious
Relay Resource naturally increases the number of active
configurations. More than one configuration might need to be active
to allow for key rotation and server maintenance.
Client privacy depends on having each configuration used by many
other Clients. It is critical to prevent the use of unique Client
configurations, which might be used to track individual Clients, but
it is also important to avoid creating small groupings of Clients
that might weaken privacy protections.
A specific method for a Client to acquire configurations is not
included in this specification. Applications using this design MUST
provide accommodations to mitigate tracking using Client
configurations. [CONSISTENCY] provides options for ensuring that
Client configurations are consistent between Clients.
The content of requests or responses, if used in forming new
requests, can be used to correlate requests. This includes obvious
methods of linking requests, like cookies [COOKIES], but it also
includes any information in either message that might affect how
subsequent requests are formulated. For example, [FIELDING]
describes how interactions that are individually stateless can be
used to build a stateful system when a Client acts on the content of
a response.
8. Operational and Deployment Considerations
This section discusses various operational and deployment
considerations.
8.1. Performance Overhead
Using Oblivious HTTP adds both cryptographic overhead and latency to
requests relative to a simple HTTP request-response exchange.
Deploying relay services that are on path between Clients and servers
avoids adding significant additional delay due to network topology.
A study of a similar system [ODOH-PETS] found that deploying proxies
close to servers was most effective in minimizing additional latency.
8.2. Resource Mappings
This protocol assumes a fixed, one-to-one mapping between the
Oblivious Relay Resource and the Oblivious Gateway Resource. This
means that any Encapsulated Request sent to the Oblivious Relay
Resource will always be forwarded to the Oblivious Gateway Resource.
This constraint was imposed to simplify relay configuration and
mitigate against the Oblivious Relay Resource being used as a generic
relay for unknown Oblivious Gateway Resources. The relay will only
forward for Oblivious Gateway Resources that it has explicitly
configured and allowed.
It is possible for a server to be configured with multiple Oblivious
Relay Resources, each for a different Oblivious Gateway Resource as
needed. If the goal is to support a large number of Oblivious
Gateway Resources, Clients might be provided with a URI template
[TEMPLATE], from which multiple Oblivious Relay Resources could be
constructed.
8.3. Network Management
Oblivious HTTP might be incompatible with network interception
regimes, such as those that rely on configuring Clients with trust
anchors and intercepting TLS connections. While TLS might be
intercepted successfully, interception middlebox devices might not
receive updates that would allow Oblivious HTTP to be correctly
identified using the media types defined in Sections 9.2 and 9.3.
Oblivious HTTP has a simple key management design that is not
trivially altered to enable interception by intermediaries. Clients
that are configured to enable interception might choose to disable
Oblivious HTTP in order to ensure that content is accessible to
middleboxes.
9. IANA Considerations
IANA has registered the following media types in the "Media Types"
registry at <https://iana.org/assignments/media-types>, following the
procedures of [RFC6838]: "application/ohttp-keys" (Section 9.1),
"message/ohttp-req" (Section 9.2), and "message/ohttp-res"
(Section 9.3).
IANA has added the following types to the "HTTP Problem Types"
registry at <https://iana.org/assignments/http-problem-types>: "date"
(Section 9.4) and "ohttp-key" (Section 9.5).
9.1. application/ohttp-keys Media Type
The "application/ohttp-keys" media type identifies a key
configuration used by Oblivious HTTP.
Type name: application
Subtype name: ohttp-keys
Required parameters: N/A
Optional parameters: N/A
Encoding considerations: "binary"
Security considerations: See Section 6.9
Interoperability considerations: N/A
Published specification: RFC 9458
Applications that use this media type: This type identifies a key
configuration as used by Oblivious HTTP and applications that use
Oblivious HTTP.
Fragment identifier considerations: N/A
Additional information:
Magic number(s): N/A
Deprecated alias names for this type: N/A
File extension(s): N/A
Macintosh file type code(s): N/A
Person and email address to contact for further information:
See Authors' Addresses section
Intended usage: COMMON
Restrictions on usage: N/A
Author: See Authors' Addresses section
Change controller: IETF
9.2. message/ohttp-req Media Type
The "message/ohttp-req" identifies an encrypted binary HTTP request.
This is a binary format that is defined in Section 4.3.
Type name: message
Subtype name: ohttp-req
Required parameters: N/A
Optional parameters: N/A
Encoding considerations: "binary"
Security considerations: See Section 6.9
Interoperability considerations: N/A
Published specification: RFC 9458
Applications that use this media type: Oblivious HTTP and
applications that use Oblivious HTTP use this media type to
identify encapsulated binary HTTP requests.
Fragment identifier considerations: N/A
Additional information:
Magic number(s): N/A
Deprecated alias names for this type: N/A
File extension(s): N/A
Macintosh file type code(s): N/A
Person and email address to contact for further information:
See Authors' Addresses section
Intended usage: COMMON
Restrictions on usage: N/A
Author: See Authors' Addresses section
Change controller: IETF
9.3. message/ohttp-res Media Type
The "message/ohttp-res" identifies an encrypted binary HTTP response.
This is a binary format that is defined in Section 4.4.
Type name: message
Subtype name: ohttp-res
Required parameters: N/A
Optional parameters: N/A
Encoding considerations: "binary"
Security considerations: See Section 6.9
Interoperability considerations: N/A
Published specification: RFC 9458
Applications that use this media type: Oblivious HTTP and
applications that use Oblivious HTTP use this media type to
identify encapsulated binary HTTP responses.
Fragment identifier considerations: N/A
Additional information:
Magic number(s): N/A
Deprecated alias names for this type: N/A
File extension(s): N/A
Macintosh file type code(s): N/A
Person and email address to contact for further information:
See Authors' Addresses section
Intended usage: COMMON
Restrictions on usage: N/A
Author: See Authors' Addresses section
Change controller: IETF
9.4. Registration of "date" Problem Type
IANA has added a new entry in the "HTTP Problem Types" registry
established by [PROBLEM].
Type URI: https://iana.org/assignments/http-problem-types#date
Title: Date Not Acceptable
Recommended HTTP Status Code: 400
Reference: Section 6.5.2 of RFC 9458
9.5. Registration of "ohttp-key" Problem Type
IANA has added a new entry in the "HTTP Problem Types" registry
established by [PROBLEM].
Type URI: https://iana.org/assignments/http-problem-types#ohttp-key
Title: Oblivious HTTP key configuration not acceptable
Recommended HTTP Status Code: 400
Reference: Section 5.3 of RFC 9458
10. References
10.1. Normative References
[ASCII] Cerf, V., "ASCII format for network interchange", STD 80,
RFC 20, DOI 10.17487/RFC0020, October 1969,
<https://www.rfc-editor.org/info/rfc20>.
[BINARY] Thomson, M. and C. A. Wood, "Binary Representation of HTTP
Messages", RFC 9292, DOI 10.17487/RFC9292, August 2022,
<https://www.rfc-editor.org/info/rfc9292>.
[HPKE] Barnes, R., Bhargavan, K., Lipp, B., and C. Wood, "Hybrid
Public Key Encryption", RFC 9180, DOI 10.17487/RFC9180,
February 2022, <https://www.rfc-editor.org/info/rfc9180>.
[HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Semantics", STD 97, RFC 9110,
DOI 10.17487/RFC9110, June 2022,
<https://www.rfc-editor.org/info/rfc9110>.
[HTTP-CACHING]
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Caching", STD 98, RFC 9111,
DOI 10.17487/RFC9111, June 2022,
<https://www.rfc-editor.org/info/rfc9111>.
[PROBLEM] Nottingham, M., Wilde, E., and S. Dalal, "Problem Details
for HTTP APIs", RFC 9457, DOI 10.17487/RFC9457, July 2023,
<https://www.rfc-editor.org/info/rfc9457>.
[QUIC] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", RFC 9000,
DOI 10.17487/RFC9000, May 2021,
<https://www.rfc-editor.org/info/rfc9000>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type
Specifications and Registration Procedures", BCP 13,
RFC 6838, DOI 10.17487/RFC6838, January 2013,
<https://www.rfc-editor.org/info/rfc6838>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8470] Thomson, M., Nottingham, M., and W. Tarreau, "Using Early
Data in HTTP", RFC 8470, DOI 10.17487/RFC8470, September
2018, <https://www.rfc-editor.org/info/rfc8470>.
[TLS] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
10.2. Informative References
[CLOCKSKEW]
Acer, M., Stark, E., Felt, A., Fahl, S., Bhargava, R.,
Dev, B., Braithwaite, M., Sleevi, R., and P. Tabriz,
"Where the Wild Warnings Are: Root Causes of Chrome HTTPS
Certificate Errors", Proceedings of the 2017 ACM SIGSAC
Conference on Computer and Communications Security,
DOI 10.1145/3133956.3134007, October 2017,
<https://doi.org/10.1145/3133956.3134007>.
[CONSISTENCY]
Davidson, A., Finkel, M., Thomson, M., and C. A. Wood,
"Key Consistency and Discovery", Work in Progress,
Internet-Draft, draft-ietf-privacypass-key-consistency-01,
10 July 2023, <https://datatracker.ietf.org/doc/html/
draft-ietf-privacypass-key-consistency-01>.
[COOKIES] Barth, A., "HTTP State Management Mechanism", RFC 6265,
DOI 10.17487/RFC6265, April 2011,
<https://www.rfc-editor.org/info/rfc6265>.
[DMS2004] Dingledine, R., Mathewson, N., and P. Syverson, "Tor: The
Second-Generation Onion Router", May 2004,
<https://svn.torproject.org/svn/projects/design-paper/tor-
design.html>.
[FIELDING] Fielding, R. T., "Architectural Styles and the Design of
Network-based Software Architectures", January 2000,
<https://www.ics.uci.edu/~fielding/pubs/dissertation/
fielding_dissertation.pdf>.
[FORWARDED]
Petersson, A. and M. Nilsson, "Forwarded HTTP Extension",
RFC 7239, DOI 10.17487/RFC7239, June 2014,
<https://www.rfc-editor.org/info/rfc7239>.
[HTTP/1.1] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP/1.1", STD 99, RFC 9112, DOI 10.17487/RFC9112,
June 2022, <https://www.rfc-editor.org/info/rfc9112>.
[HTTP/2] Thomson, M., Ed. and C. Benfield, Ed., "HTTP/2", RFC 9113,
DOI 10.17487/RFC9113, June 2022,
<https://www.rfc-editor.org/info/rfc9113>.
[HTTP/3] Bishop, M., Ed., "HTTP/3", RFC 9114, DOI 10.17487/RFC9114,
June 2022, <https://www.rfc-editor.org/info/rfc9114>.
[NTP] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
"Network Time Protocol Version 4: Protocol and Algorithms
Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010,
<https://www.rfc-editor.org/info/rfc5905>.
[ODOH] Kinnear, E., McManus, P., Pauly, T., Verma, T., and C.A.
Wood, "Oblivious DNS over HTTPS", RFC 9230,
DOI 10.17487/RFC9230, June 2022,
<https://www.rfc-editor.org/info/rfc9230>.
[ODOH-PETS]
Singanamalla, S., Chunhapanya, S., Hoyland, J., Vavruša,
M., Verma, T., Wu, P., Fayed, M., Heimerl, K., Sullivan,
N., and C. A. Wood, "Oblivious DNS over HTTPS (ODoH): A
Practical Privacy Enhancement to DNS", PoPETS Proceedings
Volume 2021, Issue 4, pp. 575-592, DOI 10.2478/popets-
2021-0085, January 2021,
<https://www.petsymposium.org/2021/files/papers/issue4/
popets-2021-0085.pdf>.
[OHTTP-ANALYSIS]
Hoyland, J., "Tamarin Model of Oblivious HTTP", commit
6824eee, October 2022,
<https://github.com/cloudflare/ohttp-analysis>.
[PRIO] Corrigan-Gibbs, H. and D. Boneh, "Prio: Private, Robust,
and Scalable Computation of Aggregate Statistics", March
2017, <https://crypto.stanford.edu/prio/paper.pdf>.
[RANDOM] Eastlake 3rd, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC 4086,
DOI 10.17487/RFC4086, June 2005,
<https://www.rfc-editor.org/info/rfc4086>.
[RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP
Alternative Services", RFC 7838, DOI 10.17487/RFC7838,
April 2016, <https://www.rfc-editor.org/info/rfc7838>.
[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
(DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
<https://www.rfc-editor.org/info/rfc8484>.
[TEMPLATE] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M.,
and D. Orchard, "URI Template", RFC 6570,
DOI 10.17487/RFC6570, March 2012,
<https://www.rfc-editor.org/info/rfc6570>.
[UWT] Nottingham, M., "Unsanctioned Web Tracking", W3C TAG
Finding, July 2015,
<https://www.w3.org/2001/tag/doc/unsanctioned-tracking/>.
[X25519] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>.
Appendix A. Complete Example of a Request and Response
A single request and response exchange is shown here. Binary values
(key configuration, secret keys, the content of messages, and
intermediate values) are shown in hexadecimal. The request and
response here are minimal; the purpose of this example is to show the
cryptographic operations. In this example, the Client is configured
with the Oblivious Relay Resource URI of
https://proxy.example.org/request.example.net/proxy, and the proxy is
configured to map requests to this URI to the Oblivious Gateway
Resource URI https://example.com/oblivious/request. The Target
Resource URI, i.e., the resource the Client ultimately wishes to
query, is https://example.com.
To begin the process, the Oblivious Gateway Resource generates a key
pair. In this example, the server chooses DHKEM(X25519, HKDF-SHA256)
and generates an X25519 key pair [X25519]. The X25519 secret key is:
3c168975674b2fa8e465970b79c8dcf09f1c741626480bd4c6162fc5b6a98e1a
The Oblivious Gateway Resource constructs a key configuration that
includes the corresponding public key as follows:
01002031e1f05a740102115220e9af918f738674aec95f54db6e04eb705aae8e
79815500080001000100010003
This key configuration is somehow obtained by the Client. Then, when
a Client wishes to send an HTTP GET request to the target
https://example.com, it constructs the following binary HTTP message:
00034745540568747470730b6578616d706c652e636f6d012f
The Client then reads the Oblivious Gateway Resource key
configuration and selects a mutually supported KDF and AEAD. In this
example, the Client selects HKDF-SHA256 and AES-128-GCM. The Client
then generates an HPKE sending context that uses the server public
key. This context is constructed from the following ephemeral secret
key:
bc51d5e930bda26589890ac7032f70ad12e4ecb37abb1b65b1256c9c48999c73
The corresponding public key is:
4b28f881333e7c164ffc499ad9796f877f4e1051ee6d31bad19dec96c208b472
The context is created with an info parameter of:
6d6573736167652f626874747020726571756573740001002000010001
Applying the Seal operation from the HPKE context produces an
encrypted message, allowing the Client to construct the following
Encapsulated Request:
010020000100014b28f881333e7c164ffc499ad9796f877f4e1051ee6d31bad1
9dec96c208b4726374e469135906992e1268c594d2a10c695d858c40a026e796
5e7d86b83dd440b2c0185204b4d63525
The Client then sends this to the Oblivious Relay Resource in a POST
request, which might look like the following HTTP/1.1 request:
POST /request.example.net/proxy HTTP/1.1
Host: proxy.example.org
Content-Type: message/ohttp-req
Content-Length: 78
<content is the Encapsulated Request above>
The Oblivious Relay Resource receives this request and forwards it to
the Oblivious Gateway Resource, which might look like:
POST /oblivious/request HTTP/1.1
Host: example.com
Content-Type: message/ohttp-req
Content-Length: 78
<content is the Encapsulated Request above>
The Oblivious Gateway Resource receives this request, selects the key
it generated previously using the key identifier from the message,
and decrypts the message. As this request is directed to the same
server, the Oblivious Gateway Resource does not need to initiate an
HTTP request to the Target Resource. The request can be served
directly by the Target Resource, which generates a minimal response
(consisting of just a 200 status code) as follows:
0140c8
The response is constructed by exporting a secret from the HPKE
context:
62d87a6ba569ee81014c2641f52bea36
The key derivation for the Encapsulated Response uses both the
encapsulated KEM key from the request and a randomly selected nonce.
This produces a salt of:
4b28f881333e7c164ffc499ad9796f877f4e1051ee6d31bad19dec96c208b472
c789e7151fcba46158ca84b04464910d
The salt and secret are both passed to the Extract function of the
selected KDF (HKDF-SHA256) to produce a pseudorandom key of:
979aaeae066cf211ab407b31ae49767f344e1501e475c84e8aff547cc5a683db
The pseudorandom key is used with the Expand function of the KDF and
an info field of "key" to produce a 16-byte key for the selected AEAD
(AES-128-GCM):
5d0172a080e428b16d298c4ea0db620d
With the same KDF and pseudorandom key, an info field of "nonce" is
used to generate a 12-byte nonce:
f6bf1aeb88d6df87007fa263
The AEAD Seal() function is then used to encrypt the response, which
is added to the randomized nonce value to produce the Encapsulated
Response:
c789e7151fcba46158ca84b04464910d86f9013e404feea014e7be4a441f234f
857fbd
The Oblivious Gateway Resource constructs a response with the same
content:
HTTP/1.1 200 OK
Date: Wed, 27 Jan 2021 04:45:07 GMT
Cache-Control: private, no-store
Content-Type: message/ohttp-res
Content-Length: 38
<content is the Encapsulated Response>
The same response might then be generated by the Oblivious Relay
Resource, which might change as little as the Date header. The
Client is then able to use the HPKE context it created and the nonce
from the Encapsulated Response to construct the AEAD key and nonce
and decrypt the response.
Acknowledgments
This design is based on a design for Oblivious DNS (queries) over
HTTPS (DoH), described in [ODOH]. David Benjamin, Mark Nottingham,
and Eric Rescorla made technical contributions. The authors also
thank Ralph Giles, Lucas Pardue, and Tommy Pauly for invaluable
assistance.
Authors' Addresses
Martin Thomson
Mozilla
Email: mt@lowentropy.net
Christopher A. Wood
Cloudflare
Email: caw@heapingbits.net
|