Re: Questions about Version Negotiation Concerning Possible Handshake Interruption

[Kazuho Oku <kazuhooku@gmail.com>]

2018-02-10 17:34 GMT+09:00  <alexandre.ferrieux@orange.com>:
> On 10/02/2018 07:24, Christian Huitema wrote:
>>
>>
>>
>> On 2/9/2018 3:06 PM, Lingmo Zhu wrote:
>>>
>>>
>>>  IMHO we can see that such interference is pretty easy to be used and
>>>  it could leading to aborted QUIC connection and probably a fallback to
>>>  any old approach for higher level protocol. Even virus targeting home
>>>  routers could do that, without gov involved. For what outcome, I think
>>>  it's pretty simple: forcing higher level protocol fallback to other
>>>  transport protocol. Since QUIC has been designed much more secure than
>>>  older protocols, it could be hard to do some eavesdropping or
>>>  hijacking. But if fallback happens, it would be another story.
>>>  Considering DNS over QUIC, a virus-infected home router could
>>>  interfere with QUIC handshake cause fallback to TLS, then RST may
>>>  cause fallback to clear text, which is easy to be hijacked and leads
>>>  client to some phishing site.
>>>
>>
>> In theory, it should be possible to protect against "man on the side"
>> attacks. Do some kind of speculative execution on the first packet that
>> you receive, but also keep the context available for some time in case a
>> "better" packet comes later. With that approach, the attacker could not
>> just inject a "packet of death"; they will also need to suppress the
>> correct response from the actual server. That's an interesting idea.
>> Have you tried some experiments?
>
>
> Alternatively, what about a "no fallback" mode for sensitive applications
> like DNS ?

I agree that providing such an option would narrow the attack window.
The other option is to let the client propose multiple versions and
the server select one, as proposed in my previous mail.

But even if we do that, there's still the chance of an attacker
injecting a Handshake packet that contains a corrupt ServerHello
message. In such case, the client would fail to complete the handshake
with the server.

To evade such attacks, a client is required to create a backup of its
TLS context before handling the Handshake packet that might have been
sent from an attacker, so that it could restore the context one the
TLS handshake ends up in an error.

However, I am not sure if any of the TLS stacks provide such a feature
(personally I would be interested in adding one in picotls, though).


> _________________________________________________________________________________________________________________________
>
> Ce message et ses pieces jointes peuvent contenir des informations
> confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu
> ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages
> electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou
> falsifie. Merci.
>
> This message and its attachments may contain confidential or privileged
> information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and
> delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been
> modified, changed or falsified.
> Thank you.
>



-- 
Kazuho Oku