Re: [TLS] When/why is the RSA premaster secret version rollback check needed?
"Brian Smith" <brian@briansmith.org> Wed, 11 August 2010 06:02 UTC
From: Brian Smith <brian@briansmith.org>
To: 'Michael D'Errico' <mike-list@pobox.com>
References: <001801cb38b6$2cfd1d20$86f75760$@briansmith.org> <4C619A90.1010403@pobox.com>
In-Reply-To: <4C619A90.1010403@pobox.com>
Date: Wed, 11 Aug 2010 00:56:18 -0500
Message-ID: <000f01cb391a$d0b755c0$72260140$@briansmith.org>
Cc: tls@ietf.org
Subject: Re: [TLS] When/why is the RSA premaster secret version rollback check needed?
Michael D'Errico wrote:
> > What attack is thwarted by checking the version number in the
> > premaster secret that isn't thwarted by the Finished message hash & HMAC?
>
> I think it is a "belt and suspenders" approach to security, which is a good thing.
> It probably isn't strictly necessary. You probably realize that with DH-based
> cipher suites, the premaster secret can not include a version; thus if the version
> check was actually critical, then DH would be less secure than RSA. I haven't
> heard anybody claim that to be true.

I guess the RSA encrypted premaster secret version check (REPMSVC) does provide a mechanism for protecting version rollbacks even in the event that an enabled SSL/TLS version's finished hash is ineffective. But, the finished hash is required for cipher suite rollback prevention, secure renegotiation, defense against the Bleichenbacher/Klima attacks, defense against version rollback attacks for non-RSA key exchange methods, and probably more. The REPMSVC doesn't offer any of these protections, so it seems it is now useless.

In certain common situations, the TLS 1.2 spec's suggested defense against the Klima attack exacts a notable performance penalty. Skipping the version check completely can result in a notable savings on *every* RSA handshake, completely avoid the Klima attack, and apparently prevent interoperability problems with IE8.

It seems clear to me that the pros and cons of permanently disabling the check outweigh the potential benefits. However, I am very eager to hear arguments to the contrary, in the event I am overlooking something.

Again, feedback is greatly appreciated.

Thanks again,
Brian
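The check under discussion, as an added example that is not code from either poster: the server-side handling of the decrypted RSA premaster secret in the style RFC 5246 section 7.4.7.1 recommends (draw random bytes before decrypting, never alert on a bad version, overwrite the version field with the ClientHello's client_version so that any rollback surfaces as a Finished mismatch rather than as a distinguishable error). RSA decryption itself is replaced by a stand-in that hands the plaintext straight through, the key derivation is a constructed HMAC rather than the TLS PRF, and the function names are hypothetical; only the post-decryption logic is the point.

```python
import hashlib
import hmac
import os

# (major, minor) version tuples as they appear on the wire
TLS_1_0 = (3, 1)
TLS_1_2 = (3, 3)


def client_premaster(client_version, rng=os.urandom):
    """Client side: 48 bytes = 2-byte client_version || 46 random bytes."""
    return bytes(client_version) + rng(46)


def server_premaster(decrypted, client_hello_version, rng=os.urandom):
    """Server side, following the RFC 5246 7.4.7.1 recommended approach.

    decrypted           : the PKCS#1 v1.5 unpadded plaintext, or None if
                          unpadding failed (the stand-in for RSA decryption
                          here simply returns what the client produced).
    client_hello_version: the version the client offered in ClientHello.

    Always returns a 48-byte premaster secret. Neither a padding failure nor
    a version mismatch produces an alert at this step; both cases fall
    through to the Finished message, which is what closes the Klima oracle.
    """
    # Draw the fallback randomness before looking at the plaintext so the
    # work done does not depend on whether decryption succeeded.
    R = rng(46)
    prefix = bytes(client_hello_version)
    if decrypted is None or len(decrypted) != 48:
        return prefix + R
    # Version field is overwritten, not compared-and-rejected: if the client
    # encoded a different version, the two sides now derive different keys.
    return prefix + decrypted[2:]


def derive_key(premaster):
    """Constructed stand-in for the master-secret derivation (not the TLS PRF)."""
    return hmac.new(b"constructed master secret label", premaster,
                    hashlib.sha256).digest()


def finished_matches(version_in_premaster, client_hello_version,
                     decryption_ok=True):
    """Simulate one handshake and report whether both sides agree on keys,
    i.e. whether the Finished exchange would verify."""
    pms_client = client_premaster(version_in_premaster)
    decrypted = pms_client if decryption_ok else None
    pms_server = server_premaster(decrypted, client_hello_version)
    return derive_key(pms_client) == derive_key(pms_server)


if __name__ == "__main__":
    print("honest TLS 1.2 client   :", finished_matches(TLS_1_2, TLS_1_2))
    print("premaster says TLS 1.0  :", finished_matches(TLS_1_0, TLS_1_2))
    print("padding failure         :", finished_matches(TLS_1_2, TLS_1_2, False))
```

Run as a script, the honest handshake succeeds while both the rolled-back version field and the padding failure end in a Finished mismatch. The property worth noticing is that `server_premaster` returns 48 bytes and raises nothing in all three cases: an observer cannot tell a bad-version premaster from a bad-padding one at this stage, which is the distinguishing behaviour the Klima attack relies on and the reason the thread treats the version check and the Finished hash as overlapping rather than independent defenses.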