IETF Logo Mail Archive

Re: [TLS] RC4 deprecation path (Re: Deprecating more (DSA?))

Yoav Nir <ynir.ietf@gmail.com> Sat, 19 April 2014 19:28 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DBBE1A008D for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 12:28:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ShyAgRGe3IQ for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 12:28:38 -0700 (PDT)
Received: from mail-ee0-x22c.google.com (mail-ee0-x22c.google.com [IPv6:2a00:1450:4013:c00::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 497381A0078 for <tls@ietf.org>; Sat, 19 Apr 2014 12:28:38 -0700 (PDT)
Received: by mail-ee0-f44.google.com with SMTP id e49so2557718eek.17 for <tls@ietf.org>; Sat, 19 Apr 2014 12:28:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=ytCaXUulmUnV/DvLpRmPVLQlkDuJOYCdtesnx04QU60=; b=QlH53zQVQW9UhzoE6zq4pVil3dYo2mLL6vF6zi9lpaSGhVquT6C18CQHmQvibfwz+s 4xk9Wk/CfPUBB3cECWBm1F76QBUpwstWI4AqfqXkZKdOrv3Wyt1XqXOp7BC6chvtosF7 X33/2+VXO+5Upv7MKe/b9EoivYbKj26WcX+nKFsMjso/W9BXvnKv7gvKXDKafu8pcaTP hOSDcS2zJKWFAPHi2LTzjwMN1m7BpbD93hMMBjKv5GyYaHWnLwjbPlEs5c3yzPv3QwQy REZqvGjY+AYl6ETejLL3d25RRtRlUxOpSxiUJViSJrU8R0KzQgG0PyPAXJTJsothZywU 6DOg==
X-Received: by 10.15.36.136 with SMTP id i8mr238435eev.113.1397935713460; Sat, 19 Apr 2014 12:28:33 -0700 (PDT)
Received: from [192.168.1.102] (bzq-84-109-50-18.red.bezeqint.net. [84.109.50.18]) by mx.google.com with ESMTPSA id h47sm88091514eey.13.2014.04.19.12.28.27 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 19 Apr 2014 12:28:33 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_E6E26ABC-713F-4C14-940D-AACA297FE379"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <20140419175352.GA9090@roeckx.be>
Date: Sat, 19 Apr 2014 22:28:19 +0300
Message-Id: <238BBDD5-DDE5-4627-AF4D-BC57DC0E61D7@gmail.com>
References: <CACsn0cnZFScA1WnitpHH--6_Kd0spfLQvmvniyCSnUmvr8xVhg@mail.gmail.com> <20140419131019.GA29561@roeckx.be> <5352B328.1080006@pobox.com> <20140419175352.GA9090@roeckx.be>
To: Kurt Roeckx <kurt@roeckx.be>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/5UAEpumTdmn6mHa9LgFiVnD848U
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] RC4 deprecation path (Re: Deprecating more (DSA?))
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Apr 2014 19:28:41 -0000

On Apr 19, 2014, at 8:53 PM, Kurt Roeckx <kurt@roeckx.be> wrote:

> On Sat, Apr 19, 2014 at 10:32:24AM -0700, Michael D'Errico wrote:
>> Kurt Roeckx wrote:
>>> 
>>> - Clients should not announce support for RC4 in their initial
>>> connection attempt, and only fall back to support it when the
>>> server says that there are no common ciphers.  (I'm not sure
>>> if a MITM can fake that response or not.)
>> 
>> Continue the handshake all the way through to the Finished messages
>> to determine if a MITM has tampered with it.  This will only not
>> work if the server is of the type that chooses RC4 no matter where
>> it is in the client's cipher suite list.
>> 
>> Here's the message flow I'm thinking about:
>> 
>>    ClientHello (w/o RC4)      ----->
>>                               <-----    Alert (handshake_failure)
>> 
>> close and reconnect:
>> 
>>    ClientHello (with RC4)     ----->
>>                               <-----    ServerHello (RC4 chosen)
>>                                         ..... continues
>> 
>> Place the RC4 suites at the end of the list so that the server will
>> not choose them if it respects the client's preference.
> 
> Right, so an MITM could downgrade to RC4 in case the server
> prefers RC4 over the rest in that case.

Yes. As long as the client is required to support such servers, I guess we have to live with it.

It’s possible to make some kind of extension to help discover this activity by a MitM, but I don’t expect servers that continue to support RC4 to be the kind of servers that upgrade to the latest version of the software, the one that supports the new extension.

Yoav

v2.23.0 | Report a Bug | By Email