Re: [TLS] PR for anti-downgrade mechanism
Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Sat, 17 October 2015 06:23 UTC
Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52A5C1A802A for <tls@ietfa.amsl.com>; Fri, 16 Oct 2015 23:23:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TBkS0YrRBIFS for <tls@ietfa.amsl.com>; Fri, 16 Oct 2015 23:23:33 -0700 (PDT)
Received: from mail-wi0-x230.google.com (mail-wi0-x230.google.com [IPv6:2a00:1450:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4871B1A711A for <tls@ietf.org>; Fri, 16 Oct 2015 23:23:33 -0700 (PDT)
Received: by wicgb1 with SMTP id gb1so33738657wic.1 for <tls@ietf.org>; Fri, 16 Oct 2015 23:23:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=vXgk85iaBQNRscK/TSzAwIz4SnT7n+czlbXYqKUu/q0=; b=VwED1glaaaRpJEsn2r3MScPIdrJvh5w5UI2gCKvnnhb33WjzIWHwakAnqoAzE+vHzN SBx2IL/GmdMcaSkoN1lAJEjwH5OEP39nLFR2eXycQunTJGxtLDMyx0jbe9gZMcK0VbTc S9pdKJnILAjPgTwfaC+7s+zzC2QSVpixZqpE2cADpNk633jjFPuYZWszAkJh09Jo1xKR 5G8ziPmiTHL6Y0oLnH8+i3KAt/5BoY9mEb1KmL+14wF17JOtYqixCAlQykfS6pC9lr6i GJugsHF1Y2ztKo0zl8MpNTCtbnjkMx/1jwyMWT827A6zwNF0YBBGqaoiDw7W6ziM2bGS ZJtw==
X-Received: by 10.180.102.195 with SMTP id fq3mr8949227wib.7.1445063011552; Fri, 16 Oct 2015 23:23:31 -0700 (PDT)
Received: from [192.168.0.12] (89-156-8-219.rev.numericable.fr. [89.156.8.219]) by smtp.gmail.com with ESMTPSA id cc8sm26532562wjc.46.2015.10.16.23.23.30 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 16 Oct 2015 23:23:31 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_1D6968D6-A549-40CE-83F8-54126E2F1657"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
In-Reply-To: <CAFewVt5qXaXGrMi8ids_3pfB7t=zdmmqRqe2N_GXjex_P=Qq1w@mail.gmail.com>
Date: Sat, 17 Oct 2015 08:23:29 +0200
Message-Id: <02BF1D46-DC94-4D4C-B0E6-5FE0E7D7F95B@gmail.com>
References: <CABcZeBOB9mnQ8bLOCSysnx9LMv0hxrPCA21jTnxAMb3Yom_Aow@mail.gmail.com> <CAFewVt6yin3NhkcLuJfXVy7RKuyPY+7+P4h1fKAyVtAZdpjBfQ@mail.gmail.com> <D22E3AD8-19A1-4CAF-987B-349CE6961284@gmail.com> <CAFewVt484VFa+bUPc41BXVhoYqx1qJdWR4z7c_xjx=Ff_6QZQw@mail.gmail.com> <CABkgnnVEUuWEEpqjRWm9=D7OkDuxvJj7pmX=8RMCU6T_qah5mw@mail.gmail.com> <CAFewVt6kPzMfjKb5deATw4funEa_=Z9G5U-6_QeX1f34abS55g@mail.gmail.com> <CABkgnnW1V6SbbFfjKekCTmWNK6gP1uH2rH4POSkwmycQwtPkoA@mail.gmail.com> <CAFewVt5qXaXGrMi8ids_3pfB7t=zdmmqRqe2N_GXjex_P=Qq1w@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/5u7NpYb6S2KltAo4z39rROHozIk>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PR for anti-downgrade mechanism
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Oct 2015 06:23:35 -0000
Hi Brian, yes, the mechanism proposed here could also be used by TLS 1.2 implementations to signal each other about their preferred connection parameters. To make most use of the bytes provided, one could use the sentinel value to indicate support for an extension, which then carries a signed server configuration of arbitrary size. The attacker would then be unable to downgrade the connection by deleting this extension. False Start is an interesting use case, because (a) it sends data before the server has confirmed the chosen version/ciphersuite/etc and (b) it already tries to prevent downgrades by whitelisting versions and ciphersuites. Some downgrade attacks fail because of (b), but others are easier to exploit because of (a). For example, Logjam was easier to mount on False Start clients since the attacker could collect the False Start data and decrypt it at leisure. Extended master secret (EMS) provides some additional protection to False Start, because the encryption keys implicitly include the full handshake transcript and, so if the MitM tampers with the connection, the False Start data would not be accepted by a server. (However, that this would not have prevented Logjam.) Moreover, even the EMS extension can be deleted by a MitM. The current proposal could protect EMS from downgrade by indicating support for it in the server hello. To sum up, we’re focusing on TLS 1.3 because we have a chance to bake in strong downgrade protection into its implementations from the very beginning. I think this could be useful for older versions too, as an optional mechanism which protects clients and servers that both implement it, and does not affect others. -Karthik > On 17 Oct 2015, at 00:34, Brian Smith <brian@briansmith.org> wrote: > > On Fri, Oct 16, 2015 at 12:12 PM, Martin Thomson <martin.thomson@gmail.com <mailto:martin.thomson@gmail.com>> wrote: > On 16 October 2015 at 13:39, Brian Smith <brian@briansmith.org <mailto:brian@briansmith.org>> wrote: > > That would be especially true for an implementation that does False Start > > for TLS 1.2. > > I don't see how false start plays into this. We could have clients > reject false start if they see this sentinel value. But don't we want > to just treat this as an attack and abort instead? > > Yes. The client needs the sentinel to know to abort the connection, if its willing to false start with TLS 1.2 when it also support TLS 1.3, right? > > Cheers, > Brian > -- > https://briansmith.org/ <https://briansmith.org/> >
- [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Yngve N. Pettersen
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Short, Todd
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Salz, Rich
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Short, Todd
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism David Benjamin
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Christian Huitema
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Christian Huitema
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Christian Huitema
- Re: [TLS] PR for anti-downgrade mechanism Colm MacCárthaigh
- Re: [TLS] PR for anti-downgrade mechanism Colm MacCárthaigh
- Re: [TLS] PR for anti-downgrade mechanism Joseph Salowey