Re: [TLS] RC4 deprecation path (Re: Deprecating more (DSA?))

Michael D'Errico <mike-list@pobox.com> Sat, 19 April 2014 17:32 UTC

Kurt Roeckx wrote:
> 
> - Clients should not announce support for RC4 in their initial
>   connection attempt, and only fall back to support it when the
>   server says that there are no common ciphers.  (I'm not sure
>   if a MITM can fake that response or not.)

Continue the handshake all the way through to the Finished messages
to determine if a MITM has tampered with it.  This will only not
work if the server is of the type that chooses RC4 no matter where
it is in the client's cipher suite list.

Here's the message flow I'm thinking about:

     ClientHello (w/o RC4)      ----->
                                <-----    Alert (handshake_failure)

close and reconnect:

     ClientHello (with RC4)     ----->
                                <-----    ServerHello (RC4 chosen)
                                          ..... continues

Place the RC4 suites at the end of the list so that the server will
not choose them if it respects the client's preference.

Mike
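The fallback Mike sketches above, as an added simulation that is not code from the message or from any TLS implementation: RC4 is left out of the first ClientHello and appended at the end of the list only after a handshake_failure Alert, so a server that honours client order still lands on a non-RC4 suite. The cipher-suite names are real IANA names; the client preference list and the server behaviours (respecting client order or imposing its own) are constructed for the model.

```python
# Model of the RC4 fallback negotiation described in the thread. Added
# illustration only; not the message's own code nor any TLS stack's.
RC4_SUITES = {"TLS_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA"}
AES_GCM = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
AES_CBC = "TLS_RSA_WITH_AES_128_CBC_SHA"
RC4 = "TLS_RSA_WITH_RC4_128_SHA"
HANDSHAKE_FAILURE = "handshake_failure"  # the Alert the server returns

# Client's genuine preference order (constructed); RC4 is the last resort.
PREFERRED = [AES_GCM, AES_CBC, RC4]


def client_offer(preferred, include_rc4):
    """Cipher suites for a ClientHello: no RC4 on the first attempt; on the
    fallback attempt the RC4 suites go after everything else."""
    non_rc4 = [s for s in preferred if s not in RC4_SUITES]
    if not include_rc4:
        return non_rc4
    return non_rc4 + [s for s in preferred if s in RC4_SUITES]


def server_select(offered, supported, respects_client_order=True):
    """ServerHello choice: the first common suite in the client's order, or,
    for a server that imposes its own preference, in the server's order."""
    order = offered if respects_client_order else supported
    for s in order:
        if s in offered and s in supported:
            return s
    return HANDSHAKE_FAILURE


def negotiate(server_supported, respects_client_order=True,
              first_attempt_fails=False):
    """Return (chosen_suite, attempts). first_attempt_fails makes the first
    attempt end in handshake_failure whatever the server supports, i.e. the
    case Kurt asks about: at that point the client cannot tell a genuine
    Alert from one the server never sent."""
    first = server_select(client_offer(PREFERRED, False), server_supported,
                          respects_client_order)
    if first_attempt_fails:
        first = HANDSHAKE_FAILURE
    if first != HANDSHAKE_FAILURE:
        return first, 1
    # close and reconnect with RC4 at the end of the list
    second = server_select(client_offer(PREFERRED, True), server_supported,
                           respects_client_order)
    return second, 2


if __name__ == "__main__":
    print("RC4-only server:", negotiate([RC4]))
    print("server prefers RC4 but has AES:", negotiate([RC4, AES_CBC], False))
```

Only a server that both has RC4 and overrides the client's ordering ends up on RC4 after a spurious first failure; every other server type still negotiates AES.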