[TLS] Downgrade prevention with authenticated list of ciphersuites?

Seth David Schoen <schoen@eff.org> Wed, 02 October 2013 19:18 UTC

Date: Wed, 2 Oct 2013 12:02:09 -0700
From: Seth David Schoen <schoen@eff.org>
To: tls@ietf.org
Message-ID: <20131002190209.GN2532@sescenties.(null)>

I'm wondering if there's any existing proposal for a mechanism to prevent
ciphersuite downgrade attacks by authenticating the list of ciphersuites
offered by a TLS server.  One way to do this might be to put the list
somewhere in the server's certificate (maybe someone's already specified
a way to do so?), like a "subject offered ciphersuites list".

The advantage of this is that a network attacker -- I think -- can't
downgrade the connection to a less secure ciphersuite* than the
most secure one supported by both ends (unless they can also cause
misissuance of a certificate).  The disadvantage is an extreme decrease
in the flexibility of server configuration for a system administrator,
because they need to get certs reissued in order to make changes to the
ciphersuite list, at least if they want certain kinds of changes to have
any effect.  And it provides another way for connections to fail due to
a misconfiguration.

It seems like this policy would have good backward compatibility
properties if the extension conveying this information is not marked
critical.  If a client doesn't understand the list, it ignores it and is
just as vulnerable as today.  If it does understand the list, it always
uses what it regards as the most secure ciphersuite that's supported by
both ends.

* However, as Daniel Gillmor pointed out to me, they can still cause
  other kinds of non-ciphersuite-related downgrades (like a TLS
  protocol version downgrade) that could have security consequences
  that are as bad or worse.

Seth Schoen  <schoen@eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
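The client-side policy sketched in the message, modelled as an added example (this is not code from the post or from any TLS implementation). It assumes the server's ciphersuite list arrives in a certificate extension that has already been verified together with the chain, so the list is simply passed in as a Python sequence; the ciphersuite names, the client preference order and the hypothetical `SAMPLE_SERVER_LIST` are constructed sample data. A client that understands the list computes the most secure suite in the intersection of its own preference order and the authenticated list and refuses anything else; a client that does not understand it accepts whatever was negotiated, exactly as today.

```python
"""Downgrade check against an authenticated server ciphersuite list.

Added example, not part of the original mailing-list post. The authenticated
list is assumed to come from an already-verified certificate extension; here
it is just a list of strings.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

# Client preference order, most secure first (constructed sample data).
CLIENT_PREFERENCE = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

# Hypothetical list carried in the server certificate (constructed sample data).
SAMPLE_SERVER_LIST = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def expected_ciphersuite(
    client_preference: Sequence[str], authenticated_server_list: Sequence[str]
) -> Optional[str]:
    """Return the suite a list-aware client expects: the first entry of its
    own preference order that also appears in the authenticated server list,
    or None when the two lists do not intersect."""
    offered = set(authenticated_server_list)
    for suite in client_preference:
        if suite in offered:
            return suite
    return None


def evaluate_negotiation(
    negotiated: str,
    client_preference: Sequence[str],
    authenticated_server_list: Optional[Sequence[str]],
    list_understood: bool = True,
) -> Verdict:
    """Apply the policy from the message to the suite the server selected.

    If the client does not understand the extension, or the certificate did
    not carry one, the client behaves as today and accepts the negotiation.
    Otherwise the negotiated suite must be exactly the most secure suite
    supported by both ends; a weaker choice, or a suite the certificate says
    the server does not offer at all, is treated as a downgrade and rejected.
    Note that this says nothing about the negotiated protocol version, which
    the footnote in the message calls out as a separate downgrade vector.
    """
    if not list_understood or authenticated_server_list is None:
        return Verdict(True, "extension not understood or absent; accepted as today")

    if negotiated not in authenticated_server_list:
        return Verdict(False, f"{negotiated} is not in the authenticated server list")

    expected = expected_ciphersuite(client_preference, authenticated_server_list)
    if expected is None:
        return Verdict(False, "no ciphersuite in common with the authenticated list")
    if negotiated != expected:
        return Verdict(False, f"server selected {negotiated}, authenticated list implies {expected}")
    return Verdict(True, f"{negotiated} is the strongest suite supported by both ends")


if __name__ == "__main__":
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_RC4_128_SHA"):
        v = evaluate_negotiation(suite, CLIENT_PREFERENCE, SAMPLE_SERVER_LIST)
        print(f"{suite}: {'accept' if v.accepted else 'REJECT'} ({v.reason})")
```

The check only constrains the ciphersuite: a version rollback or other non-ciphersuite downgrade passes through untouched, which is the limitation the footnote points at, so an implementation would need a separate control for that.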