[TLS] Downgrade prevention with authenticated list of ciphersuites?
Seth David Schoen <schoen@eff.org> Wed, 02 October 2013 19:18 UTC
Date: Wed, 2 Oct 2013 12:02:09 -0700
From: Seth David Schoen <schoen@eff.org>
To: tls@ietf.org
Message-ID: <20131002190209.GN2532@sescenties.(null)>
I'm wondering if there's any existing proposal for a mechanism to prevent ciphersuite downgrade attacks by authenticating the list of ciphersuites offered by a TLS server. One way to do this might be to put the list somewhere in the server's certificate (maybe someone's already specified a way to do so?), like a "subject offered ciphersuites list". The advantage of this is that a network attacker -- I think -- can't downgrade the connection to a less secure ciphersuite* than the most secure one supported by both ends (unless they can also cause misissuance of a certificate).

The disadvantage is an extreme decrease in the flexibility of server configuration for a system administrator, because they need to get certs reissued in order to make changes to the ciphersuite list, at least if they want certain kinds of changes to have any effect. And it provides another way for connections to fail due to a misconfiguration.

It seems like this policy would have good backward compatibility properties if the extension conveying this information is not marked critical. If a client doesn't understand the list, it ignores it and is just as vulnerable as today. If it does understand the list, it always uses what it regards as the most secure ciphersuite that's supported by both ends.

* However, as Daniel Gillmor pointed out to me, they can still cause other kinds of non-ciphersuite-related downgrades (like a TLS protocol version downgrade) that could have security consequences that are as bad or worse.

-- 
Seth Schoen <schoen@eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
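The client-side policy sketched in the message, written out as an added example (not code from the message or from any TLS implementation). It assumes a hypothetical certificate extension carrying the server's offered ciphersuite list, modelled here as a plain `Certificate.offered_suites` field, and compares the suite the ServerHello selected against the best suite the client would expect given that authenticated list; the sample suite names and preference order are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed sample data: the client's own ranking, most secure first.
CLIENT_PREFS = (
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
)


@dataclass(frozen=True)
class Certificate:
    """Stand-in for a parsed server certificate. offered_suites models the
    hypothetical "subject offered ciphersuites list" extension (None = absent)."""
    subject: str
    offered_suites: Optional[Sequence[str]] = None


def expected_suite(client_prefs: Sequence[str], cert: Certificate) -> Optional[str]:
    """Most secure suite, by the client's ranking, supported by both ends.
    The server side is judged from the certificate-authenticated list, not from
    anything an on-path attacker could have altered in the handshake itself."""
    if cert.offered_suites is None:
        return None
    offered = set(cert.offered_suites)
    return next((s for s in client_prefs if s in offered), None)


def check_negotiation(client_prefs: Sequence[str], cert: Certificate,
                      negotiated: str) -> Tuple[bool, str]:
    """Decide whether to accept the suite the ServerHello selected.
    Only the ciphersuite is checked: a protocol-version downgrade (the caveat
    in the message's footnote) is outside what this list can protect."""
    if cert.offered_suites is None:
        # Extension absent (or not understood): ignore it, as vulnerable as today.
        return True, "no authenticated list; accepted as today"
    if negotiated not in client_prefs:
        return False, "negotiated suite not offered by client"
    if negotiated not in cert.offered_suites:
        # Server config and certificate disagree: the misconfiguration failure mode.
        return False, "negotiated suite not in authenticated list"
    expected = expected_suite(client_prefs, cert)  # not None: negotiated qualifies
    if negotiated != expected:
        return False, f"downgrade: expected {expected}, got {negotiated}"
    return True, "ok"
```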