Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
mrex@sap.com (Martin Rex) Tue, 20 January 2015 22:46 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37BD51A0064 for <tls@ietfa.amsl.com>; Tue, 20 Jan 2015 14:46:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bq4DdY1E3owt for <tls@ietfa.amsl.com>; Tue, 20 Jan 2015 14:46:05 -0800 (PST)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 611F51A005C for <tls@ietf.org>; Tue, 20 Jan 2015 14:46:05 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 5242C3A27C; Tue, 20 Jan 2015 23:46:03 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 2EB23425F6; Tue, 20 Jan 2015 23:46:03 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 2531B1B105; Tue, 20 Jan 2015 23:46:03 +0100 (CET)
In-Reply-To: <eb31eab16495491bbaf9508088657f3c@usma1ex-dag1mb2.msg.corp.akamai.com>
To: "Salz, Rich" <rsalz@akamai.com>
Date: Tue, 20 Jan 2015 23:46:03 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150120224603.2531B1B105@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/JVQhxDH8xuujV1qAKvhlztp5xZc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jan 2015 22:46:09 -0000
Salz, Rich wrote: > >> Permitting the server to continue the TLS handshake with >> ServerHello.server_version = (ClientHello.client_version +1) > > Brian pointed out that this seems to not work. Technically, my proposed and extremely simple improvement works *PERFECTLY* in his example. But Brian and I might be talking past each other. I'm not saying that the early adopters of the downgrade-scsv proposal must change. But I also do not want to see a knee-jerk reaction, that can easily lead to a complete interop failure rubber-stamped for standards track, when it could be easily improved by allowing servers an alternative response that bears a significantly lower risk of causing harm in the form of complete interop failure, when shipped as server patch into an installed base of unknown usage scenarios. The semantics of the FALLBACK_SCSV (i.e. the presence of the cipher suite in ClientHello) specified in the current proposal could be described as "Client signals to Server that it supports a TLS protocol version that is higher than what is currently conveyed in ClientHello.client_version". The semantics of the fatal inappropriate_fallback(86) alert from the server of the current proposal could be described as "Server signals to Client that it also supports a TLS protocol version that is higher than what the server received in ClientHello.client_version". Improving the current downgrade-scsv proposal, by giving the server the choice to alternatively continue the TLS handshake successfully, using ServerHello.server_version = (ClientHello.client_version+1) will convey back to the client the same information as the "inappropriate_fallback(86)" fatal alert--but give the client significantly *MORE* options to perform a successful TLS handshake with that server. The server's willigness to continue the handshake, selected from among the TLS protocol options actually offered in ClientHello, is *NOT* an obligation for the client to continue that handshake and to send application data over the resulting session. If the TLS client believes that it could do better, it may take chances and retry a new connection immediately. But with the alternative of a successful continuation of the handshake, interop is still a viable option to the client, and not all conceivable protocol downgrades will actually impair the security. Clients, in particular Web Browsers, are notorious about breaking connections frequently and during all connection states (after connect after TLS handshake start or during data transfer). This may be users doing navigation on partially loaded pages that contain myriads of embedded seperate objects, or this may be active scripting composing colorful UIs from myriads of small UI elements. Servers, on the other hand, are normally patient and well-behaved, but may appear unresponsive under high load or flaky network connectivity. I firmly believe that most of the causes for TLS protocol downgrades will continue to be non-malicious rather than active attacks. And in many cases, the proposed improvement of the server successfully continuing with ServerHello.server_version=(ClientHello.client_version + 1) will provide a comparable level of security to what would happen had the client had proposed a higher protocol version in ClientHello. So this improvement can also save network round-trips on non-malicious downgrades. Looking at the downgrade dance of Firefox 34, it does 1. record={3,1} client_version={3,3} + extensions 2. record={3,1} client_version={3,2} + extensions 3. record={3,1} client_version={3,1} + extensions <error page> So Firefox seems to have abandoned not only SSLv3, but also extension-less ClientHellos. It seems that the only "problem" that is left here, is an unfortunate requirement in AEAD cipher suite RFCs (such as AES-GCM, rfc5288): https://tools.ietf.org/html/rfc5288#section-4 4. TLS Versions These cipher suites make use of the authenticated encryption with additional data defined in TLS 1.2 [RFC5246]. They MUST NOT be negotiated in older versions of TLS. * Clients MUST NOT offer these * cipher suites if they do not offer TLS 1.2 or later. Servers that select an earlier version of TLS MUST NOT select one of these cipher suites. Because TLS has no way for the client to indicate that it supports TLS 1.2 but not earlier, a non-compliant server might potentially negotiate TLS 1.1 or earlier and select one of the cipher suites in this document. Clients MUST check the TLS version and generate a fatal "illegal_parameter" alert if they detect an incorrect version. Considering that TLS version intolerance had been well-known when the AEAD cipher suite documents where published, the above (*) requirement should have better been something like the following from the beginning: When a Client offers any of these cipher suites, it implies that the client supports and is willing to use protocol version TLS 1.2 or later. This implication will take precedence over any protocol version in ClientHello.client_version that is lower than TLS 1.2, and might have been used by the client purely for better interoperability with old or defective TLS servers that are intolerant to newer TLS protocol versions in ClientHello.client_version. Then browsers would not have had to worry as much about their downgrade dance, there would be a strong argument for programmatic clients (those that do not contain any app-level downgrade dance heuristics) to adopt TLSv1.2 + AEAD cipher suites. How about assigning a small number (<=4) of alternative TLS cipher suite IDs to existing AEAD TLS cipher suites than will carry the above implication? Candidate cipher suites for assignment of an alias cipher suite ID: CipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = {0xC0,0x27}; CipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = {0xC0,0x28}; -Martin
- [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-0… The IESG
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Hanno Böck
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yuhong Bao
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Adam Langley
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Andrei Popov
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Watson Ladd
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Brian Smith
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Jeffrey Walton
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yoav Nir
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Eric Rescorla
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Colm MacCárthaigh
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yuhong Bao
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Brian Smith
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Xiaoyin Liu
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yoav Nir
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Xiaoyin Liu
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yoav Nir
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Xiaoyin Liu
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael D'Errico
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- [TLS] advertizing the minimum TLS supported versi… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Jeffrey Walton
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] advertizing the minimum TLS supported v… Michael Clark
- Re: [TLS] advertizing the minimum TLS supported v… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Hubert Kario
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Henrik Grubbström
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Henrik Grubbström
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Dave Garrett
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Eric Rescorla
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Henrik Grubbström
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex