IETF Logo Mail Archive

Re: [TLS] PR for anti-downgrade mechanism

Brian Smith <brian@briansmith.org> Fri, 16 October 2015 19:22 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03E451B2DC7 for <tls@ietfa.amsl.com>; Fri, 16 Oct 2015 12:22:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kV82mmqtEiVP for <tls@ietfa.amsl.com>; Fri, 16 Oct 2015 12:22:12 -0700 (PDT)
Received: from mail-oi0-f45.google.com (mail-oi0-f45.google.com [209.85.218.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B54131B2A5D for <tls@ietf.org>; Fri, 16 Oct 2015 12:22:07 -0700 (PDT)
Received: by oiad129 with SMTP id d129so7521969oia.0 for <tls@ietf.org>; Fri, 16 Oct 2015 12:22:07 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=gM+ehJZ9wuKVh5ZuXCBGrJkZ8HhRD16ASkBm5zVgIE8=; b=c6xCpfNLWHUmU5JvhtZF8SEWTqZyPuQDZML7keeNJl8xcgBylGHonMFneTg/CWSBr6 TasNBKnzq7TOBJBu2jAb8mQnqrbk3OPGv6Ln5VYyLwi4dJcd9dqSzYmzmy1qIZ9hJ2CS kGhsgroCAC1xrWkMhLHvICaUOvmODrYP0/SjK/svDMsMOjSMkWosc+Y5rS9WKuMSME0n 4TFjn3q5XORT1ipnms1f829pHyjuPW4H0xHo1jdKbmWs5N8haDcpInwJQcfQL3z1bf9O EZY3Gvq1B/3GqS1q0TzodgPATEfI44yitBtAF7jZ3/VSJYfcSXe75al6cvAQg2prVfRD N7mQ==
X-Gm-Message-State: ALoCoQlPJeQbzfXYFFl31o+m4J5rIyVjjP1yoNDd1ePigLhhWSrNF3/14aOl7/ndouriBKzpNYQo
MIME-Version: 1.0
X-Received: by 10.202.80.67 with SMTP id e64mr10411290oib.125.1445023327103; Fri, 16 Oct 2015 12:22:07 -0700 (PDT)
Received: by 10.76.100.36 with HTTP; Fri, 16 Oct 2015 12:22:06 -0700 (PDT)
In-Reply-To: <D22E3AD8-19A1-4CAF-987B-349CE6961284@gmail.com>
References: <CABcZeBOB9mnQ8bLOCSysnx9LMv0hxrPCA21jTnxAMb3Yom_Aow@mail.gmail.com> <CAFewVt6yin3NhkcLuJfXVy7RKuyPY+7+P4h1fKAyVtAZdpjBfQ@mail.gmail.com> <D22E3AD8-19A1-4CAF-987B-349CE6961284@gmail.com>
Date: Fri, 16 Oct 2015 09:22:06 -1000
Message-ID: <CAFewVt484VFa+bUPc41BXVhoYqx1qJdWR4z7c_xjx=Ff_6QZQw@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Content-Type: multipart/alternative; boundary="001a113d843e1acb1805223db6a6"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/NEQd-1r7DFU4KCH0N_7Rt2TfE1w>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PR for anti-downgrade mechanism
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2015 19:22:15 -0000

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> wrote:

> The attack we’re protecting against is the following:
> [snip]
>

The key observation is that downgrade protection in TLS 1.2 (and below)
> relies on the Finished MAC, but the elements that go into computing this
> MAC (DH group, hash algorithm)
> are themselves negotiated within the handshake and may be downgraded. This
> is a fundamental protocol limitation that is addressed by TLS 1.3. Now, our
> goal is to protect TLS 1.3 itself
> from older protocol versions.
>

Thanks for explaining. I think this is a good idea.

Why only protect TLS 1.3 from such a downgrade? I think it is worthwhile to
protect TLS 1.2 from the downgrade too, in a similar way. Or, is there
something specific about TLS 1.3 that makes the downgrade worse?


> 2) Looking forward, a number of researchers would like to give a strong
> security theorem for TLS 1.3, but at present we would not be able to
> guarantee security for any TLS 1.3 implementation
>     that also implements older protocol versions, because we would then
> also have to prove secure all the ciphersuites used in these old versions
> (some of which are certainly broken from the
>     point of view of provable security). For our proofs, we’d like nothing
> better than to be able to assume that older versions of TLS have been
> disabled, but I guess that is unlikely to happen soon.
>

No doubt it is more interesting to work on TLS 1.3. But, I think that it
would also be useful to have such work done, insofar as it is possible, for
at least a subset of TLS 1.2--e.g. the subset that is used in DICE, which
prescribes TLS 1.2. I understand that the people working on proofs for TLS
1.3 may not be the same ones that might undertake the work for TLS 1.2.

Cheers,
Brian
-- 
https://briansmith.org/

v2.23.0 | Report a Bug | By Email