[TLS] When/why is the RSA premaster secret version rollback check needed?

"Brian Smith" <brian@briansmith.org> Tue, 10 August 2010 18:01 UTC


What attack is thwarted by checking the version number in the premaster
secret that isn't thwarted by the Finished message hash & HMAC? If a server
finds this check problematic for some reason, what alternate countermeasures
could it take to achieve the same security assurance?

At first, I thought it was enough to disable SSL 2.0 support. But, the TLS
1.2 specification actually requires *stricter* checks when the hello
versions are newer than it does when the hello versions are older. I am
having trouble understanding how this makes sense.

My intuition tells me that for a server that doesn't support SSL 2.0, the
premaster secret version check must either be unnecessary, or it must be
caused by some problem inherent to RSA key exchange that I've overlooked,
since the Finished message protects the entire contents of hello messages
(including the version numbers), and this specific check isn't done for
other key exchange methods.

Any help, even simply a link to the discussion that motivated the addition of
the version number into the RSA encrypted premaster secret, would be greatly
appreciated.

Thank you,

Brian
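For reference, the server-side handling that RFC 5246 section 7.4.7.1 prescribes for this check, as an added Python example that is not part of Brian's post: the expected version is ClientHello.client_version (not the negotiated version), the check is mandatory when the client offered TLS 1.1 or higher and merely recommended (with a possible configuration knob) for older offers, and any failure, whether a bad version or a PKCS#1 unpadding error, is silently replaced by a random premaster secret so the handshake fails uniformly at Finished instead of leaking an oracle. The RSA decryption step is assumed to happen elsewhere; `server_premaster` and its parameters are hypothetical names for this illustration.

```python
import hmac
import os

PREMASTER_LEN = 48
TLS_1_1 = (3, 2)


def server_premaster(decrypted, client_version, allow_legacy_mismatch=False):
    """Return the premaster secret the server must continue the handshake with.

    decrypted      : output of RSA PKCS#1 v1.5 decryption of the
                     EncryptedPreMasterSecret, or None if unpadding failed
    client_version : (major, minor) from ClientHello.client_version
    allow_legacy_mismatch : the RFC 5246 "MAY disable the check" option,
                     honoured only when the client offered TLS 1.0 or older

    Never raises and never signals an alert for a bad version or bad padding:
    every failure path yields a random premaster so the eventual Finished
    MAC mismatch looks the same regardless of the cause.
    """
    expected = bytes(client_version)
    # Draw the fallback secret unconditionally, before any check, so the
    # success and failure paths do the same work.
    fallback = os.urandom(PREMASTER_LEN)

    if decrypted is None or len(decrypted) != PREMASTER_LEN:
        return fallback

    # Constant-time comparison of the embedded version against the offer.
    version_ok = hmac.compare_digest(decrypted[:2], expected)

    # TLS 1.1+ offers MUST be checked; older offers SHOULD be, unless the
    # operator has explicitly chosen to tolerate the mismatch.
    must_check = tuple(client_version) >= TLS_1_1 or not allow_legacy_mismatch
    if must_check and not version_ok:
        return fallback

    return decrypted


# Constructed sample inputs: a well-formed premaster from a TLS 1.2
# ClientHello, and one whose version bytes were rolled back to SSL 3.0.
GOOD_PMS = b"\x03\x03" + bytes(range(46))
ROLLED_PMS = b"\x03\x00" + bytes(range(46))
```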