IETF Logo Mail Archive

Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

Henrik Grubbström <grubba@gmail.com> Fri, 23 January 2015 23:59 UTC

Return-Path: <grubba@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54C121AD1D5 for <tls@ietfa.amsl.com>; Fri, 23 Jan 2015 15:59:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uQvAZMGzclUb for <tls@ietfa.amsl.com>; Fri, 23 Jan 2015 15:59:21 -0800 (PST)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78A2F1A88A7 for <tls@ietf.org>; Fri, 23 Jan 2015 15:59:21 -0800 (PST)
Received: by mail-la0-f41.google.com with SMTP id gm9so287658lab.0 for <tls@ietf.org>; Fri, 23 Jan 2015 15:59:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=2EuA/MpUEVzrlHfAaASBbdEVwKbefS/iQ5SWZpXmt/c=; b=gZce2+YuPvV+sBlo28/XT+W7R9jbeeVtZ5DaIkGavBsxRtL85UlFE8Ew4pvJRiThKZ HvVA2LrSGKpcjtQdCOwlRK+yGkmNI02cAqZbIbM9ppyI33tYXEnQlBQ8X7c16bmXpxIG r9wKSsif1NlUPIsSJdhgBsYlFg+I4idEJQrQjE9urX73jBaLPlKKRRhK66jID2RGsYck pGTVkNbGX9M47zNrDnmdQNLi0mzdm4DfR0rD2iAv7w6Yg0rYv09ATjIFe1snddmgCPSH cUsTsUPFfBSf560mqSjLbQYkxnQOmF55XSCcvgsxaT6zW0hBOJuITMPm3fkGcYCt4hKV MwQw==
MIME-Version: 1.0
X-Received: by 10.152.4.200 with SMTP id m8mr9888471lam.17.1422057559686; Fri, 23 Jan 2015 15:59:19 -0800 (PST)
Received: by 10.112.200.4 with HTTP; Fri, 23 Jan 2015 15:59:19 -0800 (PST)
In-Reply-To: <54C1B2EC.2060507@metaparadigm.com>
References: <40128f312378442fbd26459bf5d7593b@usma1ex-dag1mb2.msg.corp.akamai.com> <20150119192701.190C71B0FF@ld9781.wdf.sap.corp> <CAFewVt6LRafnJN_L=xVeiAxNcpSB+8vPYzquPfjXsduudyj+QQ@mail.gmail.com> <BAY180-W688DE2930CB7F231E60989FF480@phx.gbl> <04690E05-4905-4941-A60D-7BC5CDC93431@gmail.com> <BAY180-W1849690A1D8C42F1063DDBFF480@phx.gbl> <39B8BC24-D539-456F-970B-B11665B0E892@gmail.com> <54C0B783.2060604@metaparadigm.com> <CADMpkcJLidpZcQd-zmFAyd022xHB9Cj0xkhQyjBxQBsLk54SbA@mail.gmail.com> <54C1B2EC.2060507@metaparadigm.com>
Date: Sat, 24 Jan 2015 00:59:19 +0100
Message-ID: <CALuAYvaALnfHiv3sfotROiR0NfWmdxSopzSWmTCDO2wSHJPJww@mail.gmail.com>
From: Henrik Grubbström <grubba@gmail.com>
To: Michael Clark <michael@metaparadigm.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/YOuTzVt6hfvVXWPvaf9MGKebLXo>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jan 2015 23:59:23 -0000

On Fri, Jan 23, 2015 at 3:33 AM, Michael Clark <michael@metaparadigm.com> wrote:
> On 23/1/15 12:59 am, Bodo Moeller wrote:
>
> Michael Clark <michael@metaparadigm.com>:
>
>> + SCSV served a purpose of a mitigation while clients downgraded
>>   due to version upgrade intolerant servers. It may have served its
>>   purpose. Don't downgrade and there is no attack vector
[...]
> A).
>
>     1). Codify use of a "Supported TLS Versions Extension" with either a
> strong recommendation for a minimum of TLSv1.0 { 3, 1 } to deprecate SSLv3.0
>         * Advisory to recommend the record layer ClientHello version be
> fixed to the lower bound { 3, 0 } ; which there seems to be some consensus
> for
>         * In the case where the extension is echoed. i.e. supported, the
> record layer version is echoed by the server and signed in the handshake.
>         * This is TLSv1.0 through TLSv1.2 compatible via extension
> tolerance. i.e. All TLS implementations can benefit from it.

I don't see a need for this. The current SCSV in the draft seems
sufficient; it indicates to the server that the client believes that
there's some sort of problem with the connection, which not
necessarily is due to the protocol version, but that the client has
downgraded in an attempt to workaround.

Your approach risks cementing the misinterpretation of the record
layer version as the minimum protocol version, which is the cause of
many of the version-related problems.

> And in TLSv1.3, where payload can be changed, and extensions can be
> mandated, without breaking backwards compatibility, it also makes sense to:
>
> B).
>
>     1). MUST Codify use of a "Supported TLS Versions Extension" with either
> a strong recommendation or MUST for a minimum of TLSv1.0 { 3, 1 } to
> deprecate SSLv3.0
>         * In the case where the extension is echoed. i.e. the lower bound is
> signed in the handshake.
>         * This provides administrators with a clear indication of supported
> versions and the ability to set their lower bound
>         * This is TLSv1.0 through TLSv1.2 compatible via extension
> tolerance.
>         * Complete deprecation of SSLv3.0 would like be achieved by the time
> TLSv1.3 is in the wild.

Why mess with the version negotiation? The current protocol works fine
if the parties actually implement the RFCs.

>     2). MUST tighten the wording with respect to the ClientHello record
> layer and message layer versions
>         * Fix the record layer ClientHello version to the lower bound { 3, 0
> } ; which there seems to be some consensus for
>         * This is TLSv1.0 through TLSv1.2 compatible via extension
> tolerance.

See above.

>     3). MUST Extend the TLSv1.3 verify_data size from 12 octets to >=16
> octets
>         * In the TLSv1.3 time frame we are approaching a point where (
> handshakes * ( 2^12) / ( 2^96 ) ) becomes a potentially exploitable weakness
>         * The wording that defers to the cipher suite for verify_data_length
> should be changed.

This makes some sense.

>     4). MUST Include the entire handshake record layer rather than content
> in the veryify_data hash
>         * While this is a duplication of the mitigation in A.1, it is in
> fact the real fix and the "Supported TLS Versions Extension" becomes an
> indicator
>         * "Supported TLS Versions Extension" would echoed to indicate the
> lower bound and { 3, 0 } would be fixed at record layer.
>         * Reasoning: The fact a mitigation is deployed (for backwards
> compatibility) should not prevent the standard from deploying the real fix.
>         * TLSv1.3 has an opportunity to change content layer semantics of
> the handshake hash without breaking backwards compatibility
>         * It needs to be tight { 3, 1} lower bound via extension and at the
> same time loose { 3, 0 } in record layer for inclusive backwards and
> forwards compatibility.

This seems stupid. There are three pieces of extra information
contained at the packet level in this case:

  * The packet content type

     This is handshake for all packets in the handshake (now that CCS
is gone in TLS 1.3), and thus contains no information.

  * The packet fragmentation.

    This is not relevant, since all payloads are concatenated before
the protocol actually looks at them.

  * The packet version number.

    This is not relevant, as either the version is 3.x in all packets
and the packets are accepted, or the version is something else and the
connection will be terminated.

/grubba

-- 
Henrik Grubbström                                       grubba@grubba.org
Roxen Internet Software AB                              grubba@roxen.com

v2.23.0 | Report a Bug | By Email