Re: [TLS] Cipher suite values to indicate TLS capability

Geoffrey Keating <geoffk@geoffk.org> Tue, 05 June 2012 23:16 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6BC921F863C for <tls@ietfa.amsl.com>; Tue, 5 Jun 2012 16:16:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.577
X-Spam-Level:
X-Spam-Status: No, score=-2.577 tagged_above=-999 required=5 tests=[AWL=0.022, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FcmX+3ZPjl5V for <tls@ietfa.amsl.com>; Tue, 5 Jun 2012 16:16:33 -0700 (PDT)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [216.129.118.138]) by ietfa.amsl.com (Postfix) with ESMTP id 2BB5D21F8639 for <tls@ietf.org>; Tue, 5 Jun 2012 16:16:33 -0700 (PDT)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id E771933D077; Tue, 5 Jun 2012 23:16:31 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Adam Langley <agl@google.com>
References: <CAL9PXLwdQctUub5oPx0tepsfveDo0bNKGBUaUBBFeq4u4D0BbA@mail.gmail.com>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: Tue, 05 Jun 2012 16:16:31 -0700
In-Reply-To: <CAL9PXLwdQctUub5oPx0tepsfveDo0bNKGBUaUBBFeq4u4D0BbA@mail.gmail.com>
Message-ID: <m2sje9xsc0.fsf@localhost.localdomain>
Lines: 51
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: tls@ietf.org
Subject: Re: [TLS] Cipher suite values to indicate TLS capability
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jun 2012 23:16:33 -0000

Adam Langley <agl@google.com> writes:

> (I'm floating this idea before implementing it.)
> 
> All major HTTPS clients (and possibly other TLS clients too) implement
> fallback in order to workaround buggy networks and buggy servers. If a
> handshake fails with any one of a number of spoofable errors, the
> client will retry with more conservative options enabled. Eventually
> the client will retry the connection with vanilla SSLv3.
> 
> There is no indication that the world is going to improve to the point
> where we can remove this fallback any time soon. About 1% of
> connections still need to do it.
> 
> However, with the downgrade to SSLv3 we loose an important security
> feature: ECDHE. As SSLv3 doesn't support ECDHE, an attacker can cause
> the key-agreement algorithm to switch from ECDHE-RSA to RSA (this
> affects Google at least). On the server side, we're not going to
> switch on multiplicative DH at a strength similar to P-256 because of
> the DoS impact so clients will loose forward security. Also, with a
> plain RSA ciphersuite, it's possible for an attacker with the server's
> private key to decrypt the pre-master secret and assume control of a
> TLS connection. This means that the attacker will be authenticated
> with any client-certificate used, something that isn't possible with
> forward secure ciphersuites.

Could you simply send the ECDHE values anyway?  If the remote end
accepts them, you can reasonably be sure you're under a downgrade
attack (but see below).

> So I'd like to introduce TLS_CAPABLE_SCSV (0x00fe) in SSLv3
> handshakes. TLS_EMPTY_RENEGOTIATION_INFO_SCSV has shown that we can
> deploy new ciphersuites for SSLv3 and the semantics of
> TLS_CAPABLE_SCSV would be that servers would reject any SSLv3
> handshakes that included this ciphersuite with a fatal error. (Thus
> TLS_CAPABLE_SCSV would only be included when the handshake was the
> result of a fallback.)

One problem with this proposal is that in practice it isn't really
indicating 'TLS 1.0 capable'.  A system might actually support TLS
1.0, but not extensions, or it might have trouble parsing the
particular EC extensions you sent, or some other extension, or it
might not like the negotiated cipher suite, or the total number of
proposed cipher suites, or the compression algorithm.  Or it could
have mysteriously failed (once) for reasons unconnected to the TLS
negotiation.

So, I don't think this is a good candidate for standardization.  You'd
need to come up with a 'preferred' client hello, and then have the
cipher suite value mean very specifically that the preferred client
hello should have been accepted...