Re: [TLS] TLS 1.3 supported versions and downgrade protection

David Benjamin <davidben@chromium.org> Thu, 05 December 2019 17:48 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B5B71209C2 for <tls@ietfa.amsl.com>; Thu, 5 Dec 2019 09:48:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.751
X-Spam-Level:
X-Spam-Status: No, score=-8.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, PDS_BTC_ID=0.499, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5YMZoVXqr4Sq for <tls@ietfa.amsl.com>; Thu, 5 Dec 2019 09:48:28 -0800 (PST)
Received: from mail-pl1-x644.google.com (mail-pl1-x644.google.com [IPv6:2607:f8b0:4864:20::644]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B41D12095C for <tls@ietf.org>; Thu, 5 Dec 2019 09:48:28 -0800 (PST)
Received: by mail-pl1-x644.google.com with SMTP id k20so1526707pll.13 for <tls@ietf.org>; Thu, 05 Dec 2019 09:48:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GfN93Yec3wpUnscSsotc5LkuqUS9Nqx5xbOWeXmw/8w=; b=SpIcg7nhHNx4EqHRrfqHdTYce+ERWNnOLaGA00IxCQNUBXeRFex6BZt6ruMob5l8Cg kkJ6EvoZdKViup84aGnQb+l9MYSmcWMdYQf2HAehl2u78lisxcq2TU4xEjfxa89TLv28 ZcrJod9rDrhWH4EcjCAsVBymC5g5UUGOP3tNo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GfN93Yec3wpUnscSsotc5LkuqUS9Nqx5xbOWeXmw/8w=; b=e/IZPWm8JEYBMq4//l3jZa8pEESl3UuB5fxxGpPIOUH5totRq8IOAyxAwmP+fCPcgW 4jemOHrFDvEa1fpd8tC/9O7n0iunnBtJuJZlicx2nr/n9rcSlHIgzgg50x4ib+bW0C4h ZqkrlKJ3bpzc9Z7pLrfQnAnrSB/1WX3/9dVFucT9VW2Uqd6Ey0E9zCfiiiEu9tjZD/ox l3UjT6z09WMghqXfAyfSrQ3AuPY7yU+sxbU7ns0G/PsW08Wt7BxrSMKMykPqXMX7PNT5 v/2mNRV8lmeAn6SW64no08BFGFWi4tWwVtE3dM6LD754xgehijvyVjEpEI+1YXZ/zmzM AvZg==
X-Gm-Message-State: APjAAAW25UgsvxML7+iy5YKk0JW7V0F0whyTtT9KcMlOVpiJcP003VBf VXOd+moGpAGD62yXoOfQ6Hw14REzeSOaEU4aYvRa
X-Google-Smtp-Source: APXvYqyT4ENGIiYDmWfyeSsgKFv8pZ9p0ToBs6pyIaLyyPVZho49qxmwFL2bwyKWhmgvbwXZCuwdnYMZ/KCbA7RuWAc=
X-Received: by 2002:a17:90a:2188:: with SMTP id q8mr10613689pjc.47.1575568107667; Thu, 05 Dec 2019 09:48:27 -0800 (PST)
MIME-Version: 1.0
References: <D4904384-8893-410A-A516-06B0226FFA4E@isara.com> <20191205173553.GS3397@akamai.com>
In-Reply-To: <20191205173553.GS3397@akamai.com>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 5 Dec 2019 12:48:11 -0500
Message-ID: <CAF8qwaAt3jeZFf0wc9SMfDYjBvdmM8KDaZyHDL42QwL3pSZQ0A@mail.gmail.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Cc: Daniel Van Geest <Daniel.VanGeest@isara.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006118f60598f8890e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aaQfVH1sJCFFE3zqnZf0iVG4o7M>
Subject: Re: [TLS] TLS 1.3 supported versions and downgrade protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2019 17:48:33 -0000

On Thu, Dec 5, 2019 at 12:36 PM Benjamin Kaduk <bkaduk@akamai.com> wrote:

> On Thu, Dec 05, 2019 at 05:30:10PM +0000, Daniel Van Geest wrote:
> > Hi all,
> >
> > I think there might be ambiguity or an interoperability issue with the
> TLS 1.3 ServerHello Random value downgrade protection and some (possibly?)
> legitimate negotiation of TLS 1.2 using the supported_versions extension.
> Looking through RFC 8446 and the mail archives I don’t see anything that
> addresses this, maybe I’ve missed something?
> >
> > RFC 8446 Section 4.1.3:
> >
> >    TLS 1.3 has a downgrade protection mechanism embedded in the server's
> >    random value.  TLS 1.3 servers which negotiate TLS 1.2 or below in
> >    response to a ClientHello MUST set the last 8 bytes of their Random
> >    value specially in their ServerHello.
> >
> >    If negotiating TLS 1.2, TLS 1.3 servers MUST set the last 8 bytes of
> >    their Random value to the bytes:
> >
> >      44 4F 57 4E 47 52 44 01
> >
> >    If negotiating TLS 1.1 or below, TLS 1.3 servers MUST, and TLS 1.2
> >    servers SHOULD, set the last 8 bytes of their ServerHello.Random
> >    value to the bytes:
> >
> >      44 4F 57 4E 47 52 44 00
> >
> >    TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below
> >    MUST check that the last 8 bytes are not equal to either of these
> >    values.  TLS 1.2 clients SHOULD also check that the last 8 bytes are
> >    not equal to the second value if the ServerHello indicates TLS 1.1 or
> >    below.  If a match is found, the client MUST abort the handshake with
> >    an "illegal_parameter" alert.
> >
> > So whenever a TLS 1.3-capable server negotiates a TLS 1.2 or lower
> session it MUST set the appropriate Random values.
> >
> > And a TLS 1.3 client MUST check for these values and abort if found.
> Future TLS versions aren’t mentioned so perhaps one of the use cases I’ll
> mention below is not a concern until the next version is defined and the
> behavior can be adjusted then.
> >
> > Consider the potential cases for the ClientHello supported_versions
> values:
> >
> >
> >   1.  supported_versions = { 0x0305 (TLS 1.4), 0x0303 (TLS 1.2) }
> > Okay, TLS 1.4 doesn’t exist so maybe this can be addressed in the
> future.  If the server supports TLS 1.2 and TLS 1.3, it will negotiate TLS
> 1.2 and add the TLS 1.2 downgrade protection Random value.  The Client will
> see the TLS 1.2 version, check the downgrade protection and abort the
> connection.  But this is not a downgrade issue, this is the only mutually
> acceptable TLS version.
>
> This is analogous to the case of wanting to support TLS 1.0 and 1.2 but
> not 1.1, which did (IIRC) get a little bit of discussion including from
> Andrei Popov.  My recollection is that we didn't really feel a need to
> support "gaps" in supported versions for this downgrade-protection scheme.
>

Prior to supported_versions we didn't have gaps at all. We can now do gaps,
but only starting at TLS 1.3. You're right that gaps which span TLS 1.3 are
problematic. This is related to why we couldn't ship the downgrade signal
in early draft deployments.

Note TLS is still downgrade-protected without this signal by way of the
transcript. The signal fixes some fragilities in the downgrade when you get
all the way down to TLS 1.2.


> >   2.  supported_versions = { 0x0303 (TLS 1.2), 0x0304 (TLS 1.3) }
> > The supported_versions list is in order of client preference, but it’s
> not required that the server respect the preference.  I’ve seen
> implementations which respect the client’s preference and ones which pick
> the highest mutually acceptable version.  If a server supports TLS 1.2 and
> TLS 1.3 and respects the client’s preference it will negotiate TLS 1.2 and
> add the downgrade protection random value.  The client would then abort the
> connection even though this would seem to be a legitimate non-downgrade
> situation  Or can we wave our hands at this and say if a client doesn’t
> prefer TLS 1.3 above TLS 1.2 then it’s not really a true Scotsman TLS 1.3
> client and those MUSTs don’t really apply to it?.
>
> I had forgotten that we implied a potential for client preference of
> supported versions.  We could perhaps debate whether it's "legitimate" for
> a server to prefer 1.2 over 1.3, but I think it's clear that (assuming the
> negotiation is protected by a full transcript hash, as in 1.3 or 1.2 with
> extended master secret) a server negotiating 1.2 in this case should not
> apply the downgrade-protection scheme.
>

(FWIW, our server implementation uses server preference and doesn't pay
attention to the client order.)

Having the server sometimes omit the "PS: I support TLS 1.3" signal in TLS
1.2 ServerHellos would break the protection. The ServerHello random signal
is a hardening measure because TLS 1.2 failed to include the entire
handshake transcript in the ServerKeyExchange signature, only the randoms.
As a result the downgrade protection is rather fragile. This signal takes
advantage of the few pieces which are signed. But because the signature
does not include the ClientHello which triggered it, it's important that
*all* TLS 1.2 ServerHellos from the server include it.

I think a client which advertises something like (2) probably shouldn't
enforce the signal because it apparently doesn't actually prefer TLS 1.3
over TLS 1.2. Better yet, don't advertise (2). :-)

David