[TLS] Authenticating incompatible protocols

Martin Thomson <mt@lowentropy.net> Tue, 14 July 2020 01:21 UTC

Date: Tue, 14 Jul 2020 11:21:24 +1000
From: Martin Thomson <mt@lowentropy.net>
To: tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/etA0z0kIaw4vEc1XpRKM7_i6Xy0>
Subject: [TLS] Authenticating incompatible protocols

The work in DNSOP on the SVCB record raised a few awkward questions about the potential for downgrade attacks.  Where protocols aren't compatible -- that is, A is not compatible with B if you can't attempt A and negotiate B -- you don't get downgrade protection.  ALPN only really protects against downgrades with compatible protocols.

With QUIC, and increasing diversity of protocol usage across TLS and DTLS, there are more opportunities for incompatible protocols to be used.

I've done a quick writeup of something that might work:

https://datatracker.ietf.org/doc/draft-thomson-tls-snip/
https://martinthomson.github.io/snip/draft-thomson-tls-snip.html

Thoughts would be appreciated.

As a footnote: this makes some assumptions about the way that ALPN is used.  That is, this relies on the same ALPN not being used in incompatible protocols.  The ALPN registry already lists one counterexample in stun.turn [RFC7443] which can be used over both DTLS and TLS.  I personally think that was a mistake, but I know that others disagree.
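
An added illustration of the distinction drawn in the message above; it is not part of the original message and does not implement draft-thomson-tls-snip. It is a toy model in which a MAC over each peer's view of the handshake stands in for the TLS Finished check; `SECRET`, `handshake`, `connect` and `strip_h2` are hypothetical names and all inputs are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for the secret both peers derive from the key exchange.
SECRET = b"constructed-demo-secret"

def finished(transcript):
    """Toy Finished value: a MAC over the handshake messages one peer saw."""
    digest = hashlib.sha256(b"|".join(transcript)).digest()
    return hmac.new(SECRET, digest, hashlib.sha256).digest()

def handshake(offer, server_prefs, tamper=None):
    """Toy handshake. Returns (selected ALPN or None, downgrade_detected)."""
    client_hello = ",".join(offer).encode()
    on_wire = tamper(client_hello) if tamper else client_hello
    seen = on_wire.decode().split(",")
    selected = next((p for p in server_prefs if p in seen), None)
    if selected is None:
        return None, False  # no common protocol, handshake aborts
    server_hello = selected.encode()
    # Each side MACs its own view; a modified ClientHello makes the views differ.
    server_fin = finished([on_wire, server_hello])
    client_fin = finished([client_hello, server_hello])
    return selected, not hmac.compare_digest(server_fin, client_fin)

def connect(quic_reachable):
    """Hypothetical client: try h3 over QUIC, else fall back to TLS over TCP."""
    if quic_reachable:
        return handshake(["h3"], ["h3"])
    # h3 cannot be offered in a TLS-over-TCP ClientHello, so the fallback
    # transcript never mentions it and there is nothing for Finished to protect.
    return handshake(["h2", "http/1.1"], ["h2", "http/1.1"])

def strip_h2(client_hello):
    """Constructed on-path modification: remove h2 from the ALPN offer."""
    kept = [p for p in client_hello.decode().split(",") if p != "h2"]
    return ",".join(kept).encode()

if __name__ == "__main__":
    print(handshake(["h2", "http/1.1"], ["h2", "http/1.1"]))            # clean
    print(handshake(["h2", "http/1.1"], ["h2", "http/1.1"], strip_h2))  # detected
    print(connect(quic_reachable=False))                                # not detected
```

In the compatible case the modified offer is caught because both protocols share one authenticated transcript; in the fallback case the handshake that completes is unmodified, so no check inside it can fail.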