IETF Logo Mail Archive

Re: [TLS] PR for anti-downgrade mechanism

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Sat, 10 October 2015 01:01 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D4BE1B2EBE for <tls@ietfa.amsl.com>; Fri, 9 Oct 2015 18:01:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tPJToJSVmEBd for <tls@ietfa.amsl.com>; Fri, 9 Oct 2015 18:01:52 -0700 (PDT)
Received: from mail-wi0-x22c.google.com (mail-wi0-x22c.google.com [IPv6:2a00:1450:400c:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C9151B2EC6 for <tls@ietf.org>; Fri, 9 Oct 2015 18:01:51 -0700 (PDT)
Received: by wicge5 with SMTP id ge5so88845412wic.0 for <tls@ietf.org>; Fri, 09 Oct 2015 18:01:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=IvrHfv5m9QtOvHBCYvpO/em4zgTRFYle8WOhhJxL7FI=; b=s6xiKNEIGkWD7RtUix9evcnRYaUlOSk5QV9m51j5O/jHqkUzIIBh8pwQnQXPuC/jVQ OSXYPi9QBXhv/pCNaGfcAVLUbgDTaRhHNgfvaM4WQHxZ6GNDMHSV6aYnP4GtBVzp8CT6 8IWIVUDLxmGTFFKGRqlzZ7hbBEYgBOXSztse/xSfpM8V6i7oV8xVAgZ4ROrnfgpTTbs5 LFcKzT4n6qLZ1FduAXDoHEDjs5rOXJb4rzncdONlknNPCP5Vb2C83zbdeA9L3Wnd94Pt fMMSBSvm8awCfAickf/4lk0N1SdVE9jzJgEPp80vVjDWGqQw7hB3pIvIHhu6SUGL90KW WW7g==
X-Received: by 10.194.82.198 with SMTP id k6mr17330899wjy.139.1444438910581; Fri, 09 Oct 2015 18:01:50 -0700 (PDT)
Received: from [192.168.0.12] (89-156-8-219.rev.numericable.fr. [89.156.8.219]) by smtp.gmail.com with ESMTPSA id ly4sm5050932wjb.4.2015.10.09.18.01.49 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 09 Oct 2015 18:01:49 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
In-Reply-To: <CAFewVt6yin3NhkcLuJfXVy7RKuyPY+7+P4h1fKAyVtAZdpjBfQ@mail.gmail.com>
Date: Sat, 10 Oct 2015 03:01:48 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <D22E3AD8-19A1-4CAF-987B-349CE6961284@gmail.com>
References: <CABcZeBOB9mnQ8bLOCSysnx9LMv0hxrPCA21jTnxAMb3Yom_Aow@mail.gmail.com> <CAFewVt6yin3NhkcLuJfXVy7RKuyPY+7+P4h1fKAyVtAZdpjBfQ@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/gc0Q3w40db7HbHleUwPIzc_xsTA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PR for anti-downgrade mechanism
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Oct 2015 01:01:54 -0000

> 1. Why would the server ever receive a TLS 1.2 or below ClientHello from a client that supports TLS 1.3? Why doesn't the already-standardized downgrade SCSV mechanism work for those cases?

The attack we’re protecting against is the following:
- a TLS 1.3 client sends a client hello and the MitM changes the version field to TLS 1.0 (say) with some weak signature-based ciphersuite (e.g. DHE/DHE-EXPORT + AES-CBC)
- for good measure, the MitM also drops any protocol extensions that are inconvenient (e.g. FFDHE/extended master secret/…)
- the TLS 1.3 server thinks the client does not support TLS 1.3 and so falls back to the requested protocol
- in TLS 1.0, the server signature does not include the version, ciphersuite, or extensions, so the client accepts the server flight and computes a master secret and finished message

Now, the crucial step is that if the downgraded protocol is so weak that the attacker can (with some computational effort) forge the server’s finished message, the connection will complete.
There are some instances in which the attacker may be able to achieve this: by breaking SHA-1, or a weak DHE group, by redoing some variation of the triple handshake attack, or by 
exploiting some software bug in a rarely used low-preference ciphersuite. Note that the client did not fallback, the server did, so Fallback SCSV does not apply.

The key observation is that downgrade protection in TLS 1.2 (and below) relies on the Finished MAC, but the elements that go into computing this MAC (DH group, hash algorithm)
are themselves negotiated within the handshake and may be downgraded. This is a fundamental protocol limitation that is addressed by TLS 1.3. Now, our goal is to protect TLS 1.3 itself
from older protocol versions.

From an academic researcher’s viewpoint, there are two reasons to suggest such a countermeasure. 
1) Historically, signalling the ciphersuite in the server signature would have prevented high-profile attacks like FREAK, Logjam, and the cross-protocol attack between ECDHE/DHE in 2012.
    I agree that trying to protect from potential attacks may seem speculative, but the idea is to provide some additional protection against future attacks even if all TLS clients and servers are not immediately patched.
2) Looking forward, a number of researchers would like to give a strong security theorem for TLS 1.3, but at present we would not be able to guarantee security for any TLS 1.3 implementation 
    that also implements older protocol versions, because we would then also have to prove secure all the ciphersuites used in these old versions (some of which are certainly broken from the
    point of view of provable security). For our proofs, we’d like nothing better than to be able to assume that older versions of TLS have been disabled, but I guess that is unlikely to happen soon.


It would have been nice not to rely on a “clever” trick, but we could not see how else to add any mechanism that could itself not be deleted by an attacker in older versions. 
TLS has a long history of signalling downgrades in strange ways.  The RSA PMS still includes the protocol version due to an old SSL3->SSL2 downgrade attack. 
The Fallback SCSV is a signal encoded in a bogus ciphersuite, because SSL3 does not support extensions. 
These are all unfortunate hacks, made necessary by the limited handshake protections in older versions.
The chief benefit is that we can then protect clients and servers that implement our brand new protocol version.

Best,
Karthik



> 
> Cheers,
> Brian
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email