IETF Logo Mail Archive

Re: [TLS] PR for anti-downgrade mechanism

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 09 October 2015 20:38 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D37C31A1B6E for <tls@ietfa.amsl.com>; Fri, 9 Oct 2015 13:38:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.579
X-Spam-Level:
X-Spam-Status: No, score=-1.579 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MISSING_HEADERS=1.021, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mz3YMzWMvXTU for <tls@ietfa.amsl.com>; Fri, 9 Oct 2015 13:38:01 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FA8E1A1B6B for <tls@ietf.org>; Fri, 9 Oct 2015 13:38:01 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 3D047284B56; Fri, 9 Oct 2015 20:38:00 +0000 (UTC)
Date: Fri, 09 Oct 2015 20:38:00 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
Cc: tls@ietf.org
Message-ID: <20151009203759.GU15070@mournblade.imrryr.org>
References: <CABcZeBOB9mnQ8bLOCSysnx9LMv0hxrPCA21jTnxAMb3Yom_Aow@mail.gmail.com> <201510091615.54305.davemgarrett@gmail.com> <CABcZeBOtp4VLEcAWjBFoXcWJ6f=6vWyvc-MF82R5Ly_f+JrqVw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABcZeBOtp4VLEcAWjBFoXcWJ6f=6vWyvc-MF82R5Ly_f+JrqVw@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/jmOB_DqcsNCC5J53Q-2uBqNQ_j0>
Subject: Re: [TLS] PR for anti-downgrade mechanism
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2015 20:38:03 -0000

On Fri, Oct 09, 2015 at 10:23:09PM +0200, Eric Rescorla wrote:

> It's largely arbitrary, but the reasoning is as follows. There are
> apparently some TLS 1.2 servers which randomly generate the entire server
> random (and https://tools.ietf.org/html/draft-mathewson-no-gmtunixtime-00 would
> encourage more to do so). The chance of a false positive between such
> a server and a TLS 1.3 client is 2^{-32}, which seemed a bit high.

Yes, law of large numbers.  While any one session is unlikely to
fail, the chance of some sessions failing needlessly becomes
appreciable, and some of failures may be have high criticality and
be latency sensitive.  

Of course packet corruption undetected by TCP checksums is perhaps
more likely, and the client should treat this like as data corruption,
rather than a MITM attack, and just reconnect and try again.

The problem is that reconnecting is not something the TLS layer
can do.  And applications might not be instrumented to recover as
quickly or as gracefully as they should.  Plus, not all use of TLS
is over unreliable network transports.  TLS is also used over Unix
domain sockets, where one does not expect either MITM attacks or
data corruption.

So even 2^{-48} is perhaps not quite low enough.  I still think
we're better off fixing serious problems in TLS 1.2 as we find
them regardles of whether the server and client happen to also
support 1.3.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email