IETF Logo Mail Archive

Re: [TLS] PR for anti-downgrade mechanism

Eric Rescorla <ekr@rtfm.com> Sat, 17 October 2015 18:36 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6A571B2C09 for <tls@ietfa.amsl.com>; Sat, 17 Oct 2015 11:36:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CFDVbLi_i8D5 for <tls@ietfa.amsl.com>; Sat, 17 Oct 2015 11:36:15 -0700 (PDT)
Received: from mail-yk0-f174.google.com (mail-yk0-f174.google.com [209.85.160.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 744121B2C07 for <tls@ietf.org>; Sat, 17 Oct 2015 11:36:15 -0700 (PDT)
Received: by ykfy204 with SMTP id y204so111730036ykf.1 for <tls@ietf.org>; Sat, 17 Oct 2015 11:36:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=BAYlUzgOxdB8IO6iwNqAg8sNcuAP1WbuVtoRGyPMafY=; b=AZIgjD0hACnXxw9Iq6jOqPcRzzUifO/8qkuwx2+++KbS2IFGQ5UGi/1OG0tEGQi0AI HrLVlYN3ejBQj3/O9XLvlrXZWz6ME2ZyWbK57a5qQgnL65DUQusAnyYrlXOBc/JmBGqI qD7hLI2OG8T9QOAVVC3hr5DJSyDtK7JrnOwjVs34zq8+OC/VgzOdfdAaXrcOZ5z2DnnC LOX5cRSd1ixOJzGpqYleU6W082KYcKj6Dy6ZgesnfE2c/I2tZZEUsawjEL7jLvOEz644 HR8mXy3swbQ21CGgyMO2wjPo18ndRhFmRYDPPYLNKrwuHfT3U4O11w4S7wCUk+JdDQBH yInw==
X-Gm-Message-State: ALoCoQmKvtInUt+Pwef1RG0t8FCdHk4Jvn0/1rGFrTK13W2wO04KvqvtYLgQblCsSTbn8xKkM5Uw
X-Received: by 10.13.217.207 with SMTP id b198mr14455329ywe.166.1445106974669; Sat, 17 Oct 2015 11:36:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.114.85 with HTTP; Sat, 17 Oct 2015 11:35:35 -0700 (PDT)
In-Reply-To: <02BF1D46-DC94-4D4C-B0E6-5FE0E7D7F95B@gmail.com>
References: <CABcZeBOB9mnQ8bLOCSysnx9LMv0hxrPCA21jTnxAMb3Yom_Aow@mail.gmail.com> <CAFewVt6yin3NhkcLuJfXVy7RKuyPY+7+P4h1fKAyVtAZdpjBfQ@mail.gmail.com> <D22E3AD8-19A1-4CAF-987B-349CE6961284@gmail.com> <CAFewVt484VFa+bUPc41BXVhoYqx1qJdWR4z7c_xjx=Ff_6QZQw@mail.gmail.com> <CABkgnnVEUuWEEpqjRWm9=D7OkDuxvJj7pmX=8RMCU6T_qah5mw@mail.gmail.com> <CAFewVt6kPzMfjKb5deATw4funEa_=Z9G5U-6_QeX1f34abS55g@mail.gmail.com> <CABkgnnW1V6SbbFfjKekCTmWNK6gP1uH2rH4POSkwmycQwtPkoA@mail.gmail.com> <CAFewVt5qXaXGrMi8ids_3pfB7t=zdmmqRqe2N_GXjex_P=Qq1w@mail.gmail.com> <02BF1D46-DC94-4D4C-B0E6-5FE0E7D7F95B@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 17 Oct 2015 11:35:35 -0700
Message-ID: <CABcZeBOzGhTjGo0xJVFCRCGAcw3mLXyUGBb0t1Hu9Rk6PBPd1g@mail.gmail.com>
To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Content-Type: multipart/alternative; boundary="001a114fb244e374c20522512fea"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/pbSMI53GhLR2raXrMxUMSZMe9M4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PR for anti-downgrade mechanism
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Oct 2015 18:36:17 -0000

Trying to close the loop on this, I think people are generally in favor of
this
mechanism, so we just need a concrete construction.

I propose we use an N bit field divided as follows

- N - 8 bits of fixed sentinel.
- 8 bits of version number with the semantics being the highest TLS version
  number supported by the server, encoded with the high nibble being
  the major version and the low version being the minor version. So,
  concretely a TLS 1.3 implementation would use 0x34 here.

I imagine people have opinions about N and the sentinel, but for
concreteness
I suggest that N = 64 bits, and that we use the ASCII string
'DOWNGRD' as the sentinel.

Let the bikeshedding begin!

-Ekr










On Fri, Oct 16, 2015 at 11:23 PM, Karthikeyan Bhargavan <
karthik.bhargavan@gmail.com> wrote:

> Hi Brian, yes, the mechanism proposed here could also be used by TLS 1.2
> implementations to signal each other about their preferred connection
> parameters.
>
> To make most use of the bytes provided, one could use the sentinel value
> to indicate
> support for an extension, which then carries a signed server configuration
> of arbitrary size.
> The attacker would then be unable to downgrade the connection by deleting
> this extension.
>
> False Start is an interesting use case, because
> (a) it sends data before the server has confirmed the chosen
> version/ciphersuite/etc and
> (b) it already tries to prevent downgrades by whitelisting versions and
> ciphersuites.
> Some downgrade attacks fail because of (b), but others are easier to
> exploit because of (a).
> For example, Logjam was easier to mount on False Start clients since the
> attacker could
> collect the False Start data and decrypt it at leisure.
>
> Extended master secret (EMS) provides some additional protection to False
> Start, because the encryption
> keys implicitly include the full handshake transcript and, so if the MitM
> tampers with the connection,
> the False Start data would not be accepted by a server. (However, that
> this would not have prevented Logjam.)
> Moreover, even the EMS extension can be deleted by a MitM.
> The current proposal could protect EMS from downgrade by indicating
> support for it in the server hello.
>
> To sum up, we’re focusing on TLS 1.3 because we have a chance to bake in
> strong downgrade protection
> into its implementations from the very beginning. I think this could be
> useful for older versions too, as an optional
> mechanism which protects clients and servers that both implement it, and
> does not affect others.
>
> -Karthik
>
> On 17 Oct 2015, at 00:34, Brian Smith <brian@briansmith.org> wrote:
>
> On Fri, Oct 16, 2015 at 12:12 PM, Martin Thomson <martin.thomson@gmail.com
> > wrote:
>
>> On 16 October 2015 at 13:39, Brian Smith <brian@briansmith.org> wrote:
>> > That would be especially true for an implementation that does False
>> Start
>> > for TLS 1.2.
>>
>> I don't see how false start plays into this.  We could have clients
>> reject false start if they see this sentinel value.  But don't we want
>> to just treat this as an attack and abort instead?
>>
>
> Yes. The client needs the sentinel to know to abort the connection, if its
> willing to false start with TLS 1.2 when it also support TLS 1.3, right?
>
> Cheers,
> Brian
> --
> https://briansmith.org/
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email