IETF Logo Mail Archive

Re: [TLS] PR for anti-downgrade mechanism

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Fri, 09 October 2015 12:48 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3DF31B3340 for <tls@ietfa.amsl.com>; Fri, 9 Oct 2015 05:48:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YSIkcyVSfI2s for <tls@ietfa.amsl.com>; Fri, 9 Oct 2015 05:48:44 -0700 (PDT)
Received: from mail-wi0-x230.google.com (mail-wi0-x230.google.com [IPv6:2a00:1450:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA8B31B3339 for <tls@ietf.org>; Fri, 9 Oct 2015 05:48:42 -0700 (PDT)
Received: by wicfx3 with SMTP id fx3so65367305wic.0 for <tls@ietf.org>; Fri, 09 Oct 2015 05:48:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=5z+Sm+UmCb7AcRRZ8u+fqWHxUzG7rg+lOu+ar0j0oUM=; b=b2TvnUSwfHQGexbezzU/WBGXx+aUp+Q/gYnQoOJXWmzfFosn5uFvd9mYgQHDoZX1Xt l6m7S42eBhsBDqrw0FMj87qOkmouE8o/4Z91ZlJJKDiFg4p6kmvqfPmHPPsk2tmNDEeo CW6Cfp4UvUABQlAa+kDXB2nEr7dX8O7OccbEpR0qhbXI3EetvroZJKno/SqhuaAzHGtc VygUDAemlmwjjemk5Q2B/nqMUwDst5mm+4707lMW6HDUXCqm/VxMb+6tizfpH3nJExGX LihXo6bXk1IQQAvRDB0lMgCZdtu54wXOvJ2uYJJuSzvvYtVL41hE1jE5a3MirtOMsmYh G+Eg==
X-Received: by 10.180.188.47 with SMTP id fx15mr10029333wic.41.1444394921141; Fri, 09 Oct 2015 05:48:41 -0700 (PDT)
Received: from wifi-auth-191208.inria.fr (wifi-auth-191208.inria.fr. [128.93.191.208]) by smtp.gmail.com with ESMTPSA id kr10sm1949033wjc.25.2015.10.09.05.48.39 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 09 Oct 2015 05:48:40 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_787FDD53-BCDC-4337-845D-AF6256421D26"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
In-Reply-To: <CABcZeBOB9mnQ8bLOCSysnx9LMv0hxrPCA21jTnxAMb3Yom_Aow@mail.gmail.com>
Date: Fri, 09 Oct 2015 14:48:38 +0200
Message-Id: <B6621FBD-8C45-43CC-96BB-FD71F279E339@gmail.com>
References: <CABcZeBOB9mnQ8bLOCSysnx9LMv0hxrPCA21jTnxAMb3Yom_Aow@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/sZX9ursx4ePK2Zr-yflO2nUtiQY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PR for anti-downgrade mechanism
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2015 12:48:46 -0000

A few more words on this proposal.

- The goal is to protect TLS 1.3 clients and servers from attacks on TLS 1.* ciphersuites.
   E.g. if a new attack on the MD5 | SHA1 concatenation in TLS 1.0 is announced, 
   connections between TLS 1.3 clients and servers would still be protected.
   Similarly, if the Apache default 1024-bit DHE group is broken, connections between
   TLS 1.3 clients and servers remain unaffected.
   (In the current TLS 1.3 design, an attacker could downgrade the connection and break
    it in both these cases. No, the fallback SCSV does not help.)

- We propose to fix the first N bits of the server random, but we can carry whatever information we want here.
   Protocol version + ciphersuite sounds like a good start to use up 4 bytes.
   (This would, for example, have protected TLS 1.2 against the Logjam attack on TLS 1.0.)

- The key idea is that the server random is signed even in older versions of TLS, and so
   we will get downgrade protection for free, without modifying these older versions in any way.
   (A protocol extension for TLS 1.* would not work, since the extension itself could be deleted by the attacker.)

- The first 4 bytes were traditionally used for a timestamp, so using (say) 4 bytes in a new way 
  does not lose entropy/replay-protection in comparison for servers that implement timestamps. 
  However, we do lose some replay-protection when compared to servers that use the full 32 bytes. 

- There is a 1/(2^N) chance that valid connections to TLS 1.2 servers will be dropped by
   TLS 1.3 clients, because of this proposal. This only happens for servers that do not 
   use the unix timestamp (the current timestamp is greater than 0304xxxx).
   Still, we need to carefully choose N so that this risk of connection dropping is acceptable.

- The proposed mechanism only protects TLS 1.3 clients and servers that exclusively support 	
   signature-based ciphersuites (DHE/ECDHE) even for older versions of TLS. E.g. it does not 
   protect against downgrade to RSA or PSK ciphersuites. 

- We note that RSA ciphersuites already provide a version downgrade mitigation, 
  although it has itself caused many headaches due to bleichenbacher attacks.
  But if a server implements good side-channel resistance to bleichenbacher attacks,
  TLS 1.3 can be protected from downgrades to both RSA and (EC)DHE ciphersuites in
  older protocol versions.



> On 09 Oct 2015, at 14:23, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> Hi folks,
> 
> Please take a look at the following PR which documents a suggestion
> made by Karthik Bhargavan about how to prevent protection against
> downgrade against downgrade from TLS 1.3 to TLS 1.2 and below.
> 
>   https://github.com/tlswg/tls13-spec/pull/284 <https://github.com/tlswg/tls13-spec/pull/284>
> 
> The idea is that if a TLS 1.3 server receives a TLS 1.2 or below
> ClientHello, it sets the top N bits of the ServerRandom to be a
> specific fixed value. TLS 1.3 clients which receive a TLS 1.2 or below
> ServerHello check for this value and abort if they receive it. This
> allows for detection of downgrade attacks over and above the Finished
> handshake as long as ephemeral cipher suites are used (because the
> signature on the ServerKeyExchange covers the random values). No
> protection is provided for static RSA cipher suites, but this still
> has some value if you have an attack which only affects (EC)DHE.
> 
> I've written this up with 48 bits and a specific fixed value (03 04 03
> 04 03 04) but that's just a strawman and we can bikeshed on that if
> people think this is a good idea.
> 
> Thanks,
> -Ekr
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email