Re: [TLS] PR for anti-downgrade mechanism
Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 17 October 2015 19:00 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0AD91B2C76 for <tls@ietfa.amsl.com>; Sat, 17 Oct 2015 12:00:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iSIHZ6KJ4YtA for <tls@ietfa.amsl.com>; Sat, 17 Oct 2015 12:00:53 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDD7D1B2C5F for <tls@ietf.org>; Sat, 17 Oct 2015 12:00:43 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 13DFC284B56; Sat, 17 Oct 2015 19:00:37 +0000 (UTC)
Date: Sat, 17 Oct 2015 19:00:37 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20151017190036.GD15070@mournblade.imrryr.org>
References: <CABcZeBOB9mnQ8bLOCSysnx9LMv0hxrPCA21jTnxAMb3Yom_Aow@mail.gmail.com> <CAFewVt6yin3NhkcLuJfXVy7RKuyPY+7+P4h1fKAyVtAZdpjBfQ@mail.gmail.com> <D22E3AD8-19A1-4CAF-987B-349CE6961284@gmail.com> <CAFewVt484VFa+bUPc41BXVhoYqx1qJdWR4z7c_xjx=Ff_6QZQw@mail.gmail.com> <CABkgnnVEUuWEEpqjRWm9=D7OkDuxvJj7pmX=8RMCU6T_qah5mw@mail.gmail.com> <CAFewVt6kPzMfjKb5deATw4funEa_=Z9G5U-6_QeX1f34abS55g@mail.gmail.com> <CABkgnnW1V6SbbFfjKekCTmWNK6gP1uH2rH4POSkwmycQwtPkoA@mail.gmail.com> <CAFewVt5qXaXGrMi8ids_3pfB7t=zdmmqRqe2N_GXjex_P=Qq1w@mail.gmail.com> <02BF1D46-DC94-4D4C-B0E6-5FE0E7D7F95B@gmail.com> <CABcZeBOzGhTjGo0xJVFCRCGAcw3mLXyUGBb0t1Hu9Rk6PBPd1g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABcZeBOzGhTjGo0xJVFCRCGAcw3mLXyUGBb0t1Hu9Rk6PBPd1g@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/tqPqyekg0jtlcq96SzXgg3A1uLQ>
Subject: Re: [TLS] PR for anti-downgrade mechanism
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Oct 2015 19:00:55 -0000
On Sat, Oct 17, 2015 at 11:35:35AM -0700, Eric Rescorla wrote: > Trying to close the loop on this, I think people are generally in favor of > this > mechanism, so we just need a concrete construction. > > I propose we use an N bit field divided as follows > > - N - 8 bits of fixed sentinel. > - 8 bits of version number with the semantics being the highest TLS version > number supported by the server, encoded with the high nibble being > the major version and the low version being the minor version. So, > concretely a TLS 1.3 implementation would use 0x34 here. > > I imagine people have opinions about N and the sentinel, but for > concreteness > I suggest that N = 64 bits, and that we use the ASCII string > 'DOWNGRD' as the sentinel. > > Let the bikeshedding begin! IIRC for TLS >= 1.3 the entire server hello (as part of a session transcript digest that includes it) is signed with the key exchange. So TLS 1.3 already protects against rollbacks from 1.4 to 1.3. If so, is it necessary to have a variable high octet? Just a single fixed patter signalling ">= 1.3" would then suffice. I must admit to not have looked closely, so perhaps wrong end of the stick... If the above is however correct, I think simpler is better, over-engineering this work-around "side-channel" is I think unwise. This seems to be a protection against rollback to TLS < 1.3, for TLS >= 1.3, the protocol should solve any issues more naturally than by overloading the server-random. -- Viktor.
- [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Yngve N. Pettersen
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Short, Todd
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Salz, Rich
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Short, Todd
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism David Benjamin
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Christian Huitema
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Christian Huitema
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Christian Huitema
- Re: [TLS] PR for anti-downgrade mechanism Colm MacCárthaigh
- Re: [TLS] PR for anti-downgrade mechanism Colm MacCárthaigh
- Re: [TLS] PR for anti-downgrade mechanism Joseph Salowey