Re: [TLS] One approach to rollback protection
"Yngve N. Pettersen" <yngve@opera.com> Wed, 28 September 2011 21:14 UTC
Return-Path: <yngve@opera.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6ADE21F8DD9 for <tls@ietfa.amsl.com>; Wed, 28 Sep 2011 14:14:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.564
X-Spam-Level:
X-Spam-Status: No, score=-6.564 tagged_above=-999 required=5 tests=[AWL=0.035, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h2bjM39N+JBp for <tls@ietfa.amsl.com>; Wed, 28 Sep 2011 14:14:56 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by ietfa.amsl.com (Postfix) with ESMTP id A6C0921F8DD8 for <tls@ietf.org>; Wed, 28 Sep 2011 14:14:55 -0700 (PDT)
Received: from lessa-ii.oslo.os (pat-tdc.opera.com [213.236.208.22]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id p8SLHccX026190 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 28 Sep 2011 21:17:41 GMT
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: tls@ietf.org, Eric Rescorla <ekr@rtfm.com>
References: <CABcZeBNFtVBh7a=j4LE73Q0c-W8KGe4aKNBVZam1qOZr=aRaRQ@mail.gmail.com>
Date: Wed, 28 Sep 2011 23:17:48 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen" <yngve@opera.com>
Organization: Opera Software ASA
Message-ID: <op.v2jery1vkvaitl@lessa-ii.oslo.os>
In-Reply-To: <CABcZeBNFtVBh7a=j4LE73Q0c-W8KGe4aKNBVZam1qOZr=aRaRQ@mail.gmail.com>
User-Agent: Opera Mail/10.62 (Win32)
Subject: Re: [TLS] One approach to rollback protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2011 21:14:56 -0000
Hi, I am not sure I like this proposal, for several reasons: - It does not protect against downgrades when connecting to older servers. (rather impossible to do that, of course) - As noted, it is not protected against a compromised handshake integrity function of an older version, but I guess the handshake version could be changed in such a case. - Forward compatibility. How does a X-year old server that support TLS 1.2 understand that that new cipher suite code point is not some new cipher it does not support, but an indication that the client support TLS 1.5? The codepoints would have to not just be predictable, but the codepoints would also have to work for TLS NG using protocol version 4.1. How far ahead do we reserve codepoints, how much of the ciphersuite codepoint space will this eat up? Or do we assume that any TLS 1.2+ server is version and extension tolerant, so TLS 1.2 is the highest version we will ever need to assign a code point for? - There is no way (at least in the draft) for the client to know that the server understands the SCSV, and processed it correctly. And I can see no possibility expect requiring the server to return a special extension signaling that, similar to the requirement for the Renego SCSV. - How easy would it be for a server or client implementor to get it wrong? - How does the server tell the client that it should always negotiated with the highest supported version when connecting? The server may send a fatal error, but it does not really tell the client what is wrong, or that it should be trying its highest supported version. IMO The best way to stop version rollbacks occurring is to not allow them, at all. Unfortunately, however, for a time it will still be necessary, for interoperability reasons, to allow fallbacks if the server is intolerant. That means finding, or declaring, that certain indications from the server, protected by the handshake hash, means that the server will not willingly require rollback to an older version. This could be either a new extension (which runs up against the extension intolerance problem, and the possibility of an attacker faking the intolerance) or we could use an existing extension to indicate this. As I have mentioned earlier, I think the second option is best, and that I think it already exists in the form of the Renego Indication (RI) Extension. My suggestion is that when a client detects that a server have the RI extension, it MUST only use the highest configured version when connecting to that server. If a server not known to have RI triggers a fallback, and turns out to have RI support, it should immediately start using the highest supported version, and not fall back to an older version if the negotiation fails. Sure, this is a bit of a hack, too, but it is one that can be deployed quickly (60+% of servers already support RI) without any further server updates, it need only be implemented client side, and the current server failure rate is less than 0.1% of all tested servers when signalling TLS 1.1, TLS 1.2, or extensions (which is the major part of the failures), totaling only a few hundred sites in my sample (and I think these will be straightened out in short order once they start failing in all clients). Any server that would implement a check for these SCSVs would (or should) also already: - Be extension tolerant - Be version tolerant - Implement the RI extension If the RI is used as an indication of tolerance then the only way an attacker would be able to force a downgrade would be if he is able to fake the Finished message, a problem that this document admits also exists for the SCSV suggestion. I therefore think using RI as an indicator will be a better solution (there is no perfect solution, unfortunately) On Tue, 27 Sep 2011 01:44:18 +0200, Eric Rescorla <ekr@rtfm.com> wrote: > I've been doing some thinking about how to prevent rollback to > TLS 1.0/SSLv3 from TLS 1.1-capable agents. > > Since there's very little deployment of TLS 1.1+, basically anything > we do now will roll out more or less in parallel with TLS 1.1 deployment, > as long as it's backward compatible.The obvious technique here is to > stuff the relevant indicator in the cipher suites list, since we know > that > servers ignore unknown entries there. > > I've taken an initial crack at a draft for this: > http://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-version-cs.txt > > -Ekr > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- Sincerely, Yngve N. Pettersen ******************************************************************** Senior Developer Email: yngve@opera.com Opera Software ASA http://www.opera.com/ Phone: +47 24 16 42 60 Fax: +47 24 16 40 01 ********************************************************************
- [TLS] One approach to rollback protection Eric Rescorla
- Re: [TLS] One approach to rollback protection Eric Rescorla
- Re: [TLS] One approach to rollback protection Nico Williams
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Eric Rescorla
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Eric Rescorla
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Adam Langley
- Re: [TLS] One approach to rollback protection Eric Rescorla
- Re: [TLS] One approach to rollback protection Eric Rescorla
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Adam Langley
- Re: [TLS] One approach to rollback protection Marsh Ray
- Re: [TLS] One approach to rollback protection Juho Vähä-Herttua
- Re: [TLS] One approach to rollback protection Nikos Mavrogiannopoulos
- Re: [TLS] One approach to rollback protection Yoav Nir
- Re: [TLS] One approach to rollback protection Dan Winship
- Re: [TLS] One approach to rollback protection Nikos Mavrogiannopoulos
- Re: [TLS] One approach to rollback protection Badra
- Re: [TLS] One approach to rollback protection Matt McCutchen
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Yngve N. Pettersen
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Nikos Mavrogiannopoulos
- Re: [TLS] One approach to rollback protection Martin Rex