Re: [TLS] PR for anti-downgrade mechanism
Eric Rescorla <ekr@rtfm.com> Sat, 17 October 2015 21:17 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 390E51A19E4 for <tls@ietfa.amsl.com>; Sat, 17 Oct 2015 14:17:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FgkklIIhXING for <tls@ietfa.amsl.com>; Sat, 17 Oct 2015 14:17:30 -0700 (PDT)
Received: from mail-yk0-f169.google.com (mail-yk0-f169.google.com [209.85.160.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD77E1A0AF8 for <tls@ietf.org>; Sat, 17 Oct 2015 14:17:29 -0700 (PDT)
Received: by ykdz2 with SMTP id z2so28425276ykd.3 for <tls@ietf.org>; Sat, 17 Oct 2015 14:17:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=v4QFbCrImc61j7leaQGq27DzpzF3kddwc8dal7DAHEg=; b=nEfWxArNdnni8GOoFyg/u06IzCfQbaqoVFcIaZ+kGM2sIdKk0lNZX+vRVugGor4ygV wFuhzopxX58inD2POZFxh4ciiZQPvAysw7LliBcuPP3wlObFZGVu0SpVdBmuzYpe9tDg vitGeRdgPTvKP+Os8mI0JHXMMmD3+Z16PU0kQUJ8DBkhNFi46ieiMkeXRxa4zHJKHxWT HH+mNgfW/B0obo9eI4EBI0btTEfnms288jR1PUwDD8FDEllMhzSRRbCGk/p6H8Otl+An oU4TuHiw4RRVwvJ2u4D51Y1kGahfOD2K38ZKiI2bVEmrDUG88jkXQINGo65Kv+BGYffG xj8g==
X-Gm-Message-State: ALoCoQl8vezZFeUue81Xv/5DbcKAb/N2/oGbxi8SAWHPbSwACfa1g148CR55BDIDP384EkHFqhFY
X-Received: by 10.129.89.131 with SMTP id n125mr6946941ywb.61.1445116649121; Sat, 17 Oct 2015 14:17:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.114.85 with HTTP; Sat, 17 Oct 2015 14:16:49 -0700 (PDT)
In-Reply-To: <201510171708.16547.davemgarrett@gmail.com>
References: <CABcZeBOB9mnQ8bLOCSysnx9LMv0hxrPCA21jTnxAMb3Yom_Aow@mail.gmail.com> <CABcZeBMScyzd6+3aQc1+F+6gAnnJx16GpVqiojVkRPuTaj+Gbg@mail.gmail.com> <CABkgnnXjkky5CksdqR62ZRB4iQ9BKoibxXz3gMC+-hhvHKXFng@mail.gmail.com> <201510171708.16547.davemgarrett@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 17 Oct 2015 14:16:49 -0700
Message-ID: <CABcZeBOzJkdjC-NnjPcHtoU_6rmEMPqj4Y7xKuA=CHZLT9r49w@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: multipart/alternative; boundary="001a114920c687dfcc05225370d6"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/w4bMFCclUbsZT1IIfzBpAWdbtL4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PR for anti-downgrade mechanism
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Oct 2015 21:17:31 -0000
On Sat, Oct 17, 2015 at 2:08 PM, Dave Garrett <davemgarrett@gmail.com> wrote: > On Saturday, October 17, 2015 03:10:18 pm Martin Thomson wrote: > > The observation is still valuable in the sense that prohibiting values > > > 1.3 would reduce the likelihood of a false positive by some > > miniscule amount. In other words, I agree with ekr here, though we > > could cap the value to 1.3. > > > > Maybe we could just define two values: one for TLS 1.3 (and greater, > > presumably) and one for TLS 1.2. I don't see any value in protecting > > 1.1 or 1.0 from downgrade any more given relative prevalence of those > > protocols and their age. > > Two values seems like a good compromise to me if one isn't considered > sufficient. I don't particularly want them changing in the future so old > (e.g. TLS 1.3, in a future with TLS 1.4+) implementations don't need to > worry about seeing something new here and making a mistake. Checks would be > for one of two 64-bit values, rather than 56-bit values with a byte with a > possibly unknown value My assumption here was that the client would do the following: 1. Look to see if the server negotiated its highest version. If so, then all is good. 2. If the server did not negotiate the highest version, then look for the sentinel. If it's set, you have a downgrade. 3. (Optional) If you have a downgrade, parse the last byte to see the server's actual version. In any case, abort. What have I missed? -Ekr > > > Dave >
- [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Yngve N. Pettersen
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Short, Todd
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Salz, Rich
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Short, Todd
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism David Benjamin
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Christian Huitema
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Christian Huitema
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Christian Huitema
- Re: [TLS] PR for anti-downgrade mechanism Colm MacCárthaigh
- Re: [TLS] PR for anti-downgrade mechanism Colm MacCárthaigh
- Re: [TLS] PR for anti-downgrade mechanism Joseph Salowey