[TLS] PR for anti-downgrade mechanism

Eric Rescorla <ekr@rtfm.com> Fri, 09 October 2015 12:24 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 09 Oct 2015 14:23:30 +0200
Message-ID: <CABcZeBOB9mnQ8bLOCSysnx9LMv0hxrPCA21jTnxAMb3Yom_Aow@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/xW4-BzhmJOCb-v7z7Jd0Yi4QA7s>
Subject: [TLS] PR for anti-downgrade mechanism
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>

Hi folks,

Please take a look at the following PR, which documents a suggestion
made by Karthik Bhargavan about how to protect against downgrade from
TLS 1.3 to TLS 1.2 and below.

  https://github.com/tlswg/tls13-spec/pull/284

The idea is that if a TLS 1.3 server receives a TLS 1.2 or below
ClientHello, it sets the top N bits of the ServerRandom to be a
specific fixed value. TLS 1.3 clients which receive a TLS 1.2 or below
ServerHello check for this value and abort if they receive it. This
allows for detection of downgrade attacks over and above the Finished
handshake as long as ephemeral cipher suites are used (because the
signature on the ServerKeyExchange covers the random values). No
protection is provided for static RSA cipher suites, but this still
has some value if you have an attack which only affects (EC)DHE.

I've written this up with 48 bits and a specific fixed value (03 04 03
04 03 04) but that's just a strawman and we can bikeshed on that if
people think this is a good idea.

Thanks,
-Ekr
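The Hello exchange described in the message, modelled as an added Python example. This is not code from the email, from PR 284, or from any TLS implementation: the version constants are the standard wire codes, the 48-bit sentinel and its placement in the top bytes of ServerRandom follow the strawman above, and the function names and the `mitm_client_max` knob (which stands in for a middlebox rewriting the version the client advertised) are invented here for illustration.

```python
"""Toy model of the ServerRandom downgrade sentinel from the message above.

Server side: a TLS 1.3-capable server that ends up negotiating TLS 1.2 or
below stamps a fixed value into the top 48 bits of ServerHello.random.
Client side: a TLS 1.3-capable client that receives a pre-1.3 ServerHello
aborts if it sees that value. Clients and servers that only speak 1.2 never
look at or emit it, so legacy interop is untouched.
"""
import os
from typing import Optional

# TLS ProtocolVersion codes as sent on the wire.
TLS_1_0, TLS_1_1, TLS_1_2, TLS_1_3 = 0x0301, 0x0302, 0x0303, 0x0304

# Strawman from the email: 48 bits, value 03 04 03 04 03 04, in the top bytes.
SENTINEL = bytes.fromhex("030403040304")
RANDOM_LEN = 32  # ServerHello.random is 32 bytes in TLS 1.2 and 1.3


class DowngradeDetected(Exception):
    """Raised by a 1.3-capable client that sees the sentinel in a pre-1.3 ServerHello."""


def negotiate_version(server_max: int, client_max: int) -> int:
    """Model of the usual rule: highest version both sides support."""
    return min(server_max, client_max)


def make_server_random(server_max: int, negotiated: int, rng=os.urandom) -> bytes:
    """Server side. Only a 1.3-capable server negotiating below 1.3 emits the sentinel."""
    if server_max >= TLS_1_3 and negotiated < TLS_1_3:
        return SENTINEL + rng(RANDOM_LEN - len(SENTINEL))
    return rng(RANDOM_LEN)


def client_check(client_max: int, server_version: int, server_random: bytes) -> None:
    """Client side. A 1.2-only client skips the check entirely (client_max < 1.3)."""
    if len(server_random) != RANDOM_LEN:
        raise ValueError("ServerHello.random must be 32 bytes")
    if (client_max >= TLS_1_3 and server_version < TLS_1_3
            and server_random[: len(SENTINEL)] == SENTINEL):
        raise DowngradeDetected(
            f"server is 1.3-capable but negotiated {server_version:#06x}")


def handshake(client_max: int, server_max: int,
              mitm_client_max: Optional[int] = None) -> str:
    """Run the Hello exchange and report the client's verdict.

    mitm_client_max (hypothetical knob) is the version the server actually sees
    after a middlebox rewrites the ClientHello; None means no tampering.
    Returns "ok:<negotiated version>" or "aborted".
    """
    seen_by_server = client_max if mitm_client_max is None else mitm_client_max
    negotiated = negotiate_version(server_max, seen_by_server)
    server_random = make_server_random(server_max, negotiated)
    try:
        client_check(client_max, negotiated, server_random)
    except DowngradeDetected:
        return "aborted"
    return f"ok:{negotiated:#06x}"


if __name__ == "__main__":
    print(handshake(TLS_1_3, TLS_1_3))                            # both sides 1.3
    print(handshake(TLS_1_3, TLS_1_2))                            # genuinely old server
    print(handshake(TLS_1_2, TLS_1_3))                            # legacy client ignores sentinel
    print(handshake(TLS_1_3, TLS_1_3, mitm_client_max=TLS_1_2))   # downgrade caught
```

Two things the model leaves out, both already in the message: the client's verdict only carries weight when the ServerRandom it inspects is authenticated before Finished, i.e. when the ServerKeyExchange signature of an (EC)DHE suite covers the random values; and a genuinely pre-1.3 server emits the 6-byte pattern by chance with probability 2^-48 per handshake, which is the cost of the 48-bit strawman and part of what the bikeshedding would settle.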