Re: [TLS] Draft 18 review: Downgrade protection
Hi, > Thanks for your comments. I do want this section to be clear. > > It would be very helpful if you formatted this as a PR. That would make it > easier to understand the changes in this text. The text has been proposed as PR 775 (https://github.com/tlswg/tls13-spec/pull/775). olivier ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Draft 18 review: Downgrade protection
Hi Olivier, Thanks for your comments. I do want this section to be clear. It would be very helpful if you formatted this as a PR. That would make it easier to understand the changes in this text. Thanks, -Ekr On Tue, Nov 22, 2016 at 11:01 AM, Olivier Levillain < olivier.levill...@ssi.gouv.fr> wrote: > Hi list, > > I am sorry for the very late answer concerning draft 18, but we > (ANSSI) have several remarks after proof-reading the current > specification. > > We are sorry for the multiple long messages. > > If the WG is interested by some of our concerns/proposals, we would be > glad to propose some PRs. > > > = Donwgrade protection = > > On P.32 (section 4.1.3), the part about downgrade protection mechanism > is not clear enough. As I understand it, the modified server_random > only occurs with a ServerHello indicating TLS 1.2 or below. Moreover, > a TLS 1.2 client should only abort the handshake with the TLS 1.1 > value, which is not clear in the explanation. Finally, the > ServerKeyExchange is only defined in TLS 1.2 or below, so it would be > better to add some precision. Here is a proposal to make these points > more explicit: > >TLS 1.3 has a downgrade protection mechanism embedded in the server's >random value. TLS 1.3 server implementations MAY respond to a >ClientHello indicating only support for TLS 1.2 or below with a >ServerHello containing the appropriate version field. > >TLS 1.3 server implementations which respond with a TLS 1.2 >ServerHello, MUST set the last eight bytes of their Random value >to the bytes: > > 44 4F 57 4E 47 52 44 01 > >TLS 1.3 server implementations which respond with a ServerHello >indicating support for TLS 1.1 or below SHOULD set the last >eight bytes of their Random value to the bytes: > > 44 4F 57 4E 47 52 44 00 > >TLS 1.3 clients receiving a TLS 1.2 or below ServerHello MUST check >that the last eight octets are not equal to either of these values. >TLS 1.2 clients SHOULD also check that the last eight bytes are not >equal to the second value if the ServerHello indicates TLS 1.1 or >below. If a match is found, the client MUST abort the handshake >with an "illegal_parameter" alert. This mechanism provides limited >protection against downgrade attacks over and above that provided >by the Finished exchange: because the ServerKeyExchange, a message >present in TLS 1.2 and below, includes a signature over both random >values, it is not possible for an active attacker to modify the >randoms without detection as long as ephemeral ciphers are used. >It does not provide downgrade protection when static RSA is used. > > I can propose a PR if this makes sense to the WG. > > > Olivier Levillain > > ___ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
[TLS] Draft 18 review: Downgrade protection
Hi list, I am sorry for the very late answer concerning draft 18, but we (ANSSI) have several remarks after proof-reading the current specification. We are sorry for the multiple long messages. If the WG is interested by some of our concerns/proposals, we would be glad to propose some PRs. = Donwgrade protection = On P.32 (section 4.1.3), the part about downgrade protection mechanism is not clear enough. As I understand it, the modified server_random only occurs with a ServerHello indicating TLS 1.2 or below. Moreover, a TLS 1.2 client should only abort the handshake with the TLS 1.1 value, which is not clear in the explanation. Finally, the ServerKeyExchange is only defined in TLS 1.2 or below, so it would be better to add some precision. Here is a proposal to make these points more explicit: TLS 1.3 has a downgrade protection mechanism embedded in the server's random value. TLS 1.3 server implementations MAY respond to a ClientHello indicating only support for TLS 1.2 or below with a ServerHello containing the appropriate version field. TLS 1.3 server implementations which respond with a TLS 1.2 ServerHello, MUST set the last eight bytes of their Random value to the bytes: 44 4F 57 4E 47 52 44 01 TLS 1.3 server implementations which respond with a ServerHello indicating support for TLS 1.1 or below SHOULD set the last eight bytes of their Random value to the bytes: 44 4F 57 4E 47 52 44 00 TLS 1.3 clients receiving a TLS 1.2 or below ServerHello MUST check that the last eight octets are not equal to either of these values. TLS 1.2 clients SHOULD also check that the last eight bytes are not equal to the second value if the ServerHello indicates TLS 1.1 or below. If a match is found, the client MUST abort the handshake with an "illegal_parameter" alert. This mechanism provides limited protection against downgrade attacks over and above that provided by the Finished exchange: because the ServerKeyExchange, a message present in TLS 1.2 and below, includes a signature over both random values, it is not possible for an active attacker to modify the randoms without detection as long as ephemeral ciphers are used. It does not provide downgrade protection when static RSA is used. I can propose a PR if this makes sense to the WG. Olivier Levillain ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls