[TLS] Draft 18 review: Downgrade protection

Tue, 22 Nov 2016 10:59:20 -0800 

Hi list,

I am sorry for the very late answer concerning draft 18, but we
(ANSSI) have several remarks after proof-reading the current
specification.

We are sorry for the multiple long messages.

If the WG is interested by some of our concerns/proposals, we would be
glad to propose some PRs.


= Donwgrade protection =

On P.32 (section 4.1.3), the part about downgrade protection mechanism
is not clear enough.  As I understand it, the modified server_random
only occurs with a ServerHello indicating TLS 1.2 or below.  Moreover,
a TLS 1.2 client should only abort the handshake with the TLS 1.1
value, which is not clear in the explanation.  Finally, the
ServerKeyExchange is only defined in TLS 1.2 or below, so it would be
better to add some precision.  Here is a proposal to make these points
more explicit:

   TLS 1.3 has a downgrade protection mechanism embedded in the server's
   random value.  TLS 1.3 server implementations MAY respond to a
   ClientHello indicating only support for TLS 1.2 or below with a
   ServerHello containing the appropriate version field.

   TLS 1.3 server implementations which respond with a TLS 1.2
   ServerHello, MUST set the last eight bytes of their Random value
   to the bytes:

     44 4F 57 4E 47 52 44 01

   TLS 1.3 server implementations which respond with a ServerHello
   indicating support for TLS 1.1 or below SHOULD set the last
   eight bytes of their Random value to the bytes:

     44 4F 57 4E 47 52 44 00

   TLS 1.3 clients receiving a TLS 1.2 or below ServerHello MUST check
   that the last eight octets are not equal to either of these values.
   TLS 1.2 clients SHOULD also check that the last eight bytes are not
   equal to the second value if the ServerHello indicates TLS 1.1 or
   below.  If a match is found, the client MUST abort the handshake
   with an "illegal_parameter" alert.  This mechanism provides limited
   protection against downgrade attacks over and above that provided
   by the Finished exchange: because the ServerKeyExchange, a message
   present in TLS 1.2 and below, includes a signature over both random
   values, it is not possible for an active attacker to modify the
   randoms without detection as long as ephemeral ciphers are used.
   It does not provide downgrade protection when static RSA is used.

I can propose a PR if this makes sense to the WG.


Olivier Levillain

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls

Reply via email to