Hi list, I am sorry for the very late answer concerning draft 18, but we (ANSSI) have several remarks after proof-reading the current specification.
We are sorry for the multiple long messages. If the WG is interested by some of our concerns/proposals, we would be glad to propose some PRs. = Donwgrade protection = On P.32 (section 4.1.3), the part about downgrade protection mechanism is not clear enough. As I understand it, the modified server_random only occurs with a ServerHello indicating TLS 1.2 or below. Moreover, a TLS 1.2 client should only abort the handshake with the TLS 1.1 value, which is not clear in the explanation. Finally, the ServerKeyExchange is only defined in TLS 1.2 or below, so it would be better to add some precision. Here is a proposal to make these points more explicit: TLS 1.3 has a downgrade protection mechanism embedded in the server's random value. TLS 1.3 server implementations MAY respond to a ClientHello indicating only support for TLS 1.2 or below with a ServerHello containing the appropriate version field. TLS 1.3 server implementations which respond with a TLS 1.2 ServerHello, MUST set the last eight bytes of their Random value to the bytes: 44 4F 57 4E 47 52 44 01 TLS 1.3 server implementations which respond with a ServerHello indicating support for TLS 1.1 or below SHOULD set the last eight bytes of their Random value to the bytes: 44 4F 57 4E 47 52 44 00 TLS 1.3 clients receiving a TLS 1.2 or below ServerHello MUST check that the last eight octets are not equal to either of these values. TLS 1.2 clients SHOULD also check that the last eight bytes are not equal to the second value if the ServerHello indicates TLS 1.1 or below. If a match is found, the client MUST abort the handshake with an "illegal_parameter" alert. This mechanism provides limited protection against downgrade attacks over and above that provided by the Finished exchange: because the ServerKeyExchange, a message present in TLS 1.2 and below, includes a signature over both random values, it is not possible for an active attacker to modify the randoms without detection as long as ephemeral ciphers are used. It does not provide downgrade protection when static RSA is used. I can propose a PR if this makes sense to the WG. Olivier Levillain _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls