On Fri, Oct 09, 2015 at 02:23:30PM +0200, Eric Rescorla wrote:

> Hi folks,
> 
> Please take a look at the following PR which documents a suggestion
> made by Karthik Bhargavan about how to prevent protection against
> downgrade against downgrade from TLS 1.3 to TLS 1.2 and below.
> 
>   https://github.com/tlswg/tls13-spec/pull/284
> 
> The idea is that if a TLS 1.3 server receives a TLS 1.2 or below
> ClientHello, it sets the top N bits of the ServerRandom to be a
> specific fixed value. TLS 1.3 clients which receive a TLS 1.2 or below
> ServerHello check for this value and abort if they receive it. This
> allows for detection of downgrade attacks over and above the Finished
> handshake as long as ephemeral cipher suites are used (because the
> signature on the ServerKeyExchange covers the random values). No
> protection is provided for static RSA cipher suites, but this still
> has some value if you have an attack which only affects (EC)DHE.

I think this is "too clever" (a "hack" not a design) and offers
incomplete protection (does nothing to protect RSA key transport).
So I do not support adoption of this proposal.

If new attacks against TLS 1.0--1.2 emerge that enable MITM via
version downgrade combined with use of weaker algorithms, then
we'll just have to prohibit those weaker algorithms in TLS 1.3
servers (and possibly also clients).

-- 
        Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
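The mechanism quoted above (a TLS 1.3 server marks the top bytes of ServerRandom when it answers a TLS 1.2-or-lower ClientHello, and a TLS 1.3 client that is offered TLS 1.2 or below aborts on seeing the mark) and Viktor's objection that it covers only suites whose ServerKeyExchange signature binds the randoms can both be exercised in a small simulation. The code below is an added example written for this page; it is not code from the PR, from either poster, or from any TLS implementation. The marker value `SENTINEL`, its 8-byte length, the cipher-suite labels `"ECDHE"` and `"RSA"`, and the HMAC used as a stand-in for the ServerKeyExchange signature are all constructed assumptions.

```python
"""Simulation of the ServerRandom downgrade marker described in the thread.

Stand-alone, standard-library only. SENTINEL, the cipher-suite labels and the
HMAC stand-in for the ServerKeyExchange signature are constructed for this
example and are not the PR's or any implementation's real values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

TLS12 = (3, 3)  # legacy version numbers as sent on the wire: TLS 1.2
TLS13 = (3, 4)  # TLS 1.3 (draft numbering at the time of the thread)

# Placeholder for the PR's "specific fixed value": 8 bytes written into the
# top (leading) bytes of the 32-byte ServerHello.random, as the mail describes.
SENTINEL = b"EXAMPLE!"

# Stand-in for the server's private key; HMAC replaces a real signature so
# the example runs offline. The client "verifies" by recomputing it.
_SERVER_KEY = os.urandom(32)


@dataclass
class ServerHello:
    version: Tuple[int, int]
    random: bytes
    cipher_suite: str            # constructed labels: "ECDHE" or "RSA"
    signature: Optional[bytes]   # ServerKeyExchange signature, (EC)DHE only


def make_server_random(client_max_version: Tuple[int, int]) -> bytes:
    """Server side: when the ClientHello offers at most TLS 1.2, overwrite
    the top bytes of a fresh 32-byte random with the sentinel."""
    rnd = bytearray(os.urandom(32))
    if client_max_version < TLS13:
        rnd[:len(SENTINEL)] = SENTINEL
    return bytes(rnd)


def sign_key_exchange(client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the ServerKeyExchange signature, which covers both randoms."""
    return hmac.new(_SERVER_KEY, client_random + server_random, hashlib.sha256).digest()


def server_hello(client_max_version, client_random, cipher_suite) -> ServerHello:
    """Honest TLS 1.3 server: negotiate min(client, 1.3); sign only for (EC)DHE."""
    negotiated = min(client_max_version, TLS13)
    rnd = make_server_random(client_max_version)
    sig = None
    if negotiated < TLS13 and cipher_suite == "ECDHE":
        sig = sign_key_exchange(client_random, rnd)
    return ServerHello(negotiated, rnd, cipher_suite, sig)


def client_accepts(client_max_version, client_random, hello: ServerHello) -> Tuple[bool, str]:
    """Client side: a TLS 1.3 client offered TLS 1.2 or below aborts on the
    sentinel; for (EC)DHE it also checks the signature binding the randoms."""
    if client_max_version >= TLS13 and hello.version < TLS13:
        if hello.random.startswith(SENTINEL):
            return False, "downgrade sentinel in ServerRandom"
    if hello.version < TLS13 and hello.cipher_suite == "ECDHE":
        expected = sign_key_exchange(client_random, hello.random)
        if hello.signature is None or not hmac.compare_digest(expected, hello.signature):
            return False, "ServerKeyExchange signature mismatch"
    return True, "accepted"


def downgraded_hello(client_random, cipher_suite, scrub_sentinel: bool) -> ServerHello:
    """Test harness: the server only ever saw a ClientHello capped at TLS 1.2.
    With scrub_sentinel=True the sentinel bytes are replaced on the way to the
    client, to show which check the defence actually depends on."""
    hello = server_hello(TLS12, client_random, cipher_suite)
    if not scrub_sentinel:
        return hello
    rnd = bytearray(hello.random)
    rnd[:len(SENTINEL)] = os.urandom(len(SENTINEL))
    return ServerHello(hello.version, bytes(rnd), cipher_suite, hello.signature)


def run_scenarios() -> dict:
    """Outcome of the client check for each case discussed in the thread."""
    cr = os.urandom(32)  # constructed ClientHello.random
    return {
        "tls13_client_normal": client_accepts(TLS13, cr, server_hello(TLS13, cr, "ECDHE")),
        "tls12_client_normal": client_accepts(TLS12, cr, server_hello(TLS12, cr, "ECDHE")),
        "downgrade_ecdhe": client_accepts(TLS13, cr, downgraded_hello(cr, "ECDHE", False)),
        "downgrade_ecdhe_scrubbed": client_accepts(TLS13, cr, downgraded_hello(cr, "ECDHE", True)),
        "downgrade_rsa": client_accepts(TLS13, cr, downgraded_hello(cr, "RSA", False)),
        "downgrade_rsa_scrubbed": client_accepts(TLS13, cr, downgraded_hello(cr, "RSA", True)),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:26s} {'ACCEPT' if ok else 'ABORT ':6s} {why}")
```

The last scenario is the point of the objection in the reply: once the sentinel bytes are no longer covered by anything the client can verify, a static RSA handshake is accepted, whereas the (EC)DHE handshake still fails on the signature over the randoms. The marker therefore only adds detection where the ServerKeyExchange signature already binds ServerRandom.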
