Hi Olivier, Thanks for your comments. I do want this section to be clear.
It would be very helpful if you formatted this as a PR. That would make it easier to understand the changes in this text. Thanks, -Ekr On Tue, Nov 22, 2016 at 11:01 AM, Olivier Levillain < olivier.levill...@ssi.gouv.fr> wrote: > Hi list, > > I am sorry for the very late answer concerning draft 18, but we > (ANSSI) have several remarks after proof-reading the current > specification. > > We are sorry for the multiple long messages. > > If the WG is interested by some of our concerns/proposals, we would be > glad to propose some PRs. > > > = Donwgrade protection = > > On P.32 (section 4.1.3), the part about downgrade protection mechanism > is not clear enough. As I understand it, the modified server_random > only occurs with a ServerHello indicating TLS 1.2 or below. Moreover, > a TLS 1.2 client should only abort the handshake with the TLS 1.1 > value, which is not clear in the explanation. Finally, the > ServerKeyExchange is only defined in TLS 1.2 or below, so it would be > better to add some precision. Here is a proposal to make these points > more explicit: > > TLS 1.3 has a downgrade protection mechanism embedded in the server's > random value. TLS 1.3 server implementations MAY respond to a > ClientHello indicating only support for TLS 1.2 or below with a > ServerHello containing the appropriate version field. > > TLS 1.3 server implementations which respond with a TLS 1.2 > ServerHello, MUST set the last eight bytes of their Random value > to the bytes: > > 44 4F 57 4E 47 52 44 01 > > TLS 1.3 server implementations which respond with a ServerHello > indicating support for TLS 1.1 or below SHOULD set the last > eight bytes of their Random value to the bytes: > > 44 4F 57 4E 47 52 44 00 > > TLS 1.3 clients receiving a TLS 1.2 or below ServerHello MUST check > that the last eight octets are not equal to either of these values. > TLS 1.2 clients SHOULD also check that the last eight bytes are not > equal to the second value if the ServerHello indicates TLS 1.1 or > below. If a match is found, the client MUST abort the handshake > with an "illegal_parameter" alert. This mechanism provides limited > protection against downgrade attacks over and above that provided > by the Finished exchange: because the ServerKeyExchange, a message > present in TLS 1.2 and below, includes a signature over both random > values, it is not possible for an active attacker to modify the > randoms without detection as long as ephemeral ciphers are used. > It does not provide downgrade protection when static RSA is used. > > I can propose a PR if this makes sense to the WG. > > > Olivier Levillain > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
