TLS Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks
draft-bmoeller-tls-downgrade-scsv-00

The information below is for an old version of the document
Document Type Active Internet-Draft (individual)
Last updated 2013-09-25
Replaced by draft-ietf-tls-downgrade-scsv, rfc7507
Stream (None)
Intended RFC status (None)
Formats pdf htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                         B. Moeller
Internet-Draft                                                    Google
Updates: 2246,4346,5246                               September 25, 2013
(if approved)
Intended status: Standards Track
Expires: March 29, 2014

    TLS Signaling Cipher Suite Value (SCSV) for Preventing Protocol
                           Downgrade Attacks
                  draft-bmoeller-tls-downgrade-scsv-00

Abstract

   This document defines a Signaling Cipher Suite Value (SCSV) that can
   be used to prevent protocol downgrades for Transport Layer Security
   (TLS).

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 29, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as

Moeller                  Expires March 29, 2014                 [Page 1]
Internet-Draft             TLS Downgrade SCSV             September 2013

   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  The TLS_DOWNGRADE_SCSV Signaling Cipher Suite Value  . . . . .  4
   3.  Server behavior  . . . . . . . . . . . . . . . . . . . . . . .  5
   4.  Client behavior  . . . . . . . . . . . . . . . . . . . . . . .  6
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  8
     6.1.  Normative References . . . . . . . . . . . . . . . . . . .  8
     6.2.  Informal References  . . . . . . . . . . . . . . . . . . .  8
   Appendix A.  Acknowledgements  . . . . . . . . . . . . . . . . . .  9
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 10

Moeller                  Expires March 29, 2014                 [Page 2]
Internet-Draft             TLS Downgrade SCSV             September 2013

1.  Introduction

   To work around interoperability problems with legacy servers, many
   TLS client implementations do not rely on the TLS protocol version
   negotiation mechanism alone, but will intentionally reconnect using a
   downgraded protocol if initial handshake attempts fail.  Such clients
   may fall back to connections in which they announce a version as low
   as TLS 1.0 (or even its predecessor, SSL 3.0) as the highest
   supported version, and make no attempt of using TLS extensions.

   While such protocol downgrades can be a useful last resort for
   connections to actual legacy servers, there's a risk that active
   attackers could exploit the downgrade strategy to weaken the
   cryptographic security of connections.  (For example, if a server
   requires the client's Supported Elliptic Curves Extension [RFC4492]
   to choose a forward-secure key exchange algorithm, the attacker could
   interfere with connections using this extension to get the client and
   server to instead use a key exchange algorithm that does not
   providing forward secrecy.)  Also, handshake errors due to network
   glitches could similary be misinterpreted as interaction with a
   legacy server and result in a protocol downgrade.

   All unnecessary protocol downgrades are undesirable (e.g., from TLS
   1.2 to TLS 1.1 if both the client and the server actually do support
   TLS 1.1); they can be particularly critical if they mean losing the
   TLS extension feature (when downgrading to TLS 1.0 without
   extensions, or to SSL 3.0).  This document defines a Signaling Cipher
   Suite Value (SCSV) that can be employed to prevent such protocol
   downgrades between clients and servers that comply to this document.

   This specification applies to implementations of TLS 1.0 [RFC2246],
   TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246].  (It is particularly
Show full document text