TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks
draft-ietf-tls-downgrade-scsv-04

The information below is for an old version of the document
Document Type Active Internet-Draft (tls WG)
Last updated 2015-02-19 (latest revision 2015-02-12)
Replaces draft-bmoeller-tls-downgrade-scsv
Stream IETF
Intended RFC status Proposed Standard
Formats plain text pdf html bibtex
Reviews
Stream WG state Submitted to IESG for Publication
Document shepherd Sean Turner
Shepherd write-up Show (last changed 2015-02-10)
IESG IESG state Approved-announcement to be sent::Point Raised - writeup needed
Consensus Boilerplate Yes
Telechat date
Responsible AD Stephen Farrell
Send notices to "Sean Turner" <turners@ieca.com>
IANA IANA review state IANA OK - Actions Needed
IANA action state None
Network Working Group                                         B. Moeller
Internet-Draft                                                A. Langley
Updates: 2246, 4346, 4347, 5246, 6347                             Google
         (if approved)                                 February 12, 2015
Intended status: Standards Track
Expires: August 16, 2015

TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol
                           Downgrade Attacks
                    draft-ietf-tls-downgrade-scsv-04

Abstract

   This document defines a Signaling Cipher Suite Value (SCSV) that
   prevents protocol downgrade attacks on the Transport Layer Security
   (TLS) protocol.  It updates RFC 2246, RFC 4346, and RFC 5246.  Server
   update considerations are included.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 16, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

Moeller & Langley        Expires August 16, 2015                [Page 1]
Internet-Draft              TLS Fallback SCSV              February 2015

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Protocol values . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Server behavior . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Client behavior . . . . . . . . . . . . . . . . . . . . . . .   4
   5.  Operational Considerations  . . . . . . . . . . . . . . . . .   5
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   To work around interoperability problems with legacy servers, many
   TLS client implementations do not rely on the TLS protocol version
   negotiation mechanism alone, but will intentionally reconnect using a
   downgraded protocol if initial handshake attempts fail.  Such clients
   may fall back to connections in which they announce a version as low
   as TLS 1.0 (or even its predecessor, SSL 3.0) as the highest
   supported version.

   While such fallback retries can be a useful last resort for
   connections to actual legacy servers, there's a risk that active
   attackers could exploit the downgrade strategy to weaken the
   cryptographic security of connections.  Also, handshake errors due to
   network glitches could similarly be misinterpreted as interaction
   with a legacy server and result in a protocol downgrade.

   All unnecessary protocol downgrades are undesirable (e.g., from TLS
   1.2 to TLS 1.1 if both the client and the server actually do support
   TLS 1.2); they can be particularly harmful when the result is loss of
   the TLS extension feature by downgrading to SSL 3.0.  This document
   defines a Signaling Cipher Suite Value (SCSV) that can be employed to
   prevent unintended protocol downgrades between clients and servers
   that comply with this document, by having the client indicate that
   the current connection attempt is merely a fallback, and by having
   the server return a fatal alert if it detects an inappropriate
   fallback.  (The alert does not necessarily indicate an intentional
   downgrade attack, since network glitches too could result in
   inappropriate fallback retries.)

Moeller & Langley        Expires August 16, 2015                [Page 2]
Internet-Draft              TLS Fallback SCSV              February 2015
Show full document text