Preventing cross-protocol attacks in TLS protocol

The TLS protocol suffers from an issue in the ServerKeyExchange message signature discovered by Wagner and Schneier in . They describe a cross-protocol attack on the SSL 3.0 protocol, that re-uses a signed ServerKeyExchange packet in another session with a different key exchange algorithm. In effect the attack uses a server as an oracle to obtain signed ServerKeyExchange messages that are relayed to another, unrelated, session. The described attack turned to be impossible to implement in practice, but the underlying idea is applicable to all TLS protocol versions, and as the supported key exchange algorithms increase, it provides a tool for new attacks on the protocol [ref needed]. In this document we propose a fix for the TLS protocol that does not require a protocol version upgrade.

This document uses the same notation and terminology used in the TLS Protocol specification . The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

Wagner and Schneier in describe a cross-protocol attack (The authors refer to it as "key exchange algorithm rollback attack") based on the observation that the digital signature in a Diffie-Hellman key exchange does not cover any identifier of the negotiated ciphersuite. According to the SSL 3.0 protocol when a Diffie-Hellman key exchange has been negotiated, the group parameters are sent by the server in the ServerKeyExchange message as shown below.

; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>; Signature signed_params; case rsa: opaque rsa_modulus<1..2^16-1>; opaque rsa_exponent<1..2^16-1>; Signature signed_params; }; } ServerKeyExchange; ]]> The signature on that message is calculated on the algorithm parameters, and the nonces exchanged by both peers. The crucial observation is that the negotiated key exchange algorithm is not part of this signature. This omission allows an adversary to re-use a signed ServerKeyExchange packet in another session, with another key exchange algorithm, by initiating a parallel connection to the server. In particular, the described in attack deceives a client who advertises a TLS_RSA_EXPORT ciphersuite and expects temporary RSA parameters in the ServerKeyExchange message, into receiving Diffie-Hellman parameters from a TLS_DHE_RSA ciphersuite. The attack is based on a wrong assumption in the TLS packet parsing, which prevents it from being practical. It demonstrates, however, the idea of a cross-protocol attack utilizing two of the SSL 3.0 key exchange methods, the Diffie-Hellman and the RSA-EXPORT key exchanges.

The goal of this memo is to restrict the applicability of the server provided signed ServerKeyExchange to the current session. A simple fix may be to include the negotiated ciphersuite into the signature. However, the TLS protocol is complex and a key exchange method does not always imply a single format of the ServerKeyExchange signature. For example, the elliptic curves key exchange method may be used with an arbitrary elliptic curve which requires different data in the ServerKeyExchange than when used with a named curve. Such key exchange suboptions are negotiated using TLS extensions and such extensions should be covered by the signature, to prevent any attack that takes advantage of the different signature format. For that we propose that the signature of the ServerKeyExchange message to be modified to include in addition to explicit identifiers of the algorithms, all the previously exchanged messages. The proposed signature for a ServerKeyExchange message is shown below.

; } } ServerKeyExchange; ]]> The new format includes explicit indicators of the entity (server), the key exchange algorithm used, the handshake messages exchanged, and the parameters of the key exchange. This modification will be negotiated by using a new TLS extension to allow backwards compatibility.

In order for a client to advertise its support for the new ServerKeyExchange format we add a new extension "new_server_key_exchange", with value TBD-BY-IANA, to the enumerated ExtensionType defined in . The "extension_data" field of this extension is empty.

Clients, that wish to protect against cross-protocol attacks, SHOULD include the extension of type "new_server_key_exchange" in the (extended) client hello. Servers that receive an extended client hello containing a "new_server_key_exchange" extension, MAY accept the request for the new ServerKeyExchange format by including an extension of type "new_server_key_exchange" in the extended server hello. Servers compliant to this document, that did not receive the extension MUST set the gmt_unix_time part of the Random value included in ServerHello to zero. Because in cross-protocol attacks the server's random value is redirected to the client, this is a way for the server to indicate support for the extension even in the presence of an adversary. Clients compliant to this document, that advertised this extension but didn't receive a corresponding extension from the server, MUST check the gmt_unix_time part of the Random value included in ServerHello message for the value zero. If the gmt_unix_time is zero the client MUST abort the handshake with an "illegal_parameter" fatal alert. Note that this extension is applies to all versions of the TLS protocol including TLS 1.2 and SSL 3.0 .

This extension modifies the ServerKeyExchange message in order to prevent attacks to the protocol similar in nature with the Wagner and Schneier attack. In order for the protection to be applicable, both the client and the server must sbupport this extension. Compliant servers that did not receive the extension from the client are required to set the 4 bytes of the server's random value, that encodes the time, as zero. This provides a tool to indicate support for the extended format even in the presence of an adversary, but comes at the cost of reducing the total randomness from the server from 32 bytes to 28 bytes.

This document defines the TLS extension "new_server_key_exchange" (value TBD-BY-IANA) whose value should be assigned from the TLS ExtensionType Registry defined in .