| < draft-ietf-tls-downgrade-scsv-03.txt | draft-ietf-tls-downgrade-scsv-04.txt > | |||
|---|---|---|---|---|
| Network Working Group B. Moeller | Network Working Group B. Moeller | |||
| Internet-Draft A. Langley | Internet-Draft A. Langley | |||
| Updates: 2246, 4346, 4347, 5246, 6347 Google | Updates: 2246, 4346, 4347, 5246, 6347 Google | |||
| (if approved) December 15, 2014 | (if approved) February 12, 2015 | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: June 18, 2015 | Expires: August 16, 2015 | |||
| TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol | TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol | |||
| Downgrade Attacks | Downgrade Attacks | |||
| draft-ietf-tls-downgrade-scsv-03 | draft-ietf-tls-downgrade-scsv-04 | |||
| Abstract | Abstract | |||
| This document defines a Signaling Cipher Suite Value (SCSV) that | This document defines a Signaling Cipher Suite Value (SCSV) that | |||
| prevents protocol downgrade attacks on the Transport Layer Security | prevents protocol downgrade attacks on the Transport Layer Security | |||
| (TLS) protocol. It updates RFC 2246, RFC 4346, and RFC 5246. | (TLS) protocol. It updates RFC 2246, RFC 4346, and RFC 5246. Server | |||
| update considerations are included. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 18, 2015. | This Internet-Draft will expire on August 16, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 41 ¶ | skipping to change at page 2, line 41 ¶ | |||
| While such fallback retries can be a useful last resort for | While such fallback retries can be a useful last resort for | |||
| connections to actual legacy servers, there's a risk that active | connections to actual legacy servers, there's a risk that active | |||
| attackers could exploit the downgrade strategy to weaken the | attackers could exploit the downgrade strategy to weaken the | |||
| cryptographic security of connections. Also, handshake errors due to | cryptographic security of connections. Also, handshake errors due to | |||
| network glitches could similarly be misinterpreted as interaction | network glitches could similarly be misinterpreted as interaction | |||
| with a legacy server and result in a protocol downgrade. | with a legacy server and result in a protocol downgrade. | |||
| All unnecessary protocol downgrades are undesirable (e.g., from TLS | All unnecessary protocol downgrades are undesirable (e.g., from TLS | |||
| 1.2 to TLS 1.1 if both the client and the server actually do support | 1.2 to TLS 1.1 if both the client and the server actually do support | |||
| TLS 1.2); they can be particularly critical if they mean losing the | TLS 1.2); they can be particularly harmful when the result is loss of | |||
| TLS extension feature (when downgrading to SSL 3.0). This document | the TLS extension feature by downgrading to SSL 3.0. This document | |||
| defines a Signaling Cipher Suite Value (SCSV) that can be employed to | defines a Signaling Cipher Suite Value (SCSV) that can be employed to | |||
| prevent unintended protocol downgrades between clients and servers | prevent unintended protocol downgrades between clients and servers | |||
| that comply with this document, by having the client indicate that | that comply with this document, by having the client indicate that | |||
| the current connection attempt is merely a fallback, and by having | the current connection attempt is merely a fallback, and by having | |||
| the server return a fatal alert if it detects an inappropriate | the server return a fatal alert if it detects an inappropriate | |||
| fallback. (The alert does not necessarily indicate an intentional | fallback. (The alert does not necessarily indicate an intentional | |||
| downgrade attack, since network glitches too could result in | downgrade attack, since network glitches too could result in | |||
| inappropriate fallback retries.) | inappropriate fallback retries.) | |||
| The fallback SCSV defined in this document is not suitable substitute | The fallback SCSV defined in this document is not a suitable | |||
| for proper TLS version negotiation. TLS implementations need to | substitute for proper TLS version negotiation. TLS implementations | |||
| properly handle TLS version negotiation and extensibility mechanisms | need to properly handle TLS version negotiation and extensibility | |||
| to avoid the security issues and connection delays associated with | mechanisms to avoid the security issues and connection delays | |||
| fallback retries. | associated with fallback retries. | |||
| This specification applies to implementations of TLS 1.0 [RFC2246], | This specification applies to implementations of TLS 1.0 [RFC2246], | |||
| TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246], and to implementations of | TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246], and to implementations of | |||
| DTLS 1.0 [RFC4347] and DTLS 1.2 [RFC6347]. (It is particularly | DTLS 1.0 [RFC4347] and DTLS 1.2 [RFC6347]. (It is particularly | |||
| relevant if TLS implementations also include support for predecessor | relevant if the TLS implementations also include support for | |||
| protocol SSL 3.0 [RFC6101].) It can be applied similarly to later | predecessor protocol SSL 3.0 [RFC6101].) It can be applied similarly | |||
| protocol versions. | to later protocol versions. | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2. Protocol values | 2. Protocol values | |||
| This document defines a new TLS cipher suite value: | This document defines a new TLS cipher suite value: | |||
| TLS_FALLBACK_SCSV {0x56, 0x00} | TLS_FALLBACK_SCSV {0x56, 0x00} | |||
| skipping to change at page 6, line 40 ¶ | skipping to change at page 6, line 40 ¶ | |||
| Internet-Draft, IANA so far has in fact not added the cipher suite | Internet-Draft, IANA so far has in fact not added the cipher suite | |||
| number and alert number to the respective registries. The values as | number and alert number to the respective registries. The values as | |||
| shown are used in early implementations. | shown are used in early implementations. | |||
| +-----------+-------------------+---------+-----------------+ | +-----------+-------------------+---------+-----------------+ | |||
| | Value | Description | DTLS-OK | Reference | | | Value | Description | DTLS-OK | Reference | | |||
| +-----------+-------------------+---------+-----------------+ | +-----------+-------------------+---------+-----------------+ | |||
| | 0x56,0x00 | TLS_FALLBACK_SCSV | Y | (this document) | | | 0x56,0x00 | TLS_FALLBACK_SCSV | Y | (this document) | | |||
| +-----------+-------------------+---------+-----------------+ | +-----------+-------------------+---------+-----------------+ | |||
| http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml | http://www.iana.org/assignments/tls-parameters | |||
| #tls-parameters-4 | ||||
| +-------+------------------------+---------+-----------------+ | +-------+------------------------+---------+-----------------+ | |||
| | Value | Description | DTLS-OK | Reference | | | Value | Description | DTLS-OK | Reference | | |||
| +-------+------------------------+---------+-----------------+ | +-------+------------------------+---------+-----------------+ | |||
| | 86 | inappropriate_fallback | Y | (this document) | | | 86 | inappropriate_fallback | Y | (this document) | | |||
| +-------+------------------------+---------+-----------------+ | +-------+------------------------+---------+-----------------+ | |||
| http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml | http://www.iana.org/assignments/tls-parameters | |||
| #tls-parameters-6 | ||||
| ]] | ]] | |||
| IANA has added TLS cipher suite number 0x56,0x00 with name | IANA has added TLS cipher suite number 0x56,0x00 with name | |||
| TLS_FALLBACK_SCSV to the TLS Cipher Suite registry, and alert number | TLS_FALLBACK_SCSV to the TLS Cipher Suite registry, and alert number | |||
| 86 with name inappropriate_fallback to the TLS Alert registry. | 86 with name inappropriate_fallback to the TLS Alert registry. | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| End of changes. 11 change blocks. | ||||
| 20 lines changed or deleted | 19 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||