draft-ietf-tls-downgrade-scsv-03.txt   draft-ietf-tls-downgrade-scsv-04.txt 
Network Working Group B. Moeller Network Working Group B. Moeller
Internet-Draft A. Langley Internet-Draft A. Langley
Updates: 2246, 4346, 4347, 5246, 6347 Google Updates: 2246, 4346, 4347, 5246, 6347 Google
(if approved) December 15, 2014 (if approved) February 12, 2015
Intended status: Standards Track Intended status: Standards Track
Expires: June 18, 2015 Expires: August 16, 2015
TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol
Downgrade Attacks Downgrade Attacks
draft-ietf-tls-downgrade-scsv-03 draft-ietf-tls-downgrade-scsv-04
Abstract Abstract
This document defines a Signaling Cipher Suite Value (SCSV) that This document defines a Signaling Cipher Suite Value (SCSV) that
prevents protocol downgrade attacks on the Transport Layer Security prevents protocol downgrade attacks on the Transport Layer Security
(TLS) protocol. It updates RFC 2246, RFC 4346, and RFC 5246. (TLS) protocol. It updates RFC 2246, RFC 4346, and RFC 5246. Server
update considerations are included.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 18, 2015. This Internet-Draft will expire on August 16, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 41 skipping to change at page 2, line 41
While such fallback retries can be a useful last resort for While such fallback retries can be a useful last resort for
connections to actual legacy servers, there's a risk that active connections to actual legacy servers, there's a risk that active
attackers could exploit the downgrade strategy to weaken the attackers could exploit the downgrade strategy to weaken the
cryptographic security of connections. Also, handshake errors due to cryptographic security of connections. Also, handshake errors due to
network glitches could similarly be misinterpreted as interaction network glitches could similarly be misinterpreted as interaction
with a legacy server and result in a protocol downgrade. with a legacy server and result in a protocol downgrade.
All unnecessary protocol downgrades are undesirable (e.g., from TLS All unnecessary protocol downgrades are undesirable (e.g., from TLS
1.2 to TLS 1.1 if both the client and the server actually do support 1.2 to TLS 1.1 if both the client and the server actually do support
TLS 1.2); they can be particularly critical if they mean losing the TLS 1.2); they can be particularly harmful when the result is loss of
TLS extension feature (when downgrading to SSL 3.0). This document the TLS extension feature by downgrading to SSL 3.0. This document
defines a Signaling Cipher Suite Value (SCSV) that can be employed to defines a Signaling Cipher Suite Value (SCSV) that can be employed to
prevent unintended protocol downgrades between clients and servers prevent unintended protocol downgrades between clients and servers
that comply with this document, by having the client indicate that that comply with this document, by having the client indicate that
the current connection attempt is merely a fallback, and by having the current connection attempt is merely a fallback, and by having
the server return a fatal alert if it detects an inappropriate the server return a fatal alert if it detects an inappropriate
fallback. (The alert does not necessarily indicate an intentional fallback. (The alert does not necessarily indicate an intentional
downgrade attack, since network glitches too could result in downgrade attack, since network glitches too could result in
inappropriate fallback retries.) inappropriate fallback retries.)
The fallback SCSV defined in this document is not suitable substitute The fallback SCSV defined in this document is not a suitable
for proper TLS version negotiation. TLS implementations need to substitute for proper TLS version negotiation. TLS implementations
properly handle TLS version negotiation and extensibility mechanisms need to properly handle TLS version negotiation and extensibility
to avoid the security issues and connection delays associated with mechanisms to avoid the security issues and connection delays
fallback retries. associated with fallback retries.
This specification applies to implementations of TLS 1.0 [RFC2246], This specification applies to implementations of TLS 1.0 [RFC2246],
TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246], and to implementations of TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246], and to implementations of
DTLS 1.0 [RFC4347] and DTLS 1.2 [RFC6347]. (It is particularly DTLS 1.0 [RFC4347] and DTLS 1.2 [RFC6347]. (It is particularly
relevant if TLS implementations also include support for predecessor relevant if the TLS implementations also include support for
protocol SSL 3.0 [RFC6101].) It can be applied similarly to later predecessor protocol SSL 3.0 [RFC6101].) It can be applied similarly
protocol versions. to later protocol versions.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Protocol values 2. Protocol values
This document defines a new TLS cipher suite value: This document defines a new TLS cipher suite value:
TLS_FALLBACK_SCSV {0x56, 0x00} TLS_FALLBACK_SCSV {0x56, 0x00}
skipping to change at page 6, line 40 skipping to change at page 6, line 40
Internet-Draft, IANA so far has in fact not added the cipher suite Internet-Draft, IANA so far has in fact not added the cipher suite
number and alert number to the respective registries. The values as number and alert number to the respective registries. The values as
shown are used in early implementations. shown are used in early implementations.
+-----------+-------------------+---------+-----------------+ +-----------+-------------------+---------+-----------------+
| Value | Description | DTLS-OK | Reference | | Value | Description | DTLS-OK | Reference |
+-----------+-------------------+---------+-----------------+ +-----------+-------------------+---------+-----------------+
| 0x56,0x00 | TLS_FALLBACK_SCSV | Y | (this document) | | 0x56,0x00 | TLS_FALLBACK_SCSV | Y | (this document) |
+-----------+-------------------+---------+-----------------+ +-----------+-------------------+---------+-----------------+
http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml http://www.iana.org/assignments/tls-parameters
#tls-parameters-4
+-------+------------------------+---------+-----------------+ +-------+------------------------+---------+-----------------+
| Value | Description | DTLS-OK | Reference | | Value | Description | DTLS-OK | Reference |
+-------+------------------------+---------+-----------------+ +-------+------------------------+---------+-----------------+
| 86 | inappropriate_fallback | Y | (this document) | | 86 | inappropriate_fallback | Y | (this document) |
+-------+------------------------+---------+-----------------+ +-------+------------------------+---------+-----------------+
http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml http://www.iana.org/assignments/tls-parameters
#tls-parameters-6
]] ]]
IANA has added TLS cipher suite number 0x56,0x00 with name IANA has added TLS cipher suite number 0x56,0x00 with name
TLS_FALLBACK_SCSV to the TLS Cipher Suite registry, and alert number TLS_FALLBACK_SCSV to the TLS Cipher Suite registry, and alert number
86 with name inappropriate_fallback to the TLS Alert registry. 86 with name inappropriate_fallback to the TLS Alert registry.
8. References 8. References
8.1. Normative References 8.1. Normative References
 End of changes. 11 change blocks. 
20 lines changed or deleted 19 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/