Hi folks,

Please take a look at the following PR, which documents a suggestion made by Karthik Bhargavan about how to provide protection against downgrade from TLS 1.3 to TLS 1.2 and below:

https://github.com/tlswg/tls13-spec/pull/284

The idea is that if a TLS 1.3 server receives a TLS 1.2 or below ClientHello, it sets the top N bits of the ServerRandom to a specific fixed value. TLS 1.3 clients which receive a TLS 1.2 or below ServerHello check for this value and abort if they receive it. This allows for detection of downgrade attacks over and above the Finished handshake as long as ephemeral cipher suites are used (because the signature on the ServerKeyExchange covers the random values). No protection is provided for static RSA cipher suites, but this still has some value if you have an attack which only affects (EC)DHE.

I've written this up with 48 bits and a specific fixed value (03 04 03 04 03 04), but that's just a strawman and we can bikeshed on that if people think this is a good idea.

Thanks,
-Ekr
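The sentinel mechanism described in the message, as an added simulation that is not part of the PR or the original post. It uses the strawman parameters from the message (48 bits, 03 04 03 04 03 04); the version tuples, the `handshake` helper and the "attacker rewrites the ClientHello version" scenario are constructed here for illustration, and the ServerRandom is assumed to reach the client unmodified because an ephemeral suite's ServerKeyExchange signature covers it.

```python
import secrets

# Strawman from the proposal: top 48 bits of ServerRandom carry a fixed
# sentinel whenever a TLS 1.3 server negotiates TLS 1.2 or below.
SENTINEL = bytes.fromhex("030403040304")
TLS12 = (3, 3)
TLS13 = (3, 4)


def server_random(client_hello_version, rng=secrets.token_bytes):
    """ServerRandom produced by a TLS 1.3-capable server.

    If the ClientHello offers at most TLS 1.2, the sentinel overwrites the
    top 6 bytes; the remaining 26 bytes stay random. A legacy TLS 1.2 client
    ignores them, a TLS 1.3 client reads them as a downgrade signal."""
    rand = bytearray(rng(32))
    if client_hello_version <= TLS12:
        rand[:len(SENTINEL)] = SENTINEL
    return bytes(rand)


def client_accepts(server_hello_version, server_rand):
    """TLS 1.3 client check: a ServerHello selecting TLS 1.2 or below must
    not carry the sentinel; if it does, a downgrade is in progress and the
    client aborts. A TLS 1.3 ServerHello is never rejected by this check."""
    if server_hello_version >= TLS13:
        return True
    return not server_rand.startswith(SENTINEL)


def handshake(client_offer, server_max=TLS13, attacker_rewrites_to=None):
    """Constructed exchange: an on-path attacker may lower the version the
    server sees, but cannot alter the ServerRandom the client verifies."""
    seen_by_server = attacker_rewrites_to or client_offer
    chosen = min(seen_by_server, server_max)
    if server_max >= TLS13:
        rand = server_random(seen_by_server)      # TLS 1.3 server stamps
    else:
        rand = secrets.token_bytes(32)            # legacy server, no sentinel
    if client_offer >= TLS13:
        return "ok" if client_accepts(chosen, rand) else "abort"
    return "ok"  # legacy client performs no sentinel check


if __name__ == "__main__":
    print(handshake(TLS13))                              # genuine TLS 1.3
    print(handshake(TLS12))                              # legacy client
    print(handshake(TLS13, server_max=TLS12))            # legacy server
    print(handshake(TLS13, attacker_rewrites_to=TLS12))  # downgrade detected
```

A TLS 1.3 client talking to a genuine TLS 1.2-only server passes the check except with probability 2^-48, the chance that an unstamped random happens to start with the sentinel.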
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls