Karthikeyan Bhargavan <karthik.bharga...@gmail.com> wrote:
> The attack we're protecting against is the following:
> [snip]
>
> The key observation is that downgrade protection in TLS 1.2 (and below)
> relies on the Finished MAC, but the elements that go into computing this
> MAC (DH group, hash algorithm) are themselves negotiated within the
> handshake and may be downgraded. This is a fundamental protocol limitation
> that is addressed by TLS 1.3. Now, our goal is to protect TLS 1.3 itself
> from older protocol versions.

Thanks for explaining. I think this is a good idea. Why only protect TLS 1.3
from such a downgrade? I think it is worthwhile to protect TLS 1.2 from the
downgrade too, in a similar way. Or, is there something specific about
TLS 1.3 that makes the downgrade worse?

> 2) Looking forward, a number of researchers would like to give a strong
> security theorem for TLS 1.3, but at present we would not be able to
> guarantee security for any TLS 1.3 implementation that also implements
> older protocol versions, because we would then also have to prove secure
> all the ciphersuites used in these old versions (some of which are
> certainly broken from the point of view of provable security). For our
> proofs, we'd like nothing better than to be able to assume that older
> versions of TLS have been disabled, but I guess that is unlikely to happen
> soon.

No doubt it is more interesting to work on TLS 1.3. But, I think that it
would also be useful to have such work done, insofar as it is possible, for
at least a subset of TLS 1.2--e.g. the subset that is used in DICE, which
prescribes TLS 1.2. I understand that the people working on proofs for
TLS 1.3 may not be the same ones that might undertake the work for TLS 1.2.

Cheers,
Brian
--
https://briansmith.org/
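For readers following the thread, here is the downgrade sentinel that TLS 1.3 eventually standardized for this problem (RFC 8446, section 4.1.3): a server that supports a newer version but ends up negotiating an older one overwrites the last 8 bytes of ServerHello.random, which the older version's signature or Finished MAC still covers, so a client that offered the newer version can detect the downgrade. This is an added example, not code from the thread or from any TLS implementation; the version constants, the `simulate()` model of an on-path rewriter, and the use of `os.urandom` are my own assumptions.

```python
"""Model of the ServerHello.random downgrade sentinel (RFC 8446 sec. 4.1.3)."""
import os

# Last 8 bytes of ServerHello.random set by a compliant server.
SENTINEL_13_TO_12 = b"DOWNGRD\x01"  # server supports 1.3, negotiated 1.2
SENTINEL_TO_11 = b"DOWNGRD\x00"     # server supports >= 1.2, negotiated <= 1.1

# Protocol version numbers as carried on the wire (assumed constants).
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304


def server_random(server_max: int, negotiated: int) -> bytes:
    """Build the 32-byte ServerHello.random as a compliant server would."""
    rnd = bytearray(os.urandom(32))
    if server_max >= TLS13 and negotiated == TLS12:
        rnd[24:] = SENTINEL_13_TO_12
    elif server_max >= TLS12 and negotiated <= TLS11:
        rnd[24:] = SENTINEL_TO_11
    return bytes(rnd)


def downgrade_detected(client_max: int, negotiated: int, rnd: bytes) -> bool:
    """Client-side check; True means the client must abort the handshake.

    A client offering 1.3 rejects either sentinel when the server picks <= 1.2;
    a client offering 1.2 rejects the second sentinel when the server picks <= 1.1.
    """
    if len(rnd) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    tail = rnd[24:]
    if client_max >= TLS13 and negotiated <= TLS12:
        return tail in (SENTINEL_13_TO_12, SENTINEL_TO_11)
    if client_max == TLS12 and negotiated <= TLS11:
        return tail == SENTINEL_TO_11
    return False


def simulate(client_max: int, server_max: int, rewritten_offer=None):
    """Model one handshake; an on-path party may lower the client's offered
    version before the server sees it. Returns (negotiated, detected)."""
    offered = client_max if rewritten_offer is None else min(client_max, rewritten_offer)
    negotiated = min(offered, server_max)
    rnd = server_random(server_max, negotiated)
    return negotiated, downgrade_detected(client_max, negotiated, rnd)
```

The sentinel only fires when both ends actually support the newer version, so a genuinely old server negotiating TLS 1.2 with a TLS 1.3 client produces no false alarm, which is why the thread's question about extending the scheme to protect TLS 1.2 is answered by the second sentinel.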
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls