- From: Tom Weinstein <tomw@netscape.com>
- Date: Wed, 05 Feb 1997 14:14:18 -0800
- To: Ned Smith <nsmith@ibeam.jf.intel.com>
- CC: ietf-tls@w3.org
Ned Smith wrote:
>
> Help me understand at what point the cipher suite rollback attack can
> be waged (and if we care given that we are trying to use NWNN). We
> know the initial handshaking (implicitly using NWNN ciphersuite) is
> vulnerable to the attacks during handshaking until the finished
> message is sent which contains a MAC on the entire handshake protocol.
> We can detect mischief by checking the MAC. The MAC is only as strong
> as the *new* ciphersuite dictates. If the new ciphersuite is NWNN
> (assuming we could negotiate to this ciphersuite) then we have not
> lost anything yet (nothing to lose).
>
> At what point do any of the attacks in Wagner/Schneier translate to
> loss of security? Is it when an existing session re-handshakes to a
> higher level of security? (Wagner/Schneier explicitly did not analyse
> this scenario for the ciphersuite rollback attack.)
>
> Tom when you say "nothing prevents an attacker from forcing you down
> to that [NWNN] ciphersuite"; are you intimating that the ciphersuite
> list contains non-NWNN ciphersuites?

Yes, that's precisely it. Assume that the client and server both support RSA_WITH_RC4_128_SHA and NULL_WITH_NULL_NULL. Normally they would negotiate to RSA_WITH_RC4_128_SHA, but instead an attacker modifies the client hello to only include NWNN.

--
You should only break rules of style if you can | Tom Weinstein
coherently explain what you gain by so doing. | tomw@netscape.com
Received on Thursday, 6 February 1997 08:19:43 UTC
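The point both messages circle around, that the Finished MAC over the handshake transcript only catches a rewritten ClientHello when the *negotiated* suite actually has a MAC, is easy to see in a toy model. The following Python is an added illustration, not code from the thread, from Netscape or from any TLS implementation: the message formats, the shared key, the `run_handshake`/`strip_to_nwnn`/`reorder` helpers and the simplified "pick the first offered suite the server supports" selection rule are all constructed for this example. Only the suite names RSA_WITH_RC4_128_SHA and NULL_WITH_NULL_NULL (NWNN) come from the thread.

```python
import hmac

# Constructed, simplified model of a TLS 1.0-era handshake. Not the real wire
# format; the two suite names are the ones discussed in the thread.
SUITES = {
    "RSA_WITH_RC4_128_SHA": {"mac": "sha1"},  # real integrity on Finished
    "NULL_WITH_NULL_NULL": {"mac": None},     # NWNN: the Finished "MAC" is empty
}


def client_hello(offered):
    """Constructed ClientHello: just the list of offered suites."""
    return "ClientHello:" + ",".join(offered)


def offered_suites(hello):
    return hello.split(":", 1)[1].split(",")


def server_hello(offered, supported):
    """Toy selection rule (assumption): first offered suite the server supports."""
    for suite in offered:
        if suite in supported:
            return "ServerHello:" + suite, suite
    raise ValueError("no common cipher suite")


def finished_mac(suite, key, transcript):
    """Finished = MAC over the whole handshake transcript, as the thread describes.
    Under NWNN there is no MAC algorithm, so the value carries no information."""
    algo = SUITES[suite]["mac"]
    if algo is None:
        return b""
    return hmac.new(key, transcript.encode(), algo).digest()


def run_handshake(client_offer, server_supported, tamper=None,
                  key=b"constructed-shared-key"):
    """Returns (negotiated suite, tampering_detected).

    `tamper`, if given, rewrites the ClientHello in flight. Each side MACs the
    transcript *it* saw, so a rewritten ClientHello makes the two Finished
    values disagree, provided the negotiated suite has a MAC at all."""
    ch_sent = client_hello(client_offer)
    ch_recv = tamper(ch_sent) if tamper else ch_sent
    sh, suite = server_hello(offered_suites(ch_recv), server_supported)
    server_fin = finished_mac(suite, key, ch_recv + sh)
    client_expect = finished_mac(suite, key, ch_sent + sh)
    detected = not hmac.compare_digest(server_fin, client_expect)
    return suite, detected


def strip_to_nwnn(hello):
    """The rewrite from the thread: keep only NWNN in the offered list."""
    kept = [s for s in offered_suites(hello) if s == "NULL_WITH_NULL_NULL"]
    return "ClientHello:" + ",".join(kept)


def reorder(hello):
    """A rewrite that leaves a MAC-bearing suite in play, for contrast."""
    return "ClientHello:" + ",".join(reversed(offered_suites(hello)))


def demo():
    """Four handshakes showing when the Finished MAC does and does not help."""
    both = ["RSA_WITH_RC4_128_SHA", "NULL_WITH_NULL_NULL"]
    rc4_only = {"RSA_WITH_RC4_128_SHA"}
    results = {}
    # 1. No attacker: strong suite, Finished values agree.
    results["no_attack"] = run_handshake(both, set(both))
    # 2. Rewrite while a MAC suite still wins: the Finished mismatch is caught.
    results["rewrite_caught_by_mac"] = run_handshake(both, rc4_only, tamper=reorder)
    # 3. Rollback to NWNN: negotiated suite has no MAC, so nothing to compare.
    results["rollback_to_nwnn"] = run_handshake(both, set(both), tamper=strip_to_nwnn)
    # 4. Mitigation: client never offers NWNN, so stripping leaves no common
    #    suite and the handshake aborts instead of silently downgrading.
    try:
        results["nwnn_not_offered"] = run_handshake(both[:1], set(both), tamper=strip_to_nwnn)
    except ValueError as err:
        results["nwnn_not_offered"] = ("handshake aborted", str(err))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Case 3 is the one Tom describes: with NWNN in both sides' lists, the attacker's stripped ClientHello yields a null suite, both Finished values are empty, and the comparison passes. Case 4 shows the only lever this model leaves a defender, which is not listing a null suite in the first place, so the same rewrite ends in a failed handshake rather than an unauthenticated session.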