Paper 2016/072
Downgrade Resilience in Key-Exchange Protocols
Karthikeyan Bhargavan, Chris Brzuska, Cédric Fournet, Matthew Green, Markulf Kohlweiss, and Santiago Zanella-Béguelin
Abstract
Key-exchange protocols such as TLS, SSH, IPsec, and ZRTP are highly configurable, with typical deployments supporting multiple protocol versions, cryptographic algorithms and parameters. In the first messages of the protocol, the peers negotiate one specific combination, the protocol mode, based on their local configurations. With few notable exceptions, most cryptographic analyses of configurable protocols consider a single mode at a time. In contrast, downgrade attacks, where a network adversary forces peers to use a mode weaker than the one they would normally negotiate, are a recurrent problem in practice. How can a protocol support configurability while at the same time guaranteeing that the preferred mode is negotiated? We set out to answer this question by designing a formal framework to study downgrade resilience and its relation to other security properties of key-exchange protocols. First, we study the causes of downgrade attacks by dissecting and classifying known and novel attacks against widely used protocols. Second, we survey what is known about the downgrade resilience of existing standards. Third, we combine these findings to define downgrade security, and analyze the conditions under which several protocols achieve it. Finally, we discuss patterns that guarantee downgrade security by design, and explain how to use them to strengthen the security of existing protocols, including a newly proposed draft of TLS 1.3.
Metadata
- Category
- Cryptographic protocols
- Publication info
- Published elsewhere. Major revision. IEEE Symposium on Security and Privacy 2016
- Keywords
- downgrade, key exchange, TLS, IKE, ZRTP, SSH
- Contact author(s)
- markulf @ microsoft com
- History
- 2016-04-20: last of 2 revisions
- 2016-01-26: received
- Short URL
- https://ia.cr/2016/072
- License
- CC BY
BibTeX
@misc{cryptoeprint:2016/072,
  author = {Karthikeyan Bhargavan and Chris Brzuska and Cédric Fournet and Matthew Green and Markulf Kohlweiss and Santiago Zanella-Béguelin},
  title = {Downgrade Resilience in Key-Exchange Protocols},
  howpublished = {Cryptology {ePrint} Archive, Paper 2016/072},
  year = {2016},
  url = {https://eprint.iacr.org/2016/072}
}