How to support configurability while at the same time guaranteeing the preferred mode is negotiated? We set to answer this question by designing a formal framework to study downgrade resilience and its relation to other security properties of key-exchange protocols. First, we study the causes of downgrade attacks by dissecting and classifying known and novel attacks against widely used protocols. Second, we survey what is known about the downgrade resilience of existing standards. Third, we combine these findings to define downgrade security, and analyze the conditions under which several protocols achieve it. Finally, we discuss patterns that guarantee downgrade security by design, and explain how to use them to strengthen the security of existing protocols, including a newly proposed draft of TLS 1.3.
Category / Keywords: cryptographic protocols / downgrade, key exchange, TLS, IKE, ZRTP, SSH Original Publication (with major differences): IEEE Symposium on Security and Privacy 2016 Date: received 26 Jan 2016, last revised 20 Apr 2016 Contact author: markulf at microsoft com Available format(s): PDF | BibTeX Citation Version: 20160420:095558 (All versions of this report) Short URL: ia.cr/2016/072 Discussion forum: Show discussion | Start new discussion