[20153] in cryptography@c2.net mail archive
Re: hamachi p2p vpn nat-friendly protocol details
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Tue Feb 28 14:39:35 2006
X-Original-To: cryptography@metzdowd.com
To: "Travis H." <solinym@gmail.com>
Cc: "Alex Pankratov" <ap@hamachi.cc>, cryptography@metzdowd.com
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 26 Feb 2006 10:28:03 -0800
In-Reply-To: <d4f1333a0602242213r4d1cd1afm52fb3b71e3979674@mail.gmail.com> (Travis H.'s message of "Sat, 25 Feb 2006 00:13:38 -0600")

"Travis H." <solinym@gmail.com> writes:
> On 2/24/06, Alex Pankratov <ap@hamachi.cc> wrote:
>> Tero Kivinen wrote:
>> >> Secondly I cannot find where it
>> >> authenticates the crypto suite used at all (it is not included in the
>> >> signature of the AUTH message).
>>
>> Crypto suite is essentially just a protocol number. It requires
>> no authentication. If the server side responds with HELO.OK, it
>> means that it can comprehend specified protocol revision. Similar
>> to what happens during the SSH handshake.
>
> In SSL, the lack of authentication of the cryptosuite could be used to
> convince a v3 client that it is communicating with a v2 server, and
> the v3 server that it is communicating with a v2 client, causing them
> to communicate using SSL v2, which is called the "version rollback
> attack".

This isn't quite accurate.

SSLv2 didn't do any kind of downgrade protection at all, for the
version number, cipher suite, or anything else. SSLv3 used a MAC
across the entire handshake. The tricky problem is to protect
downgrade from SSLv3 to SSLv2, which obviously can't be done with the
SSLv3 mechanisms. The trick that SSLv3 used was that when falling back
to SSLv2, SSLv3-capable clients would pad their RSA PKCS#1 blocks
in a special way that SSLv3 servers would detect. If they detected
it, that meant there had been a downgrade.

Unfortunately, not all clients correctly generate this padding
and the check wasn't universally implemented correctly:
http://www.openssl.org/news/secadv_20051011.txt

-Ekr
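The padding trick Ekr refers to, modelled as an added example (this is not code from the thread or from any SSL implementation): an SSLv3-capable client that has fallen back to SSLv2 still RSA-encrypts the pre-master secret in a PKCS#1 v1.5 block type 2, but sets the last 8 bytes of the random padding string to 0x03 (the marker value is the one given in the SSL 3.0 and TLS 1.0 specifications, RFC 6101 / RFC 2246, Appendix E). An SSLv3 server that finds the marker while running SSLv2 knows the exchange was downgraded. The RSA operation itself is omitted; only the plaintext block where the check lives is built. The 128-byte block size, the 48-byte pre-master secret and the `handshake_outcome` scenario function are constructed for illustration and show the two failure modes the post mentions: a client that never sets the marker, and a server that never checks it.

```python
"""Model of SSLv3's rollback detection via PKCS#1 block type 2 padding.

Added example, not from the mailing-list post.  Marker value per
RFC 6101 / RFC 2246 Appendix E; block sizes are constructed.
"""
import os

# Last 8 bytes of the padding string when an SSLv3-capable client has been
# talked down to SSLv2 (RFC 6101 Appendix E / RFC 2246 Appendix E).
ROLLBACK_MARKER = b"\x03" * 8


def pkcs1_type2_pad(data: bytes, k: int, mark_rollback: bool) -> bytes:
    """Build a k-byte PKCS#1 v1.5 block type 2:
    0x00 || 0x02 || PS (non-zero random bytes, at least 8) || 0x00 || data.
    With mark_rollback=True the last 8 bytes of PS are the rollback marker."""
    ps_len = k - len(data) - 3
    if ps_len < 8:
        raise ValueError("message too long for block size")
    ps = bytearray()
    while len(ps) < ps_len:           # padding bytes must be non-zero
        b = os.urandom(1)
        if b != b"\x00":
            ps += b
    if mark_rollback:
        ps[-8:] = ROLLBACK_MARKER
    return b"\x00\x02" + bytes(ps) + b"\x00" + data


def pkcs1_type2_unpad(block: bytes) -> tuple[bytes, bytes]:
    """Split a type 2 block into (padding_string, data); raise if malformed."""
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        raise ValueError("bad block header")
    sep = block.index(b"\x00", 2)     # first 0x00 after the type byte ends PS
    ps = block[2:sep]
    if len(ps) < 8:
        raise ValueError("padding string too short")
    return ps, block[sep + 1:]


def server_accepts(negotiated_version: str, block: bytes) -> bool:
    """SSLv3-capable server: if the connection ended up on SSLv2 but the
    client left the rollback marker, the client also spoke SSLv3, so something
    in the middle forced the downgrade and the handshake must be aborted."""
    ps, _premaster = pkcs1_type2_unpad(block)
    if negotiated_version == "SSLv2" and ps[-8:] == ROLLBACK_MARKER:
        return False                  # downgrade detected
    return True


def handshake_outcome(client_v3_capable: bool, client_marks: bool,
                      server_checks: bool, attacker_forces_v2: bool) -> str:
    """One handshake against an SSLv3-capable server (constructed scenario).
    Returns 'SSLv3', 'SSLv2 (legitimate)', 'SSLv2 downgrade detected' or
    'SSLv2 downgrade undetected'."""
    negotiated = "SSLv2" if (attacker_forces_v2 or not client_v3_capable) else "SSLv3"
    if negotiated == "SSLv3":
        return "SSLv3"
    if not client_v3_capable:
        return "SSLv2 (legitimate)"   # a real SSLv2-only client never marks
    # An SSLv3-capable client fell back: it should mark its padding ...
    block = pkcs1_type2_pad(os.urandom(48), 128, mark_rollback=client_marks)
    # ... and the server should look for the marker.  Either side skipping its
    # half leaves the downgrade unnoticed, which is the post's point.
    if server_checks and not server_accepts(negotiated, block):
        return "SSLv2 downgrade detected"
    return "SSLv2 downgrade undetected"


if __name__ == "__main__":
    for args in [(True, True, True, True), (True, False, True, True),
                 (True, True, False, True), (True, True, True, False),
                 (False, False, True, False)]:
        print(args, "->", handshake_outcome(*args))
```

Because the marker sits inside the RSA-encrypted block, an attacker who forces the SSLv2 fallback cannot strip it without the server's private key, which is what makes this detectable even though SSLv2 itself authenticates nothing about the negotiation. The scheme only works when both halves are present, which is exactly the weakness the OpenSSL advisory linked above concerns.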
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com