What’s in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS

  • Eman Salem Alashwali
  • Kasper Rasmussen
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 255)

Abstract

A number of important real-world protocols, including the Transport Layer Security (TLS) protocol, have the ability to negotiate various security-related choices such as the protocol version and the cryptographic algorithms to be used in a particular session. Furthermore, some insecure application-layer protocols such as the Simple Mail Transfer Protocol (SMTP) negotiate the use of TLS itself on top of the application protocol to secure the communication channel. These protocols are often vulnerable to a class of attacks known as downgrade attacks, which target this negotiation mechanism. In this paper we create the first taxonomy of TLS downgrade attacks. Our taxonomy classifies possible attacks with respect to four different vectors: the protocol element that is targeted, the type of vulnerability that enables the attack, the attack method, and the level of damage that the attack causes. We base our taxonomy on a thorough analysis of fifteen notable published attacks. Our taxonomy highlights clear and concrete aspects that many downgrade attacks have in common, and allows for a common language, classification, and comparison of downgrade attacks. We demonstrate the application of our taxonomy by classifying the surveyed attacks.
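The negotiation mechanism the abstract refers to, and why authenticating the handshake transcript is the standard defence, is illustrated by the following constructed model (added here; it is not the paper's code and not a TLS implementation). It assumes a simplified ClientHello/ServerHello exchange, a toy strength ordering of versions and suites, and a pre-shared key standing in for the key that the real Finished MAC is derived from.

```python
import hashlib
import hmac

# Constructed toy ordering, weakest -> strongest (real suite names, simplified preference).
VERSIONS = ["TLS1.0", "TLS1.1", "TLS1.2"]
SUITES = ["TLS_RSA_WITH_RC4_128_SHA",
          "TLS_RSA_WITH_AES_128_CBC_SHA",
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]


def client_hello(versions, suites):
    """The client's offer: every version and suite it is willing to use."""
    return {"versions": list(versions), "suites": list(suites)}


def server_hello(hello, server_versions, server_suites):
    """Server picks the highest mutually supported version and its own most
    preferred suite among those the client offered (server preference order)."""
    ver = max((v for v in hello["versions"] if v in server_versions),
              key=VERSIONS.index, default=None)
    suite = next((s for s in server_suites if s in hello["suites"]), None)
    if ver is None or suite is None:
        raise ValueError("no common parameters")
    return {"version": ver, "suite": suite}


def transcript_mac(key, client_hello_msg, server_hello_msg):
    """Stand-in for the Finished MAC: binds both hellos as this party saw them."""
    data = repr((client_hello_msg, server_hello_msg)).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mitm_strip(hello, keep_versions, keep_suites):
    """Active attacker rewrites the offer in transit, leaving only weak choices."""
    return {"versions": [v for v in hello["versions"] if v in keep_versions],
            "suites": [s for s in hello["suites"] if s in keep_suites]}


def run_handshake(tampered, key=b"constructed-shared-key"):
    """Returns the negotiated parameters and whether the transcript check passed."""
    ch = client_hello(VERSIONS, SUITES)
    seen = mitm_strip(ch, {"TLS1.0"}, {"TLS_RSA_WITH_RC4_128_SHA"}) if tampered else ch
    sh = server_hello(seen, VERSIONS, SUITES[::-1])   # server prefers strongest first
    server_fin = transcript_mac(key, seen, sh)        # over what the server received
    client_fin = transcript_mac(key, ch, sh)          # over what the client actually sent
    return sh, hmac.compare_digest(server_fin, client_fin)
```

The tampered run negotiates TLS 1.0 with RC4, but the two Finished values disagree, so the client aborts; this protection only holds when the attacker cannot also break the weak parameters before the Finished messages are exchanged.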

Notes

Acknowledgment

The authors would like to thank Prof. Kenny Paterson, Prof. Andrew Martin, and Nicholas Moore for their feedback, and Mary Bispham, Ilias Giechaskiel, Jacqueline Eggenschwiler, and John Gallacher for proofreading earlier versions of this paper.

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  1. University of Oxford, Oxford, UK
  2. King Abdulaziz University (KAU), Jeddah, Saudi Arabia