Score:2

In TLS, does the client know the server's public key before starting the data exchange?

cn flag

I am reading about the logjam attack. I was asked if the attack could be prevented by checking the integrity of the Server Hello message.

My answer would be no because the man-in-the-middle can still not send the original Server Hello message and send its own.

From my research, it seems like the client only gets hold of the server's public key during the Server Hello message which includes the server's public key.

If it's so, my answer should be correct.

Is there a way for the client to know the server's public key before the Server Hello message?

dave_thompson_085 avatar
cn flag
Which server publickey? The one used for authentication, or the one used for keyexchange which is always different in 1.3 and often but not always different in earlier protocols? _Only_ the ephemeral kx key in 1.3 is in ServerHello, and that can't be used to verify integrity of anything. But Logjam wouldn't apply to 1.3 because it no longer allows too-small or unvalidated and potentially defective FFDH groups for kx.
Jack avatar
cn flag
@dave_thompson_085 as seen here: https://cryptologie.net/upload/logjam.png the ServerHello message sends certS, sign(skS,[p512, g, g^b]). I am trying to find out if during this point the client can verify the identity of the server can the logjam attack be prevented?
dave_thompson_085 avatar
cn flag
That diagram shows only the specific data items relevant to the attack, not anywhere near all the protocol and definitely not the messages containing them. See RFC 2246 et seq. Although as Maarten says, the critical item to _verify_ is the chosen ciphersuite and _that_ is indeed in ServerHello.
Score:1
in flag

The attack, which we call Logjam, is depicted in Figure 2 and relies on a flaw in the way TLS composes DHE and DHE_EXPORT. When a server selects DHE_EXPORT for a handshake, it proceeds by issuing a signed ServerKeyExchange message containing a 512-bit $p_{512}$, but the structure of this message is identical to the message sent during standard DHE ciphersuites. Critically, the signed portion of the server’s message fails to include any indication of the specific ciphersuite that the server has chosen. Provided that a client offers DHE, an active attacker can rewrite the client’s ClientHello to offer a corresponding DHE_EXPORT ciphersuite accepted by the server and remove other ciphersuites that could be chosen instead. The attacker rewrites the ServerHello response to replace the chosen DHE_EXPORT ciphersuite with a matching non-export ciphersuite and forwards the ServerKeyExchange message to the client as is. The client will interpret the export-grade tuple $(p_{512}, g, g^b)$ as valid DHE parameters chosen by the server and proceed with the handshake. The client and server have different handshake transcripts at this stage, but an attacker who can compute $b$ in close to real time can then derive the master secret and connection keys to complete the handshake with the client, and then freely read and write application data pretending to be the server.

And your question reads:

I am reading about the logjam attack. I was asked if the attack could be prevented by checking the integrity of the Server Hello message.

And I guess that the answer is yes, but only if it would sign / verify the set of cipher suites that is being offered within the ServerHello, and it seems that at least TLS up to 1.2 fails to do so. In other words, you'd have to change the TLS protocol to include the offered cipher suites in the signature generation / verification, making it incompatible with any other TLS software.

So currently it seems that simply disallowing your implementation to execute DHE_EXPORT (or 1024 bit ephemeral DH) is the way forward for TLS up to 1.2.

Jack avatar
cn flag
Hello sorry but why did you say it is a yes? Also the question would be purely at the ServerHello stage (verifying the identity there)
Maarten Bodewes avatar
in flag
I meant that **theoretically** you can also sign the cipher suite in the `ServerHello`, but that would mean change of the overall protocol. If you are just **using** the protocol then it's a strong **no**.
dave_thompson_085 avatar
cn flag
Technically the standards for 1.1 and 1.2 (RFC 4346 and 5246) already prohibit all export suites (DHE, staticDH, DHanon, plainRSA, and (!) Kerberos, remember that?) so this _should_ be an issue only up to 1.0, but in practice, well, ...
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.