hamachi p2p vpn nat-friendly protocol details

Eric Rescorla ekr at rtfm.com
Sun Feb 26 13:28:03 EST 2006


"Travis H." <solinym at gmail.com> writes:

> On 2/24/06, Alex Pankratov <ap at hamachi.cc> wrote:
>> Tero Kivinen wrote:
>> >> Secondly I cannot find where it
>> >> authenticates the crypto suite used at all (it is not included in the
>> >> signature of the AUTH message).
>>
>> Crypto suite is essentially just a protocol number. It requires
>> no authentication. If the server side responds with HELO.OK, it
>> means that it can comprehend specified protocol revision. Similar
>> to what happens during the SSH handshake.
>
> In SSL, the lack of authentication of the cryptosuite could be used to
> convince a v3 client that it is communicating with a v2 server, and
> the v3 server that it is communicating with a v2 client, causing them
> to communicate using SSL v2, which is called the "version rollback
> attack".

This isn't quite accurate.

SSLv2 didn't do any kind of downgrade protection at all, for the
version number, cipher suite, or anything else. SSLv3 used a MAC
across the entire handshake. The tricky problem is to protect
downgrade from SSLv3 to SSLv2, which obviously can't be done with the
SSLv3 mechanisms. The trick that SSLv3 used was that when falling back
to SSLv2, SSLv3-capable clients would pad their RSA PKCS#1 blocks
in a special way that SSLv3 servers would detect. If they detected
it, that meant there had been a downgrade.

Unfortunately, not all clients correctly generate this padding
and the check wasn't universally implemented correctly:

http://www.openssl.org/news/secadv_20051011.txt


-Ekr

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
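The padding trick Ekr describes, as an added example that is not code from this post or from any SSL implementation: it models the PKCS#1 v1.5 type 2 block an SSLv3-capable client builds when falling back to SSLv2, with the last eight padding bytes set to 0x03 (the marker from the SSL 3.0 specification), and the check an SSLv3-capable server runs on it. The function names, the 128-byte modulus size and the sample secret are constructed for the example.

```python
# Model of the SSL 3.0 "version rollback" marker inside PKCS#1 v1.5 type 2 padding.
import os

ROLLBACK_MARKER = b"\x03" * 8  # eight 0x03 bytes immediately before the 0x00 separator


def _nonzero_random(n, rng):
    # PS must consist of nonzero bytes; drop zeros and keep drawing until full.
    out = bytearray()
    while len(out) < n:
        out += bytes(b for b in rng(n - len(out)) if b != 0)
    return bytes(out)


def pkcs1_type2_pad(msg, k, rollback_marker=False, rng=os.urandom):
    """Build a k-byte block 00 || 02 || PS || 00 || msg.

    PS is at least 8 nonzero bytes; with rollback_marker set (an SSLv3-capable
    client talking SSLv2) its last 8 bytes are 0x03.
    """
    ps_len = k - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for modulus size")
    if rollback_marker:
        ps = _nonzero_random(ps_len - 8, rng) + ROLLBACK_MARKER
    else:
        ps = _nonzero_random(ps_len, rng)
    return b"\x00\x02" + ps + b"\x00" + msg


def unpad_and_check_rollback(block):
    """Server side: recover msg and report whether the rollback marker is present.

    Raises ValueError on malformed padding.
    """
    if len(block) < 11 or block[0] != 0 or block[1] != 2:
        raise ValueError("bad PKCS#1 type 2 header")
    sep = block.find(b"\x00", 2)
    if sep < 10:  # header plus at least 8 bytes of PS, or separator missing
        raise ValueError("padding string too short or separator missing")
    return block[sep + 1:], block[2:sep][-8:] == ROLLBACK_MARKER


def server_accepts(block, negotiated_v2):
    """Policy: the marker inside an SSLv2 handshake means the client is
    SSLv3-capable, so the session was rolled back and must be rejected."""
    msg, marker = unpad_and_check_rollback(block)
    if negotiated_v2 and marker:
        return None, "rollback detected: abort"
    return msg, "ok"
```

Real implementations perform this comparison on the RSA-decrypted block and in constant time; here the block is built and inspected directly, without RSA.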


