1

An excerpt of one of my courses about SSL/TLS says the following,

This excerpt is just after the Handshake finish phase of SSL (with change_cipher_spec and finished messages).

Role of the finish phase : counter the downgrade attack.

An attacker could have removed the cipher suites with strong encryption from the client_hello message, causing the entities to agree upon a weaker cipher.

How is the change_cipher_spec of any use in countering the downgrade attack?

If an attacker had removed the strong encryption methods, leaving only weak ones, since the change_cipher_spec chooses a cipher from the client_hello, how is that of any use? What am I missing?

Arthur Attout
  • Dupe https://security.stackexchange.com/questions/71979/how-well-is-the-ssl-tls-handshake-protected-against-modifications https://security.stackexchange.com/questions/61535/what-stops-an-attacker-from-tampering-with-data-sent-during-the-ssl-tls-handshak https://security.stackexchange.com/questions/59283/ssl-finished-message-contents – dave_thompson_085 Jun 05 '18 at 07:26
  • Sorry about that .. I guess that's partly because I was really confused with the main point of my question, I wouldn't have thought such posts would have answered it – Arthur Attout Jun 05 '18 at 10:50

1 Answer

1

The finishing of the handshake is done with both the ChangeCipherSpec and Finished messages, as you correctly state. But then you wrongly conclude from "Role of the finish phase : counter the downgrade attack." that the ChangeCipherSpec is the one which protects against the downgrade attack. Only it is not - the Finished message instead is used to counter this attack.

This protection works because the Finished message consists of a hash which includes all handshake messages. In case of a downgrade attack the attacker has modified the ClientHello in transit, which results in the server having a different idea of the handshake messages sent by the client than the client itself. This means that the Finished message created by the client and received by the server does not meet the server's expectations and the handshake will thus be aborted.

Steffen Ullrich
  • Oh, I wasn't even aware of that "all-messages-hash" thing. Does that mean that both the `client finished` and `server_finished` messages are always identical? – Arthur Attout Jun 04 '18 at 21:23
  • @ArthurAttout: They are not the same since the handshake messages are only one part which is used in creating the Finished message. See [section 7.4.9 in the TLS 1.2 standard](https://tools.ietf.org/html/rfc5246#section-7.4.9) for more details and note especially the different `finished_label` for server and client. – Steffen Ullrich Jun 04 '18 at 21:28
  • Okay, so when a side receives a `finished` message, it will recompute a hash with all the previous messages and check if both hashes match. That seems way more clear now (but please correct me if I'm still wrong !) – Arthur Attout Jun 04 '18 at 21:35
  • @ArthurAttout: you are correct. – Steffen Ullrich Jun 04 '18 at 21:37
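
An added example, not part of the original answer or comments: the TLS 1.2 Finished check from RFC 5246 section 7.4.9, `verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0..11]`, applied to a ClientHello whose strong suites were stripped in transit. The handshake messages, suite names and master secret are constructed stand-ins rather than real TLS encodings, and SHA-256 is assumed as the PRF hash.

```python
import hashlib
import hmac

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash expansion from RFC 5246 section 5, using HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def verify_data(master_secret: bytes, finished_label: bytes, handshake_messages: list) -> bytes:
    """PRF(master_secret, finished_label, Hash(handshake_messages))[0..11]."""
    transcript_hash = hashlib.sha256(b"".join(handshake_messages)).digest()
    # PRF(secret, label, seed) = P_hash(secret, label + seed)
    return p_sha256(master_secret, finished_label + transcript_hash, 12)

def server_accepts(master_secret: bytes, server_view: list, received: bytes) -> bool:
    """Server recomputes the client's Finished over the messages *it* saw."""
    expected = verify_data(master_secret, b"client finished", server_view)
    return hmac.compare_digest(expected, received)

# Constructed sample data (hypothetical names, not real wire formats).
MASTER_SECRET = bytes(range(48))  # known to client and server only
CLIENT_HELLO = b"ClientHello suites=[strong-suite-A, strong-suite-B, weak-suite]"
TAMPERED_HELLO = b"ClientHello suites=[weak-suite]"  # strong suites stripped in transit
LATER_MESSAGES = [b"ServerHello suite=weak-suite", b"Certificate", b"ServerHelloDone",
                  b"ClientKeyExchange"]

CLIENT_VIEW = [CLIENT_HELLO] + LATER_MESSAGES    # what the client sent and received
SERVER_VIEW = [TAMPERED_HELLO] + LATER_MESSAGES  # what the server actually received

if __name__ == "__main__":
    client_finished = verify_data(MASTER_SECRET, b"client finished", CLIENT_VIEW)
    print("untampered handshake accepted:",
          server_accepts(MASTER_SECRET, CLIENT_VIEW, client_finished))
    print("downgraded handshake accepted:",
          server_accepts(MASTER_SECRET, SERVER_VIEW, client_finished))
    # Same transcript, different finished_label: the two values are not identical.
    print("server label gives same value:",
          verify_data(MASTER_SECRET, b"server finished", CLIENT_VIEW) == client_finished)
```

In a real handshake the server's Finished also covers the client's Finished message, so the two transcripts differ as well as the labels.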