The initial TLS handshake agrees on a cipher suite to use, but what stops an attacker from MITM-ing the initial handshake and downgrading the cipher suites?
I feel like this question is already answered somewhere on this site, but the quick summary is that even the initial request is protected by a signature... maybe I'll find the original soon... – Conor Mancone Sep 26 '19 at 18:24
You're interested in the `Finished` message referenced in this answer: https://security.stackexchange.com/a/20847/149676 – Conor Mancone Sep 26 '19 at 18:45
Also see this: https://security.stackexchange.com/questions/71979/how-well-is-the-ssl-tls-handshake-protected-against-modifications?rq=1 – Conor Mancone Sep 26 '19 at 18:45
1 Answer
In short, the Finished message is a hash of the entire handshake, encrypted with the negotiated keys. The negotiated keys are derived by something protected by asymmetric cryptography. Validation of the Finished message validates the transcript of the handshake.
This is probably answered in multiple answers on SE for "How does TLS work?".
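An added example (not part of the original answer) of the transcript check described above, using the TLS 1.2 Finished computation from RFC 5246: each side runs a keyed PRF over its own view of the handshake messages, so a ClientHello altered in transit produces mismatching values. The message framing, the fixed master secret and the function names are constructed for illustration; a real master secret comes from the key exchange and is unknown to the attacker.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion used by the TLS 1.2 PRF (RFC 5246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def verify_data(master_secret: bytes, label: bytes, transcript: list) -> bytes:
    """Finished.verify_data = PRF(master_secret, label, SHA256(messages))[0..11]."""
    digest = hashlib.sha256(b"".join(transcript)).digest()
    return p_sha256(master_secret, label + digest, 12)


def client_hello(suites: list) -> bytes:
    # Constructed stand-in for a ClientHello: only the cipher suite list.
    return b"ClientHello:" + b"".join(s.to_bytes(2, "big") for s in suites)


def server_accepts_finished(tampered: bool) -> bool:
    """Simulate one handshake; return True if the client's Finished verifies."""
    master_secret = bytes(range(48))  # constructed sample value (assumption)
    # 0xC02F ECDHE_RSA_AES_128_GCM, 0x009C RSA_AES_128_GCM, 0x000A RSA_3DES_EDE_CBC
    sent = client_hello([0xC02F, 0x009C, 0x000A])
    # A man in the middle removes the strong suites before the server sees them.
    received = client_hello([0x000A]) if tampered else sent
    chosen = 0x000A if tampered else 0xC02F
    server_hello = b"ServerHello:" + chosen.to_bytes(2, "big")

    # The client hashes what it sent; the server hashes what it received.
    client_value = verify_data(master_secret, b"client finished", [sent, server_hello])
    expected = verify_data(master_secret, b"client finished", [received, server_hello])
    return hmac.compare_digest(client_value, expected)


if __name__ == "__main__":
    print("untouched handshake accepted:", server_accepts_finished(False))
    print("downgraded handshake accepted:", server_accepts_finished(True))
```
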