0 votes
If we switch out the ClientHello message to only propose really weak cipher suites that we are able to break very fast, how is this prevented?

It seems to me that when we are able to break the encryption, we are also able to change the Finished message that contains the HMAC over all messages because we know the key for the weak cipher that is also used for the HMAC. Is this correct?

1 Answer

0 votes
Best answer
Hi,

I do not really understand your question.

Just because we change the cipher suite does not mean that we know the key.
Does this clear up your question?

Cheers,
Sebastian
by (2.4k points)
0
I mean that if we downgrade to an insecure cipher suite of which we can e.g. brute-force the key quickly, wouldn't that allow us to also forge the MAC that uses the key which we were able to crack?
0
Hi,

If I understand your question correctly, you mean the following attack:

- Client sends CH
- Attacker changes CH to only list a very insecure cipher suite
- Server supports this cipher suite and sends SH with insecure CS as the chosen CS.
- Handshake continues
- Client sends FIN, which is intercepted by attacker
- Attacker somehow brute-forces a correct master secret (using the original MAC?), sends forged MAC to the server
- Success

This attack assumes that the attacker can somehow try each brute-force step without the server closing the connection.
It would only work if both client AND server support this very insecure CS.
The client also needs to initially offer this CS, otherwise it would not continue with the handshake.

In practice, this is very unlikely.

Does this clear it up?

Cheers,
Sebastian
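An added example (not part of the thread) of why the handshake described above fails at the Finished step: in TLS 1.2 verify_data is the PRF over the master secret and a hash of every handshake message each side saw, so if the ClientHello the server received differs from the one the client sent, the two verify_data values do not match and the server aborts. Suite names, message bodies and the master secret are constructed placeholders, not real TLS encodings.

```python
import hashlib
import hmac

# TLS 1.2 PRF (RFC 5246 section 5): P_SHA256 expanded to the requested length.
def p_sha256(secret, seed, length):
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret, label, seed, length):
    return p_sha256(secret, label + seed, length)

def verify_data(master_secret, label, transcript):
    # Finished.verify_data = PRF(master_secret, label, Hash(all handshake messages))[0:12]
    handshake_hash = hashlib.sha256(b"".join(transcript)).digest()
    return prf(master_secret, label, handshake_hash, 12)

def server_accepts_finished(master_secret, server_transcript, client_verify_data):
    # The server recomputes verify_data over the messages *it* saw and compares in constant time.
    expected = verify_data(master_secret, b"client finished", server_transcript)
    return hmac.compare_digest(expected, client_verify_data)

# Constructed placeholder handshake messages.
CH_ORIGINAL = b"ClientHello{suites=[STRONG_SUITE, WEAK_SUITE]}"
CH_TAMPERED = b"ClientHello{suites=[WEAK_SUITE]}"          # what a MitM forwarded
SH = b"ServerHello{suite=WEAK_SUITE}"                        # seen identically by both sides
SKE = b"ServerKeyExchange{...}"
CKE = b"ClientKeyExchange{...}"

def simulate_handshake(client_hello_modified):
    # Constructed master secret: derived by client and server, unknown to the MitM.
    master_secret = b"\x2a" * 48
    ch_received = CH_TAMPERED if client_hello_modified else CH_ORIGINAL
    client_transcript = [CH_ORIGINAL, SH, SKE, CKE]   # client hashes what it sent
    server_transcript = [ch_received, SH, SKE, CKE]   # server hashes what it received
    fin = verify_data(master_secret, b"client finished", client_transcript)
    return server_accepts_finished(master_secret, server_transcript, fin)

if __name__ == "__main__":
    print("untouched ClientHello accepted:", simulate_handshake(False))
    print("modified ClientHello accepted: ", simulate_handshake(True))
```

Without the master secret the MitM cannot compute a replacement verify_data for the modified transcript, so the mismatch is exactly the check that turns the ClientHello modification into a handshake failure.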
0
Yes, thank you