In TLS, client hello and server hello messages are not authenticated. Explain why this is the case, and present one attack that relies on this fact.
The correct answer and explanation is:
Correct Answer:
In TLS, the ClientHello and ServerHello messages are not authenticated because they occur before the secure session is fully established and cryptographic keys are exchanged. This means that at the time these messages are sent, there is no shared secret or trusted identity yet established between the client and the server to enable authentication or encryption.
Explanation (300 words):
Transport Layer Security (TLS) is a cryptographic protocol used to secure communications over the internet. The handshake phase of TLS initiates the secure session. During this handshake, the ClientHello message (sent by the client) and the ServerHello message (sent by the server) are exchanged as the first steps in the process. These messages include important information such as:
- Supported TLS versions and cipher suites
- Random values used in key generation
- Extensions (e.g., Server Name Indication)
However, at this early stage, no encryption or authentication has yet occurred. There is no shared key or certificate verification in place when these messages are transmitted. As a result, they are sent in plaintext and are not cryptographically protected, making them vulnerable to interception or modification by attackers on the network.
Example Attack: Downgrade Attack (e.g., POODLE)
A well-known attack that exploits the unauthenticated nature of these early messages is a downgrade attack. In this attack, a man-in-the-middle (MITM) intercepts the ClientHello message and modifies it to indicate weaker cipher suites or an older protocol version, such as SSL 3.0. If the server accepts this modified message and responds accordingly, the attacker can force both parties to use an outdated and vulnerable encryption method.
A specific example is the POODLE attack, which relies on downgrading a TLS connection to SSL 3.0, a protocol with known security flaws. Once the connection is downgraded, the attacker can exploit vulnerabilities in SSL 3.0 to decrypt secure information such as cookies.
Thus, the lack of authentication for these early handshake messages makes TLS susceptible to such downgrade and MITM attacks.
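To make the two points above concrete, the following Python example (added here; it is not part of the original answer) builds a minimal ClientHello record, parses the plaintext fields the explanation lists (client version, random, cipher suites, SNI, supported_versions), and then applies the server-side check from RFC 7507: a client that retries at a lower version includes the TLS_FALLBACK_SCSV signalling suite (0x5600), and a server that supports a higher version aborts with inappropriate_fallback instead of completing the downgraded handshake. The ClientHello bytes are constructed, not captured traffic; the helper names (`build_client_hello`, `parse_client_hello`, `server_should_abort`, `offers_ssl3`) are this example's own, while the protocol constants are the real TLS values.

```python
import struct

# Real TLS constants (RFC 5246, RFC 8446, RFC 7507); everything else here is constructed.
SSL3, TLS12, TLS13 = 0x0300, 0x0303, 0x0304
TLS_FALLBACK_SCSV = 0x5600                     # signalling cipher suite value, RFC 7507
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B


def build_client_hello(client_version, cipher_suites, sni, supported_versions=(), random=b"\x11" * 32):
    """Assemble a minimal ClientHello record (constructed sample, not captured traffic)."""
    body = struct.pack("!H", client_version) + random
    body += b"\x00"                                            # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                        # one compression method: null
    host = sni.encode()
    name_list = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name(0)
    sni_ext = struct.pack("!H", len(name_list)) + name_list
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        sv = struct.pack("!B", len(vers)) + vers
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # ContentType handshake(22)


def parse_client_hello(record):
    """Read the unprotected fields straight out of the record: nothing here is encrypted or signed."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    random = body[pos:pos + 32]; pos += 32
    pos += 1 + body[pos]                                       # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                       # skip compression methods
    info = {"client_version": client_version, "random": random.hex(),
            "cipher_suites": suites, "sni": None, "supported_versions": []}
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME:                       # list_len(2) type(1) name_len(2) name
                nlen = struct.unpack("!H", data[3:5])[0]
                info["sni"] = data[5:5 + nlen].decode()
            elif etype == EXT_SUPPORTED_VERSIONS:              # len(1) then 2-byte versions
                n = data[0]
                info["supported_versions"] = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return info


def highest_offered(info):
    """TLS 1.3 clients advertise versions in supported_versions; older clients use client_version."""
    return max(info["supported_versions"]) if info["supported_versions"] else info["client_version"]


def offers_ssl3(info):
    """True when the client is willing to go no higher than SSL 3.0, the version POODLE needs."""
    return highest_offered(info) <= SSL3


def server_should_abort(info, server_max=TLS12):
    """RFC 7507 server rule: SCSV present and the client's highest version is below what we
    support means this is a fallback retry, so abort with inappropriate_fallback."""
    return TLS_FALLBACK_SCSV in info["cipher_suites"] and highest_offered(info) < server_max


if __name__ == "__main__":
    hello = build_client_hello(TLS12, [0xC02F, 0x002F], "example.com", (TLS13, TLS12))
    print(parse_client_hello(hello))
    retry = build_client_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV], "example.com")
    print("abort fallback:", server_should_abort(parse_client_hello(retry)))
```

The parser needs no keys to recover every field, which is the point of the explanation: anyone on the path can read or rewrite these bytes. The abort rule is the defensive counterpart: a server that honours TLS_FALLBACK_SCSV refuses the SSL 3.0 retry a downgrade relies on, and disabling SSL 3.0 outright removes the target version entirely.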