
I'm reading the SSL specs, and it seems that the initial handshake has no authenticity protection at all.


Question

I'm reading the SSL specs, and it seems that the initial handshake has no authenticity protection at all. What is to prevent, say, an attacker from overwriting the "available ciphers" list with one that is full of broken, or even null, ciphers? Is there some sort of defense for this, or is this fundamentally unsolvable because the handshake part by definition cannot itself be authenticated (which leads to infinite regress)? Is there a way to anonymously authenticate the initial, non-authenticated part of an SSL connection?

Explanation / Answer

The cornerstone of the handshake security is that the Finished messages, sent under the protection of the newly exchanged key (for encryption and MAC), contain hash values computed over all the handshake messages exchanged so far, including the list of cipher suites and all other parameters. As long as client and server don't negotiate the use of a cipher suite which can be broken instantaneously, these Finished messages reliably detect foul play.
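To make that mechanism concrete, here is an added example (not part of the original answer) that models the TLS 1.2 Finished computation, verify_data = PRF(master_secret, label, Hash(all handshake messages)) truncated to 12 bytes, with the PRF as specified in RFC 5246; the handshake messages and master secret are constructed placeholders, not real TLS encodings. It shows that an in-flight rewrite of the client's cipher-suite list makes the two endpoints' transcript hashes diverge, so the server's check of the client's Finished fails and the tampering is detected.

```python
import hashlib
import hmac

# TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed), expanded to `length` bytes.
def prf_sha256(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def verify_data(master_secret: bytes, label: bytes, transcript) -> bytes:
    """Finished.verify_data = PRF(master_secret, label, Hash(handshake_messages))[:12]."""
    handshake_hash = hashlib.sha256(b"".join(transcript)).digest()
    return prf_sha256(master_secret, label, handshake_hash, 12)

# Constructed placeholder messages: only the fact that the cipher-suite list the client
# *sent* is covered by the transcript hash matters here, not the real wire format.
CLIENT_HELLO_SENT = b"ClientHello:suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
SERVER_HELLO_OK = b"ServerHello:suite=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
SERVER_HELLO_NULL = b"ServerHello:suite=TLS_RSA_WITH_NULL_SHA"
KEY_EXCHANGE = b"ClientKeyExchange:..."
# Constructed master secret; a man-in-the-middle who only rewrites hellos does not learn it.
MASTER_SECRET = hashlib.sha256(b"constructed master secret shared by both endpoints").digest()

def client_finished(client_hello_as_sent: bytes, server_hello: bytes) -> bytes:
    # The client hashes the ClientHello it actually transmitted.
    return verify_data(MASTER_SECRET, b"client finished",
                       [client_hello_as_sent, server_hello, KEY_EXCHANGE])

def server_check(client_hello_as_received: bytes, server_hello: bytes, received: bytes) -> bool:
    # The server recomputes over the ClientHello it actually received and compares in constant time.
    expected = verify_data(MASTER_SECRET, b"client finished",
                           [client_hello_as_received, server_hello, KEY_EXCHANGE])
    return hmac.compare_digest(expected, received)

def honest_handshake() -> bool:
    # Both sides saw the same messages, so the Finished check passes.
    return server_check(CLIENT_HELLO_SENT, SERVER_HELLO_OK,
                        client_finished(CLIENT_HELLO_SENT, SERVER_HELLO_OK))

def tampered_handshake() -> bool:
    # A man-in-the-middle rewrites the suite list in flight; the server picks the null suite,
    # but the client hashed the list it originally sent, so the transcripts diverge.
    tampered = b"ClientHello:suites=TLS_RSA_WITH_NULL_SHA"
    return server_check(tampered, SERVER_HELLO_NULL,
                        client_finished(CLIENT_HELLO_SENT, SERVER_HELLO_NULL))
```

The caveat from the answer applies unchanged: the check only holds while the attacker cannot recover the master secret during the handshake, since with it they could compute a matching Finished for the altered transcript.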