TLS ServerKeyExchange with 1024 DHE may encode dh_Y as 127 bytes, breaking Internet Explorer 11 - by Andrey Jivsov

Status: Fixed

This item has been fixed in the current or upcoming version of this product.
A more detailed explanation for the resolution of this particular item may have been provided in the comments section.


ID: 1253526
Status: Resolved
Type: Bug
Repros: 1
Opened: 4/16/2015 3:28:49 PM
Access Restriction: Public

Description

ServerKeyExchange message sent by our TLS server for DHE ciphersuites, e.g. DHE-DSS-AES256-SHA, includes a field dh_Y (g^x) that fits in 128 or fewer bytes for 1024-bit ephemeral DH. In 1 out of 256 exchanges dh_Y will fit into 127 bytes because it will have the highest byte equal 0. Sending dh_Y tightly packed into 127 bytes will make Internet Explorer fail the handshake.

This is observed with the latest IE available for download in Apr 2015:  IE 11.0.17 (KB3032359), Version 11.0.9600.17691.

This is a clear IE bug. Its existence probably stems from the fact that a DSA cert is required (rare on the public internet) and that the cert must be DSA 1024+SHA1, which provides substandard security at this point and is rare on the Internet. ECDHE doesn't have this problem because the payload is preceded by a fixed value, usually 0x4.

In more detail, let's parse a sample ServerKeyExchange message. It starts with

     struct {
         opaque dh_p<1..2^16-1>;
         opaque dh_g<1..2^16-1>;
         opaque dh_Ys<1..2^16-1>;
     } ServerDHParams;     /* Ephemeral DH parameters */

00 80  (dh_p)
                         ae fe-89 c6 4b 34 e9 bc 16 78
0010 - f7 e8 50 c9 62 9a 1c eb-cd 85 02 13 5c 68 d5 ed   ..P.b.......\h..
0020 - b0 8a f9 32 ee 3d be 7d-2b a1 38 7e b0 ea f7 74   ...2.=.}+.8~...t
0030 - b5 98 ba 04 0b 69 00 19-55 0f a5 7c e2 ba 5e e8   .....i..U..|..^.
0040 - d6 fb 9e 28 2d b9 31 47-89 42 b4 ff a2 58 d6 a8   ...(-.1G.B...X..
0050 - 6d 58 9b 75 e4 2c 74 13-38 42 10 d6 7e 41 45 c6   mX.u.,t.8B..~AE.
0060 - c8 8c 73 20 53 f2 28 ba-e5 7a ea d3 46 2c 98 c6   ..s S.(..z..F,..
0070 - d3 bd 10 a3 2d b0 6e db-75 31 89 fc 8a f4 94 97   ....-.n.u1......
0080 - f2 e0 3d 9c 7d 8b 

00 01 (dh_g)

       02 

00 7f (dh_Ys)

                                        fa 97 3a c9 f1   ..=.}........:..
0090 - 17 50 36 7a a5 a0 ef 0d-c5 ce 3d b3 84 eb c3 e3   .P6z......=.....
00a0 - ba cb 58 18 bc 92 59 2d-db 45 21 6c 9e b0 b6 80   ..X...Y-.E!l....
00b0 - 1f 62 b9 c5 7b e6 c1 35-bf 75 fe c9 f5 5c 4a f0   .b..{..5.u...\J.
00c0 - 81 4a e8 69 f8 12 89 fa-e5 ef 4d 93 58 f6 c0 63   .J.i......M.X..c
00d0 - 25 de d2 04 1c 60 62 c5-3c 4c e1 7e d0 a1 1e 0f   %....`b.<L.~....
00e0 - dc 5c bf 60 ae 5a 7a 30-af c4 c2 4c 50 11 92 50   .\.`.Zz0...LP..P
00f0 - d0 1e f5 52 f0 5e 92 40-a3 cd c5 01 d8 19 e9 08   ...R.^.@........
0100 - 13 c8 94 ee 84 ee 53 b0-a3 00 

... and I left the rest unparsed:

04 01 01 00 9a a2   ......S.........
0110 - 81 18 27 05 c0 c8 9d db-42 89 8a 15 f9 53 80 12   ..'.....B....S..
0120 - c2 d1 13 30 18 46 c2 45-99 ac c9 c1 07 4a 8c 18   ...0.F.E.....J..
0130 - 1e 70 dc 04 3f 02 4d af-35 32 44 37 5a 8c 22 8c   .p..?.M.52D7Z.".
0140 - 72 a4 ca 00 6d 7e cf b2-45 ed 1c 69 e5 41 84 88   r...m~..E..i.A..
0150 - cc ed 57 63 cd b0 6f 7e-f4 3b 52 d7 2b 82 de 2e   ..Wc..o~.;R.+...
0160 - f3 bb 65 31 e1 71 38 05-78 3a 0a 53 b4 77 f9 43   ..e1.q8.x:.S.w.C
0170 - b8 53 8d 25 29 74 64 43-62 d8 88 91 13 47 1e 4b   .S.%)tdCb....G.K
0180 - 0f ff e7 7e d0 1e 98 09-71 2e 6a 8f c9 d8 53 43   ...~....q.j...SC
0190 - 38 99 ce 3d 9c 40 9d 7e-2e f2 b0 af b0 b6 3b 03   8..=.@.~......;.
01a0 - 1b 69 83 18 6a 0c ba 0d-56 76 f0 8c 65 23 f2 a9   .i..j...Vv..e#..
01b0 - 56 cb e2 d0 8a 98 ca d5-d4 b6 70 86 dd 0e f6 f0   V.........p.....
01c0 - b7 77 05 61 5f a2 39 6e-6f 39 13 5d 4b 5f 69 c9   .w.a_.9no9.]K_i.
01d0 - 89 17 9e ad a1 43 11 d6-6a cd ed 13 a9 7d 70 38   .....C..j....}p8
01e0 - 17 96 d3 15 9b 9d 41 9b-12 81 38 ed ac 49 f3 76   ......A...8..I.v
01f0 - a7 0c bf 99 11 25 1d 6f-80 b6 c4 10 2b 4d d3 8c   .....%.o....+M..
0200 - 7b 3a 5b d1 87 07 6a 40-e9 e6 68 0d a9 e6 

IE doesn't like "00 7f  (dh_Y)", while it is happy with "00 80 (dh_Y)".
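The following is an added example, not code from the bug report or from Microsoft. It takes the ServerDHParams bytes exactly as they appear in the hex dump above (dh_p, dh_g and dh_Ys with their two-byte length prefixes; the handshake header and the trailing signature are left out), parses the three vectors, flags the case where a minimal encoding of dh_Ys comes out one byte shorter than dh_p, and re-encodes the parameters with dh_Ys left-padded with zeros to the length of dh_p. That padded form is what RFC 7919 requires for the FFDHE groups and is the server-side workaround for this client behaviour; the function and variable names are this example's own. It also computes, for this particular dh_p, how often a uniformly random public value has a zero top byte.

```python
"""Parse and re-encode the ServerDHParams from the ServerKeyExchange above.

Added example; the byte values are copied from the bug report's hex dump.
"""
import struct

# dh_p (128 bytes), dh_g (1 byte) and dh_Ys (127 bytes), each preceded by
# its 2-byte big-endian length, as they appear in the report's dump.
SAMPLE_SERVER_DH_PARAMS = bytes.fromhex(
    "0080"                                # dh_p length = 0x80 = 128
    "aefe89c64b34e9bc1678"
    "f7e850c9629a1cebcd8502135c68d5ed"
    "b08af932ee3dbe7d2ba1387eb0eaf774"
    "b598ba040b690019550fa57ce2ba5ee8"
    "d6fb9e282db931478942b4ffa258d6a8"
    "6d589b75e42c7413384210d67e4145c6"
    "c88c732053f228bae57aead3462c98c6"
    "d3bd10a32db06edb753189fc8af49497"
    "f2e03d9c7d8b"
    "0001" "02"                           # dh_g length = 1, g = 2
    "007f"                                # dh_Ys length = 0x7f = 127 (the IE-breaking case)
    "fa973ac9f1"
    "1750367aa5a0ef0dc5ce3db384ebc3e3"
    "bacb5818bc92592ddb45216c9eb0b680"
    "1f62b9c57be6c135bf75fec9f55c4af0"
    "814ae869f81289fae5ef4d9358f6c063"
    "25ded2041c6062c53c4ce17ed0a11e0f"
    "dc5cbf60ae5a7a30afc4c24c50119250"
    "d01ef552f05e9240a3cdc501d819e908"
    "13c894ee84ee53b0a300"
)


def read_opaque16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte length, then body."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field at offset %d" % off)
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length %d at offset %d" % (n, off - 2))
    return buf[off:off + n], off + n


def parse_server_dh_params(buf):
    """Split ServerDHParams into dh_p, dh_g, dh_Ys; 'rest' is whatever follows
    (in a full ServerKeyExchange that would be the signature)."""
    p, off = read_opaque16(buf, 0)
    g, off = read_opaque16(buf, off)
    ys, off = read_opaque16(buf, off)
    return {"p": p, "g": g, "Ys": ys, "rest": buf[off:]}


def diagnose(params):
    """Report the encoded lengths and whether dh_Ys was sent shorter than dh_p."""
    p_len, ys_len = len(params["p"]), len(params["Ys"])
    return {
        "p_bytes": p_len,
        "Ys_bytes": ys_len,
        # True when the top byte of Ys was 0x00 and got stripped: 127 < 128 here.
        "Ys_shorter_than_p": ys_len < p_len,
        # Sanity check any client should do regardless of length: 1 < Ys < p.
        "Ys_in_range": 1 < int.from_bytes(params["Ys"], "big")
                           < int.from_bytes(params["p"], "big"),
    }


def encode_opaque16(body):
    return struct.pack("!H", len(body)) + body


def encode_server_dh_params(p, g, y, pad_ys=True):
    """Re-encode ServerDHParams from dh_p/dh_g bytes and the integer public
    value y.  pad_ys=True left-pads dh_Ys with zeros to len(dh_p), the form
    RFC 7919 mandates and the workaround that keeps IE 11 happy; pad_ys=False
    is the minimal encoding the report's server used."""
    if pad_ys:
        ys = y.to_bytes(len(p), "big")
    else:
        ys = y.to_bytes((y.bit_length() + 7) // 8, "big")
    return encode_opaque16(p) + encode_opaque16(g) + encode_opaque16(ys)


def leading_zero_probability(p):
    """Fraction of uniformly random Y in [1, p) whose top byte is 0x00, i.e.
    how often a minimal dh_Ys is one byte shorter than dh_p.  The report's
    '1 in 256' assumes a full-size top byte; for this p it is closer to 1/175."""
    n = len(p)
    return 2 ** (8 * (n - 1)) / int.from_bytes(p, "big")


if __name__ == "__main__":
    params = parse_server_dh_params(SAMPLE_SERVER_DH_PARAMS)
    print(diagnose(params))
    y = int.from_bytes(params["Ys"], "big")
    fixed = encode_server_dh_params(params["p"], params["g"], y, pad_ys=True)
    print("padded dh_Ys length:", len(parse_server_dh_params(fixed)["Ys"]))
    print("P(top byte of Ys == 0) for this p: %.5f" % leading_zero_probability(params["p"]))
```

Running it reproduces the report's parse (dh_p 128 bytes, dh_g = 2, dh_Ys 127 bytes) and produces the 128-byte padded dh_Ys that IE accepts; encoding with pad_ys=False gives back the original bytes exactly, which confirms the server was sending a minimal big-endian encoding. A client-side parser should accept both forms, since RFC 5246 does not require dh_Ys to be padded.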
Posted by Microsoft on 3/28/2016 at 8:23 AM
Based on recent testing the issue has been fixed and will be closed out to reflect this. Should you happen to see the problem as still active in Win10 please feel free to re-activate at your earliest convenience.

All the best,
The MS Edge Team
Posted by RonCl on 2/12/2016 at 7:17 AM
Frad and EricLaw - Thanks for the updates. Very much appreciated.
Posted by RonCl on 1/27/2016 at 7:26 AM
We are seeing this same sort of behavior when using the Microsoft .NET Framework class HttpWebRequest. Does anyone know if this bug in IE 11 is due to its reliance on that class, or if the HttpWebRequest class calls the same low-level code that IE 11 is calling when this bug is encountered?

Related discussion: http://security.stackexchange.com/questions/104845/dhe-rsa-pubkey-length-in-tls-1-2
Posted by Microsoft on 10/8/2015 at 9:52 AM
Hello everyone,

Yes we are working on this and will provide more information as it becomes available. Thanks for taking the time to file this feedback.

All the best,
The Microsoft Edge Team
Posted by EricLaw [ex-MSFT] on 8/13/2015 at 8:31 AM
From Microsoft: I just got confirmation from the team that we’re aware of the issue, and working to resolve it in a future update.
https://twitter.com/jonathansampson/status/631608981165768704
Posted by EricLaw [ex-MSFT] on 8/12/2015 at 2:47 PM
Possible repro: https://www.ssllabs.com/ssltest/analyze.html?d=fs.dimensional.com

Ref: https://twitter.com/BlommersC/status/631577876429672448