On Mon, Jan 11, 2016 at 3:09 PM, Peter Gutmann
<pgut...@cs.auckland.ac.nz> wrote:
> Kurt Roeckx <k...@roeckx.be> writes:
>
>>After the SLOTH paper, we should think about starting to deprecate TLS 1.0
>>and TLS 1.1 and the SHA1 based signature algorithms in TLS 1.2.
>
> The vulnerabilities shown in the SLOTH paper were based on the fact that
> implementations still allow MD5 for authentication/integrity protection, even
> if (for example) it's explicitly disabled in the config.  So the problem
> wasn't a fault in the protocol, it's buggy implementations (as it was for ones
> that allowed 512-bit keys, non-prime primes, and so on).  Throwing out TLS 1.1
> based on this seems rather premature.

Do the RFCs require the relevant checks or not? And given that
implementations frequently get these sorts of things wrong, how do we
make the standard robust against it?

>
>>As I understand it, they estimate that both TLS 1.2 with SHA1 and TLS 1.0 and
>>1.1 with MD5|SHA1 currently require about 2^77 to be broken.  They all depend
>>on the chosen prefix collision on SHA1, with the MD5 part in TLS 1.0 and 1.1
>>not adding much.
>
> That's presumably based on Joux' multicollisions paper, which also says that
> "We also discuss the potential impact of our attack on several published
> schemes. Quite surprisingly, for subtle reasons, the schemes we study happen
> to be immune to our attack".

And if you actually read beyond the abstract, you would see that he
never considers the straight up concatenation of MD5 and SHA1 which is
indeed vulnerable, exactly matching the attacks he develops.
>
> More pragmatically, no-one has ever demonstrated any problem with the MD5 ||
> SHA1 construct used in TLS, despite there being obvious problems in MD5 and
> SHA1 by themselves.

That's because real cryptographers understand that this is only 64
times better than SHA1, and so don't bother to mention it.
>
> Peter.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.
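
The check at issue in this thread (rejecting a peer signature made with a hash the endpoint never offered or has disabled), sketched as an added example that is not part of the original message or of any TLS implementation. It inspects only the TLS 1.2 signature_algorithms list and the header of the digitally-signed struct, not the signature itself; the function names, the weak-hash policy and the sample bytes are assumptions constructed for illustration.

```python
import struct

# TLS 1.2 HashAlgorithm / SignatureAlgorithm code points (RFC 5246, 7.4.1.4.1)
HASH = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
WEAK_HASHES = {"none", "md5", "sha1"}  # local policy, assumed for this example


def parse_signature_algorithms(ext_body: bytes) -> list:
    """Parse the extension_data of signature_algorithms into (hash, sig) pairs."""
    if len(ext_body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    pairs = ext_body[2:]
    if list_len != len(pairs) or list_len == 0 or list_len % 2:
        raise ValueError("malformed signature_algorithms length")
    return [(pairs[i], pairs[i + 1]) for i in range(0, list_len, 2)]


def check_peer_signature(offered_ext: bytes, digitally_signed: bytes) -> str:
    """Return 'ok' or a rejection reason for a TLS 1.2 digitally-signed header."""
    offered = parse_signature_algorithms(offered_ext)
    if len(digitally_signed) < 4:
        return "reject: truncated digitally-signed struct"
    hash_id, sig_id, sig_len = struct.unpack("!BBH", digitally_signed[:4])
    if sig_len != len(digitally_signed) - 4:
        return "reject: signature length mismatch"
    name = HASH.get(hash_id)
    if name is None or sig_id not in SIG:
        return "reject: unknown algorithm code point"
    # Check 1: the peer may only use a pair that was actually offered.
    if (hash_id, sig_id) not in offered:
        return f"reject: {name}/{SIG[sig_id]} was not offered"
    # Check 2: policy still applies if a weak pair slipped into the offer.
    if name in WEAK_HASHES:
        return f"reject: {name} disallowed by policy"
    return "ok"


# Constructed sample data: offer sha256/rsa and sha1/rsa; 4-byte dummy signatures.
OFFER = bytes([0x00, 0x04, 0x04, 0x01, 0x02, 0x01])
SIGNED_SHA256 = bytes([0x04, 0x01, 0x00, 0x04]) + b"\x00" * 4
SIGNED_MD5 = bytes([0x01, 0x01, 0x00, 0x04]) + b"\x00" * 4
SIGNED_SHA1 = bytes([0x02, 0x01, 0x00, 0x04]) + b"\x00" * 4

if __name__ == "__main__":
    for label, blob in [("sha256", SIGNED_SHA256), ("md5", SIGNED_MD5), ("sha1", SIGNED_SHA1)]:
        print(label, "->", check_peer_signature(OFFER, blob))
```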
