> I'm also wondering whether it might be misleading to lump the
> (in)significance of the currently known collisions for HMAC-SHA1
> and HMAC-MD5 together with the (in)significance for
> (general, low-frequent) digital signatures and together with
> PKCS#10 & Certificate-issuance design flaw that enables a
> mere collision attack to achieve what would normally require
> a successful 2nd preimage attack.
I couldn't really parse this sentence very well, but here are some clarifications. As far as we know, HMAC-MD5 and HMAC-SHA1 are still sufficiently strong MAC functions, and their use in the TLS Record is not vulnerable to currently known attacks. TLS also uses HMAC in other situations, though, and those may well be vulnerable to collisions. In particular, the Finished message in TLS 1.1 is not a strong MAC because it first hashes the transcript before applying the HMAC. Similarly, the use of truncated HMACs in Finished breaks tls-unique and weakens the renegotiation indication countermeasure. Generally, HMAC used as a MAC is OK, but when used as a hash function it is as vulnerable to collisions as the underlying hash function.

Coming back to digital signatures, all uses of weak hash functions are essentially broken. The attacks on certificates were well known, and SLOTH shows that other uses of digital signatures in many mainstream protocols also require collision resistance.

Best,
Karthik

> Compare the Security Considerations of rfc2104 for the (in)significance
> of current collision attacks for HMAC.
>
> https://tools.ietf.org/html/rfc2104#section-6
>
> -Martin
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
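As an added illustration of the point made above about hashing the transcript before applying HMAC (a constructed example, not code from this thread or from any TLS implementation): a 16-bit truncated SHA-256 stands in for a hash with practical collisions, and "HMAC over the digest" is a simplified model of the TLS 1.1 Finished computation rather than its actual PRF. It shows that a transcript collision found offline, with no key material, yields identical Finished values under every key, whereas a MAC taken directly over the transcript is unaffected.

```python
import hashlib
import hmac
import itertools

# Toy "weak" transcript hash: SHA-256 truncated to 16 bits, so a collision
# can be found by brute force in well under a second. This stands in for
# MD5/SHA-1; no real MD5/SHA-1 collision blocks are reproduced here.
def weak_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:2]

def finished_hash_then_mac(key: bytes, transcript: bytes) -> bytes:
    # Simplified model of the criticised pattern: hash the transcript first,
    # then MAC the digest. Only weak_hash's collision resistance protects it.
    return hmac.new(key, weak_hash(transcript), hashlib.sha256).digest()

def mac_over_transcript(key: bytes, transcript: bytes) -> bytes:
    # MAC the full transcript directly: a weak_hash collision is irrelevant.
    return hmac.new(key, transcript, hashlib.sha256).digest()

def find_transcript_collision(prefix: bytes):
    """Return two distinct transcripts with equal weak_hash.

    Birthday search over a counter suffix; needs no key, so an attacker
    could do this entirely offline.
    """
    seen = {}
    for i in itertools.count():
        candidate = prefix + i.to_bytes(4, "big")
        digest = weak_hash(candidate)
        if digest in seen:
            return seen[digest], candidate
        seen[digest] = candidate

def demo() -> dict:
    # Constructed sample transcript prefix and master secrets (not real TLS data).
    t1, t2 = find_transcript_collision(b"ClientHello|ServerHello|Certificate|")
    keys = [b"constructed-master-secret-%d" % n for n in range(3)]
    return {
        "distinct_transcripts": t1 != t2,
        # Identical Finished for every key: forging t2's Finished from t1's
        # requires no knowledge of the key at all.
        "finished_equal_for_all_keys": all(
            finished_hash_then_mac(k, t1) == finished_hash_then_mac(k, t2)
            for k in keys),
        # A MAC over the raw transcript does not collapse on the collision.
        "direct_mac_equal": any(
            mac_over_transcript(k, t1) == mac_over_transcript(k, t2)
            for k in keys),
    }
```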