Hubert Kario <hka...@redhat.com> wrote:
>
> We've been over this Martin, the theoretical research shows that for
> Merkle-Damgård functions, combining them doesn't increase their security
> significantly.

You are completely misunderstanding the results.

The security is greatly increased!

Nobody is afraid of the exhaustive search preimage attacks.
What folks with a little crypto clue are afraid of is
significantly-faster-than-exhaustive-search real-time preimage attacks.

And this is where

    TLSv1.0 + TLSv1.1 (rsa,SHA1+MD5)

is *significantly* stronger than

    TLSv1.2 (rsa,MD5)    *cough* -- which a depressingly high number
                         of clueless implementers actually implemented,
                         see SLOTH
    TLSv1.2 (rsa,SHA1)

That is also trivially formally provable. Assume that a real-time preimage
attack for *one* of the functions is discovered, and compare the resulting
efforts.

-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls