On Fri, May 03, 2019 at 04:53:44PM +0000, Peter Gutmann wrote:
> Hubert Kario <hka...@redhat.com> writes:
> 
> >And the practical research:
> >https://eprint.iacr.org/2016/131.pdf
> >https://www.iacr.org/archive/asiacrypt2009/59120136/59120136.pdf
> >only confirms that.
> 
> That would be the practical research that says:
> 
>   Due to these constraints, the practical impact of our second preimage attack
>   is limited and its main significance is theoretical.
> 
> This is obviously some strange use of the word "practical" that I wasn't
> previously aware of.
> 
> The other one is a bit too vague to comment on:
> 
>   would lead to an attack on the combiner MD5 || SHA-1 with complexity less
>   than 2^59 (assuming the type 1 collision attack on SHA-1 is fast enough).
> 
> "assuming" and "fast enough" could mean anything ("this leads to an attack on
> AES-GCM with complexity less than 2^59 assuming the key recovery attack on
> AES-128 is fast enough").  However earlier on the paper says:
> 
>   Let’s further assume that a breakthrough in cryptanalysis of SHA-1 brings
>   down the complexity of a collision search attack to 2^52. We know that the
>   best collision search attacks on MD5 are as fast as 2^15
> 
> So what's being shown is that the strength is 2^59 assuming some unspecified
> but pretty spectacular new attack on SHA-1 suddenly turns up, rather than
> e.g. 2^(52+15) = 2^67.
> 
> Even with the appearance of this imaginary new attack, the security of
> MD5||SHA1 is still better than either MD5 or SHA-1 by itself, which is what
> TLS 1.2 specifies.  So I think Martin's point is proven.

I'll make the obligatory note that SHA-2 is fine, and if you decide that
neither MD5 nor SHA1 are in great shape and decide to not use them at
all (whether alone or in combination), you are also doing fine.
It's not like publishing another RFC is going to magically change the
behavior of the already deployed systems that people are currently using
these things with, after all, and if someone does change their system,
are you really going to recommend they go to TLS 1.0 with MD5||SHA1 rather
than TLS 1.2 with SHA2?

-Ben

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
