On Friday, 3 May 2019 16:56:54 CEST Martin Rex wrote:
> Hubert Kario <hka...@redhat.com> wrote:
> > We've been over this Martin, the theoretical research shows that for
> > Merkle-Damgård functions, combining them doesn't increase their security
> > significantly.
>
> You are completely misunderstanding the results.
>
> The security is greatly increased!

Like I said, those were the follow-up papers; the original is still Joux:
https://www.iacr.org/archive/crypto2004/31520306/multicollisions.pdf

> TLSv1.2 (rsa,MD5) *cough* -- which a depressingly high number of clueless
> implementers actually implemented, see SLOTH

SLOTH? You mean the same one in which Bhargavan and Leurent write:

  Concatenation: To strengthen protocols against collisions in any one hash
  function, it may be tempting to use a combination of two independent hash
  functions. For example, TLS versions up to 1.1 use a concatenation of MD5
  and SHA-1. While the output length of this construction is 288 bits, it
  does not offer the security of a 288-bit hash function. In particular,
  Joux described a multi-collision attack that breaks the concatenation of
  two hash functions with roughly the same effort as breaking the strongest
  one of the two [18].

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
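The concatenation result quoted from the SLOTH paper, as an added example that is not part of the original message: Joux's multicollision construction run against two toy 24-bit iterated hashes, finding a collision in their 48-bit concatenation in far fewer than the 2**24 compression calls a generic birthday search would need. The compression functions (SHA-256 truncated to 3 bytes) and all function names are assumptions chosen for illustration.

```python
import hashlib

def compress(tag, nbytes):
    """Toy compression function (constructed): SHA-256 truncated to nbytes."""
    def f(state, block):
        f.calls += 1
        return hashlib.sha256(tag + state + block).digest()[:nbytes]
    f.calls = 0
    return f

def md_hash(f, nbytes, blocks):
    """Iterated (Merkle-Damgard) hash; padding omitted, all messages equal length."""
    state = bytes(nbytes)
    for b in blocks:
        state = f(state, b)
    return state

def block_collision(f, state):
    """Birthday search for two distinct blocks colliding from one chaining value."""
    seen = {}
    for i in range(2**32):
        blk = i.to_bytes(4, "big")
        out = f(state, blk)
        if out in seen:
            return seen[out], blk, out
        seen[out] = blk

def joux_collision(f, g, n1, n2, t):
    """Collision for F||G: 2**t-way multicollision in F, then birthday in G."""
    pairs, state = [], bytes(n1)
    for _ in range(t):  # t chained collisions give 2**t messages with equal F
        b0, b1, state = block_collision(f, state)
        pairs.append((b0, b1))
    frontier = [(bytes(n2), ())]  # (G chaining value, blocks chosen so far)
    for pair in pairs:
        frontier = [(g(s, b), p + (b,)) for s, p in frontier for b in pair]
    seen = {}
    for digest, path in frontier:
        if digest in seen:
            return seen[digest], path
        seen[digest] = path
    return None  # no G collision among the 2**t messages; raise t

def demo(nbytes=3, t=16):
    f, g = compress(b"F", nbytes), compress(b"G", nbytes)
    m1, m2 = joux_collision(f, g, nbytes, nbytes, t)
    return m1, m2, f, g, f.calls + g.calls

if __name__ == "__main__":
    print(demo()[-1], "compression calls vs 2**24 generic")
```

The work is dominated by the birthday searches on each single function, which is why the concatenation adds little collision resistance beyond the stronger of the two.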