On Wednesday, 8 May 2019 02:31:57 CEST Martin Rex wrote: > Hubert Kario <hka...@redhat.com> wrote: > >> Thanks to Peter Gutmann for the summary: > >> https://mailarchive.ietf.org/arch/msg/tls/g0MDCdZcHsvZefv4V8fssXMeEHs > >> > >> which you may have missed. > > > > yes, Joux paper also shows that attacking MD5||SHA1 is harder than > > attacking SHA1 alone > > > > but that doesn't matter, what matters is _how much harder it is_ and Joux > > paper says that it's less than a work factor of two, something also knows > > as a "rounding error" for cryptographic attacks > > collision attacks and real-time 2nd preimage attacks on randomly keyed > hashes are substantially different things. > > simple math seems hard. > > > TLSv1.0 + TLSv1.1 both use (rsa, MD5||SHA1) > > TLSv1.2 (rfc5246) permitted (rsa, MD5) and allows (rsa,SHA1)
side note on that, with ECDSA, all three versions use (ecdsa, sha1) so everything we are discussing applies to RSA and RSA only > if we assumed that there *existed* (it currently doesn't, mind you) > > a successful preimage attack on MD5 with effort 2^20 > a successful preimage attack on SHA1 with effort 2^56 > > then if Joux would apply not just to multicollisons, but also 2nd preimage, > > then the efforts would be: > > TLSv1.2 (rsa,MD5) 2^20 > TLSv1.2 (rsa,SHA1) 2^56 > > TLSv1.0 (rsa, MD5||SHA1) >= 2^57 (slightly more than the stronger of the > two) > > > Comparing TLSv1.0 (rsa,MD5||SHA1) 2^57 with TLSv1.2 (rsa,MD5) 2^20 > > A factor 2^37 is significantly more than "marginally stronger". MD5 was deprecated and removed by basically every library and can't be used in TLS 1.2, I specifically meant SHA1 > If you are aware of successfull 2nd preimage attacks on > either MD5 or SHA1, please provide references. "attacks only get better with time" -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
