> So here are the things mentioned in the paper:
> 1) Some things that were believed to require preimage resistance
>need collision resistance. This by itself reduces security bits
>of the hashes by a factor 2. Assuming MD5 and SHA1 didn't have
>any problem with collision resistance
On Mon, Jan 11, 2016 at 09:38:05PM +0100, Jakob Bohm wrote:
> On 08/01/2016 18:43, Salz, Rich wrote:
> >Are you going to keep posting and posting until you get a response? :(
> >
> >Master branch, 1.1, is not released but will not be vulnerable (may already be fixed)
> >1.0.2 is not
"Since the HMAC is only 96 bits long, even a generic collision requires
only about 248 HMAC computations"
But a sequence/call-flow diagram is on the page Sandeep referenced:
http://www.mitls.org/pages/attacks/SLOTH
- M
___
openssl-users mailing list
To unsubscribe:
2^48. Which is larger than 248, which was a cut-and-paste error. ;-)
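The 96-bit truncation point above (a generic collision in about 2^48 HMAC computations) is the birthday bound at work, and it is also the "halves the security bits" remark at the top of the thread. The following is an added example, not code from the thread, from the SLOTH authors or from OpenSSL: a Python birthday search on an HMAC-SHA256 tag truncated to a chosen width. The key, the message prefix and the 24-bit demo width are constructed for illustration (a 96-bit search is roughly 2^48 evaluations and is not something to run here); the point is that a collision appears after about 2^(n/2) tag evaluations for an n-bit tag. A SLOTH man-in-the-middle holds both sessions' keys, which is why computing the MAC itself is not the obstacle.

```python
"""Birthday search on a truncated HMAC tag (constructed demo for this thread)."""
import hashlib
import hmac
import math

# Constructed key; a man-in-the-middle in the tls-unique setting knows both sessions' keys.
DEMO_KEY = b"demo-session-key"


def truncated_hmac(key: bytes, msg: bytes, tag_bits: int) -> bytes:
    """HMAC-SHA256 cut to its first tag_bits bits (tag_bits must be a multiple of 8)."""
    if tag_bits % 8 or not 8 <= tag_bits <= 256:
        raise ValueError("tag_bits must be a multiple of 8 between 8 and 256")
    return hmac.new(key, msg, hashlib.sha256).digest()[: tag_bits // 8]


def expected_collision_work(tag_bits: int) -> float:
    """Generic birthday bound: about sqrt(pi/2 * 2**n) tag evaluations for an n-bit tag."""
    return math.sqrt(math.pi / 2 * 2.0 ** tag_bits)


def find_tag_collision(key: bytes, tag_bits: int, prefix: bytes = b"transcript-") -> tuple:
    """Enumerate distinct messages until two share a truncated tag.

    Returns (msg_a, msg_b, tag, attempts). Memory is one dict entry per attempt,
    fine for demo widths; a 96-bit tag would need about 2**48 evaluations.
    """
    seen = {}
    attempts = 0
    while True:
        msg = prefix + attempts.to_bytes(8, "big")   # distinct message per attempt
        tag = truncated_hmac(key, msg, tag_bits)
        attempts += 1
        if tag in seen:
            return seen[tag], msg, tag, attempts
        seen[tag] = msg


if __name__ == "__main__":
    bits = 24
    a, b, tag, n = find_tag_collision(DEMO_KEY, bits)
    print("collision after %d attempts (birthday estimate %.0f); tag %s"
          % (n, expected_collision_work(bits), tag.hex()))
    print("96-bit tag: about 2**%.1f evaluations" % math.log2(expected_collision_work(96)))
```

Run it with a larger width (32 or 40 bits) to watch the attempt count track 2^(n/2); the full-width 256-bit SHA-256 tag would push the same loop to 2^128, which is the difference truncation makes.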
On Fri, Jan 8, 2016 at 11:00 AM, Michael Sierchio wrote:
> "Since the HMAC is only 96 bits long, even a generic collision requires
> only about 248 HMAC computations"
>
> But a sequence/call-flow diagram is
Are you going to keep posting and posting until you get a response? :(
Master branch, 1.1, is not released but will not be vulnerable (may already be fixed)
1.0.2 is not vulnerable.
1.0.1f and later are not vulnerable.
1.0.0 might be, and is end of life anyway so you should move off that.
0.9.8
On Fri, Jan 8, 2016 at 2:00 PM, Michael Sierchio wrote:
> 2^48. Which is larger than 248, which was a cut-and-paste error. ;-)
Right. The bad guy should *not* be able to compute a MAC to perform
the forgery within TCP's 2MSL bound and TLS timers. However, there's a
keep
What is the problem with truncated 96-bit HMAC value?
From: Jakob Bohm
Sent: Thursday, January 7, 2016 19:25
To: openssl-users@openssl.org
Reply To: openssl-users@openssl.org
Subject: Re: [openssl-users] openSSL
> Does FIPS mode prevent use of MD5: Yes.
> Does FIPS mode prevent insecure uses of SHA-1 (a FIPS
> algorithm): No.
> Does FIPS mode prevent the SSL/TLS handshake from using 96 bit
> truncated HMAC values: Probably not.
> Does FIPS mode prevent use of the insecurely designed
> 'tls-unique'
Hello again OpenSSL users,
I'm still trying to find out if the 1.0.2 and 1.0.0 branches are affected,
and if so which versions and if there are versions with fixes available.
Based on the changelog for the 1.0.2 branch
(http://openssl.org/news/cl102.txt), version 1.0.1f which contains the fix
On 07/01/2016 23:06, jonetsu wrote:
> Does this mean that running 1.01e in FIPS mode is protected regarding this
> SLOTH attack ?
Does FIPS mode prevent use of MD5: Yes.
Does FIPS mode prevent insecure uses of SHA-1 (a FIPS
algorithm): No.
Does FIPS mode prevent the SSL/TLS handshake from using
Does this mean that running 1.01e in FIPS mode is protected regarding this
SLOTH attack ?
--
View this message in context:
http://openssl.6102.n7.nabble.com/openSSL-and-SLOTH-attack-tp62055p62074.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
Hello users,
Is there any fixes available from openSSL community for the SLOTH attack -
http://www.mitls.org/pages/attacks/SLOTH
or what are the possible mitigation points?
Thanks
Sandeep
Michael Wojcik writes:
>
> As described on that web page, use OpenSSL 1.0.1f or later. That prevents the currently-practical SLOTH
> attack against RSA-MD5 client authentication.
>
> If you're using an OpenSSL release earlier than 1.0.1f, SLOTH is probably not your biggest
On 07/01/2016 16:46, Michael Wojcik wrote:
As described on that web page, use OpenSSL 1.0.1f or later. That prevents the
currently-practical SLOTH attack against RSA-MD5 client authentication.
If you're using an OpenSSL release earlier than 1.0.1f, SLOTH is probably not
your biggest problem.
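The advice in this thread is version-based: 1.0.1f or later stops the practical RSA-MD5 client-authentication attack. A complementary check, added here as an example and not taken from the thread or from OpenSSL, is to look at what a peer actually offers: a Python parser for the TLS 1.2 signature_algorithms extension (RFC 5246 section 7.4.1.4.1, extension type 13) that flags MD5 and SHA-1 entries. The same (hash, signature) vector encoding is used for supported_signature_algorithms in the server's CertificateRequest, so parse_sigalgs() also audits the server side of client authentication. The extension bytes below are constructed fixtures, not captures, and the "missing extension" handling follows RFC 5246's stated defaults (sha1 paired with the key-exchange signature type).

```python
"""Audit a TLS 1.2 signature_algorithms offer for MD5/SHA-1 entries.

Added example for this thread; not OpenSSL code. Layout per RFC 5246 7.4.1.4.1:
uint16 length, then (HashAlgorithm, SignatureAlgorithm) byte pairs.
"""
import struct
from typing import Optional

SIGNATURE_ALGORITHMS_EXT = 13          # extension type, RFC 5246
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
# RFC 5246: a client that omits the extension is treated as offering sha1 with the
# key exchange's signature type; list all three so the audit stays conservative.
IMPLICIT_DEFAULT = [("sha1", "rsa"), ("sha1", "dsa"), ("sha1", "ecdsa")]
WEAK_HASHES = ("md5", "sha1")


def parse_sigalgs(data: bytes) -> list:
    """Decode a supported_signature_algorithms vector into (hash, sig) name pairs."""
    if len(data) < 2:
        raise ValueError("truncated supported_signature_algorithms vector")
    (n,) = struct.unpack("!H", data[:2])
    if n % 2 or 2 + n != len(data):
        raise ValueError("supported_signature_algorithms length mismatch")
    pairs = []
    for i in range(2, 2 + n, 2):
        h, s = data[i], data[i + 1]
        pairs.append((HASH_NAMES.get(h, "hash(%d)" % h), SIG_NAMES.get(s, "sig(%d)" % s)))
    return pairs


def find_extension(extensions: bytes, ext_type: int) -> Optional[bytes]:
    """Walk a ClientHello/ServerHello extensions block and return one extension's data."""
    if len(extensions) < 2:
        raise ValueError("truncated extensions block")
    (total,) = struct.unpack("!H", extensions[:2])
    end = 2 + total
    if end != len(extensions):
        raise ValueError("extensions block length mismatch")
    pos = 2
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", extensions[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("extension overruns block")
        if etype == ext_type:
            return extensions[pos:pos + elen]
        pos += elen
    return None


def audit_offer(extensions: bytes) -> dict:
    """Report the offered (hash, sig) pairs and the subset built on MD5 or SHA-1."""
    data = find_extension(extensions, SIGNATURE_ALGORITHMS_EXT)
    if data is None:
        offered, implicit = list(IMPLICIT_DEFAULT), True
    else:
        offered, implicit = parse_sigalgs(data), False
    weak = [p for p in offered if p[0] in WEAK_HASHES]
    return {"offered": offered, "weak": weak, "implicit_default": implicit}


def build_extensions(sigalgs: list) -> bytes:
    """Build an extensions block carrying only signature_algorithms (fixture helper)."""
    body = struct.pack("!H", 2 * len(sigalgs)) + b"".join(bytes(p) for p in sigalgs)
    ext = struct.pack("!HH", SIGNATURE_ALGORITHMS_EXT, len(body)) + body
    return struct.pack("!H", len(ext)) + ext


# Constructed offers (not captures): a legacy client that still lists rsa/md5 and
# sha1 pairs, and a hardened one that lists only SHA-2 hashes.
LEGACY_OFFER = build_extensions([(4, 1), (5, 1), (6, 1), (2, 1), (1, 1), (4, 3), (2, 3)])
HARDENED_OFFER = build_extensions([(4, 1), (5, 1), (6, 1), (4, 3)])

if __name__ == "__main__":
    for name, offer in (("legacy", LEGACY_OFFER), ("hardened", HARDENED_OFFER)):
        report = audit_offer(offer)
        print(name, "weak:", report["weak"] or "none")
```

Feed find_extension() the extensions block of a captured ClientHello (the bytes after the compression_methods vector) to audit a real client; an offer that still lists (md5, rsa) is the one the thread's 1.0.1f advice exists to stop, and a missing extension is not "safe" since RFC 5246 then defaults to sha1.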