Re: [openssl-users] openSSL and SLOTH attack

2016-01-11 Thread Jeffrey Walton
> So here are the things mentioned in the paper:
> 1) Some things that were believed to require preimage resistance
> need collision resistance. This by itself reduces security bits
> of the hashes by a factor 2. Assuming MD5 and SHA1 didn't have
> any problem with collision resistance

Re: [openssl-users] openSSL and SLOTH attack

2016-01-11 Thread Kurt Roeckx
On Mon, Jan 11, 2016 at 09:38:05PM +0100, Jakob Bohm wrote:
> On 08/01/2016 18:43, Salz, Rich wrote:
> > Are you going to keep posting and posting until you get a response? :(
> >
> > Master branch, 1.1, is not released but will not be vulnerable (may already
> > be fixed)
> > 1.0.2 is not

Re: [openssl-users] openSSL and SLOTH attack

2016-01-11 Thread Jakob Bohm
On 08/01/2016 18:43, Salz, Rich wrote:
> Are you going to keep posting and posting until you get a response? :(
> Master branch, 1.1, is not released but will not be vulnerable (may already been fixed)
> 1.0.2 is not vulnerable.
> 1.0.1f and later are not vulnerable.
> 1.0.0 might be, and is end of life

Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread Michael Sierchio
"Since the HMAC is only 96 bits long, even a generic collision requires only about 248 HMAC computations"

But a sequence/call-flow diagram is on the page Sandeep referenced: http://www.mitls.org/pages/attacks/SLOTH

- M

Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread Michael Sierchio
2^48. Which is larger than 248, which was a cut-and-paste error. ;-)

On Fri, Jan 8, 2016 at 11:00 AM, Michael Sierchio wrote:
> "Since the HMAC is only 96 bits long, even a generic collision requires
> only about 248 HMAC computations"
>
> But a sequence/call-flow diagram is

Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread Salz, Rich
Are you going to keep posting and posting until you get a response? :(

Master branch, 1.1, is not released but will not be vulnerable (may already be fixed)
1.0.2 is not vulnerable.
1.0.1f and later are not vulnerable.
1.0.0 might be, and is end of life anyway so you should move off that.
0.9.8

Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread Jeffrey Walton
On Fri, Jan 8, 2016 at 2:00 PM, Michael Sierchio wrote:
> 2^48. Which is larger than 248, which was a cut-and-paste error. ;-)

Right. The bad guy should *not* be able to compute a MAC to perform the forgery within TCP's 2MSL bound and TLS timers. However, there's a keep

Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread Blumenthal, Uri - 0553 - MITLL
What is the problem with truncated 96-bit HMAC value?

From: Jakob Bohm
Sent: Thursday, January 7, 2016 19:25
To: openssl-users@openssl.org
Reply To: openssl-users@openssl.org
Subject: Re: [openssl-users] openSSL

Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread jonetsu
> Does FIPS mode prevent use of MD5: Yes.
> Does FIPS mode prevent insecure uses of SHA-1 (a FIPS
> algorithm): No.
> Does FIPS mode prevent the SSL/TLS handshake from using 96 bit
> truncated HMAC values: Probably not.
> Does FIPS mode prevent use of the insecurely designed
> 'tls-unique'

Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread Miriam Celi
Hello again OpenSSL users,

I'm still trying to find out if the 1.0.2 and 1.0.0 branches are affected, and if so which versions and if there are versions with fixes available. Based on the changelog for the 1.0.2 branch (http://openssl.org/news/cl102.txt), version 1.0.1f which contains the fix

Re: [openssl-users] openSSL and SLOTH attack

2016-01-07 Thread Jakob Bohm
On 07/01/2016 23:06, jonetsu wrote:
> Does this mean that running 1.01e in FIPS mode is protected regarding this SLOTH attack ?

Does FIPS mode prevent use of MD5: Yes.
Does FIPS mode prevent insecure uses of SHA-1 (a FIPS algorithm): No.
Does FIPS mode prevent the SSL/TLS handshake from using

Re: [openssl-users] openSSL and SLOTH attack

2016-01-07 Thread jonetsu
Does this mean that running 1.01e in FIPS mode is protected regarding this SLOTH attack ?

[openssl-users] openSSL and SLOTH attack

2016-01-07 Thread Sandeep Umesh
Hello users,

Is there any fixes available from openSSL community for the SLOTH attack - http://www.mitls.org/pages/attacks/SLOTH or what are the possible mitigation points?

Thanks
Sandeep

Re: [openssl-users] openSSL and SLOTH attack

2016-01-07 Thread Miriam Celi
Michael Wojcik writes:
> As described on that web page, use OpenSSL 1.0.1f or later. That prevents the currently-practical SLOTH
> attack against RSA-MD5 client authentication.
>
> If you're using an OpenSSL release earlier than 1.0.1f, SLOTH is probably not your biggest

Re: [openssl-users] openSSL and SLOTH attack

2016-01-07 Thread Jakob Bohm
On 07/01/2016 16:46, Michael Wojcik wrote:
> As described on that web page, use OpenSSL 1.0.1f or later. That prevents the currently-practical SLOTH attack against RSA-MD5 client authentication.
>
> If you're using an OpenSSL release earlier than 1.0.1f, SLOTH is probably not your biggest problem.