You're right.
PRF in TLS1.0 is done by splitting the secret in 2 parts, hashing the
first with MD5, hashing the second with SHA1, and XORing the 2 results.
RSA signing in TLS1.0 is done by hashing the data with MD5 and SHA1,
concatenating the 2 hash results, and signing the 36 bytes result (with
PKCS#1v1.5 padding).
PRF construct depends on pre-image resistance. MD5 and SHA1 are still
considered pre-image resistant.
RSA signing depends on collision resistance. MD5 is not collision
resistant, SHA1 is not considered academically collision resistant, but
there's no known attack on collision of both MD5 and SHA1 at the same time.
--
Erwann ABALEA
Le 23/04/2013 14:28, David Jacobson a écrit :
Careful about this. The technically correct answer is misleading.
Yes, MD5 is used in the PRF, but it is XORed with SHA1. So you get at
least the strength of stronger of the two.
--David Jacobson
On 4/23/13 3:31 AM, Erwann Abalea wrote:
MD5 is used in TLS1.0 for RSA signing and random derivation (PRF).
See RFC2246.
(Please note that OpenSSL hasn't been mentioned in this sentence).
SHA256 used for the PRF is available with TLS1.2 only. SHA256 used
for the HMAC is available for some ciphersuites defined for TLS1.2
only (but I think you could define your own with TLS1.0).
--
Erwann ABALEA
Le 23/04/2013 08:29, Venkataragavan Narayanaswamy a écrit :
Hi,
We are currently analyzing and understanding the security strength
of the openSSL internal implementation to certify the products.
In version 0.9.8d, TLSv1.0 alone is supported. Can you please answer
the following or provide me with the documentation reference
1.Does openSSL library use MD5 internally for any operation?
2.Can we have SHA256 in the ciphersuite with TLSv1.0?
Thanks,
Venkat
