Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"
Hubert Kario wrote: >> >> Thanks to Peter Gutmann for the summary: >> >> https://mailarchive.ietf.org/arch/msg/tls/g0MDCdZcHsvZefv4V8fssXMeEHs >> >> which you may have missed. > > yes, Joux paper also shows that attacking MD5||SHA1 is harder than attacking > SHA1 alone > > but that doesn't matter, what matters is _how much harder it is_ and Joux > paper says that it's less than a work factor of two, something also knows > as a "rounding error" for cryptographic attacks collision attacks and real-time 2nd preimage attacks on randomly keyed hashes are substantially different things. simple math seems hard. TLSv1.0 + TLSv1.1 both use (rsa, MD5||SHA1) TLSv1.2 (rfc5246) permitted (rsa, MD5) and allows (rsa,SHA1) if we assumed that there *existed* (it currently doesn't, mind you) a successful preimage attack on MD5 with effort 2^20 a successful preimage attack on SHA1 with effort 2^56 then if Joux would apply not just to multicollisons, but also 2nd preimage, then the efforts would be: TLSv1.2 (rsa,MD5) 2^20 TLSv1.2 (rsa,SHA1) 2^56 TLSv1.0 (rsa, MD5||SHA1) >= 2^57 (slightly more than the stronger of the two) Comparing TLSv1.0 (rsa,MD5||SHA1) 2^57 with TLSv1.2 (rsa,MD5) 2^20 A factor 2^37 is significantly more than "marginally stronger". If you are aware of successfull 2nd preimage attacks on either MD5 or SHA1, please provide references. -Martin ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"
On Tuesday, 7 May 2019 01:57:30 CEST Martin Rex wrote: > Hubert Kario wrote: > > On Friday, 3 May 2019 16:56:54 CEST Martin Rex wrote: > >> Hubert Kario wrote: > >> > We've been over this Martin, the theoretical research shows that for > >> > Merkle- Damgård functions, combining them doesn't increase their > >> > security > >> > significantly. > >> > >> You are completely misunderstanding the results. > >> > >> The security is greatly increased! > > > > like I said, that were the follow up papers > > > > the original is still Joux: > > https://www.iacr.org/archive/crypto2004/31520306/multicollisions.pdf > > Thanks to Peter Gutmann for the summary: > > https://mailarchive.ietf.org/arch/msg/tls/g0MDCdZcHsvZefv4V8fssXMeEHs > > which you may have missed. yes, Joux paper also shows that attacking MD5||SHA1 is harder than attacking SHA1 alone but that doesn't matter, what matters is _how much harder it is_ and Joux paper says that it's less than a work factor of two, something also knows as a "rounding error" for cryptographic attacks -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic signature.asc Description: This is a digitally signed message part. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"
David Benjamin writes: >It meant bugs like OpenSSL's get papered over with SHA-1 That affects a whole lot more than just OpenSSL, a bit like ECDSA means P256 so hash means SHA-1. Try switching to SHA-2 (in non-TLS usage) and you'll find all the implementations that simply default to SHA-1, or, worse, skip any algorithm indication that may be present and just assume the other side will do SHA-1. Which so far has worked well enough that no-one's noticed that other options don't. Peter. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls