Kurt Roeckx <k...@roeckx.be> writes:

>After the SLOTH paper, we should think about starting to deprecate TLS 1.0
>and TLS 1.1 and the SHA1 based signature algorithms in TLS 1.2.

The vulnerabilities shown in the SLOTH paper were based on the fact that
implementations still allow MD5 for authentication/integrity protection, even
if (for example) it's explicitly disabled in the config. So the problem wasn't
a fault in the protocol; it's buggy implementations (as it was for ones that
allowed 512-bit keys, non-prime primes, and so on). Throwing out TLS 1.1 based
on this seems rather premature.

>As I understand it, they estimate that both TLS 1.2 with SHA1 and TLS 1.0 and
>1.1 with MD5|SHA1 currently require about 2^77 to be broken. They all depend
>on the chosen prefix collision on SHA1, with the MD5 part in TLS 1.0 and 1.1
>not adding much.

That's presumably based on Joux' multicollisions paper, which also says that
"We also discuss the potential impact of our attack on several published
schemes. Quite surprisingly, for subtle reasons, the schemes we study happen
to be immune to our attack". More pragmatically, no-one has ever demonstrated
any problem with the MD5 || SHA1 construct used in TLS, despite there being
obvious problems in MD5 and SHA1 by themselves.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
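An added illustration of the two constructs the thread contrasts (not code from the original post or from any TLS implementation): the fixed MD5 || SHA1 signature input of TLS 1.0/1.1 beside the negotiated single hash of TLS 1.2, where the negotiation is filtered by a local policy so that an offered MD5 or SHA-1 is not silently accepted. The policy set, the sample extension bytes and the function names are assumptions made for this example.

```python
import hashlib
import struct

# HashAlgorithm / SignatureAlgorithm code points from RFC 5246, section 7.4.1.4.1.
HASH_NAMES = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_RSA = 1
# Local policy (assumed for this example): only SHA-2 hashes for TLS 1.2 signatures.
POLICY_HASHES = frozenset({"sha256", "sha384", "sha512"})


def choose_rsa_hash(sig_algs_ext, allowed=POLICY_HASHES):
    """Parse a signature_algorithms extension body and return the first
    peer-offered (hash, rsa) pair that local policy permits.

    Body layout: 2-byte length, then (hash, signature) byte pairs.  Whatever
    the peer lists, a hash is usable only if `allowed` says so; honouring an
    offered-but-disabled MD5 here is the implementation bug SLOTH relied on.
    """
    (length,) = struct.unpack("!H", sig_algs_ext[:2])
    pairs = sig_algs_ext[2:2 + length]
    if len(pairs) != length or length % 2:
        raise ValueError("malformed signature_algorithms extension")
    for hash_id, sig_id in zip(pairs[0::2], pairs[1::2]):
        name = HASH_NAMES.get(hash_id)
        if sig_id == SIG_RSA and name in allowed:
            return name
    raise ValueError("no mutually acceptable RSA hash algorithm")


def server_params_digest(version, client_random, server_random, params,
                         hash_name=None, allowed=POLICY_HASHES):
    """Return the bytes an RSA ServerKeyExchange signature is computed over.

    version is (major, minor): (3, 1) TLS 1.0, (3, 2) TLS 1.1, (3, 3) TLS 1.2.
    TLS 1.0/1.1 fix the signed value to MD5(data) || SHA1(data), 36 bytes,
    signed raw with PKCS#1 v1.5 (RFC 4346, 7.4.3): the MD5 || SHA1 construct
    discussed in the thread.  TLS 1.2 signs the single negotiated hash
    (RFC 5246, 7.4.3), so the policy check is repeated here rather than
    trusting that hash_name came from choose_rsa_hash.
    """
    data = client_random + server_random + params
    if version in ((3, 1), (3, 2)):
        return hashlib.md5(data).digest() + hashlib.sha1(data).digest()
    if version == (3, 3):
        if hash_name not in allowed:
            raise ValueError(f"{hash_name!r} not permitted for TLS 1.2 signatures")
        return hashlib.new(hash_name, data).digest()
    raise ValueError(f"unsupported protocol version {version}")
```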