On Tuesday, 10 July 2018 18:38:22 CEST Peter Gutmann wrote:
> David Benjamin <david...@chromium.org> writes:
>
> >EMS does not fix the ServerKeyExchange signature payload. It's still just
> >the randoms and not the full transcript.
>
> Maybe we're talking about different things here, EMS hashes the full
> transcript, for 1.0 and 1.1 with the dual SHA-1 and MD5 hash, for 1.2 with
> whatever's negotiated, hopefully SHA-2 (even if SHA-1 is used, you've now
> got two hashes you need to defeat simultaneously, not one).
Defeating two hashes, when both use the Merkle-Damgård construction, is not much
harder than breaking just one of them (the increase in work factor is less than 2).
Read the SLOTH paper for details and references.

> So while the
> ServerKeyExchange signature may not detect an attacker able to compromise
> SHA-1 in real time (and that statement alone should tell you how feasible
> the attack actually is)

Yes, _now_. Not for the "foreseeable future", and not after quantum computers come
into play.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
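The distinction the thread is arguing about, as an added example that is not part of the original e-mail exchange: the bytes the server signs in a TLS 1.2 DHE ServerKeyExchange (RFC 5246 section 7.4.3: client_random || server_random || ServerDHParams) versus the Extended Master Secret session_hash (RFC 7627 section 4: the hash of every handshake message from ClientHello through ClientKeyExchange, type and length fields included). The code builds a toy transcript, then has a man-in-the-middle rewrite the ClientHello cipher_suites list and checks which of the two values notices. All handshake bodies, the DH values, the empty certificate list, the zero-filled placeholder signature and the SHA-256 PRF choice are constructed assumptions for the example, not anything taken from the thread or from a real implementation.

```python
"""
Added example: ServerKeyExchange signed data vs. RFC 7627 session_hash.
Every message body and DH value below is constructed for illustration only.
"""
import hashlib
import struct


def hs_message(msg_type: int, body: bytes) -> bytes:
    """TLS Handshake framing: msg_type(1) || length(3) || body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def vec16(data: bytes) -> bytes:
    """Opaque vector with a 16-bit length prefix (dh_p<1..2^16-1>, etc.)."""
    return struct.pack("!H", len(data)) + data


# Constructed 32-byte randoms and toy DH values (far too small for real use).
CLIENT_RANDOM = bytes(range(0x00, 0x20))
SERVER_RANDOM = bytes(range(0x20, 0x40))
DH_P = (2**127 - 1).to_bytes(16, "big")
DH_G = b"\x02"
DH_YS = (12345678901234567890).to_bytes(16, "big")
DH_YC = (98765432109876543210).to_bytes(16, "big")


def client_hello(cipher_suites: bytes) -> bytes:
    """ClientHello: version || random || session_id || cipher_suites || compression."""
    body = (b"\x03\x03" + CLIENT_RANDOM + b"\x00"
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")
    return hs_message(1, body)


def server_hello(chosen_suite: bytes) -> bytes:
    """ServerHello: version || random || session_id || cipher_suite || compression."""
    return hs_message(2, b"\x03\x03" + SERVER_RANDOM + b"\x00" + chosen_suite + b"\x00")


def server_dh_params() -> bytes:
    """ServerDHParams: dh_p || dh_g || dh_Ys, each 16-bit length prefixed."""
    return vec16(DH_P) + vec16(DH_G) + vec16(DH_YS)


def ske_signed_data(ch: bytes, sh: bytes, params: bytes) -> bytes:
    """What the ServerKeyExchange signature actually covers (RFC 5246 7.4.3).
    The randoms sit after the 4-byte handshake header and 2-byte version."""
    return ch[6:38] + sh[6:38] + params


def server_key_exchange(signature: bytes) -> bytes:
    """params || SignatureAndHashAlgorithm(sha256, rsa) || signature<0..2^16-1>."""
    return hs_message(12, server_dh_params() + b"\x04\x01" + vec16(signature))


def transcript(cipher_suites: bytes, chosen_suite: bytes) -> bytes:
    """handshake_messages from ClientHello through ClientKeyExchange."""
    placeholder_sig = b"\x00" * 256      # constructed; real value is irrelevant here
    return (client_hello(cipher_suites)
            + server_hello(chosen_suite)
            + hs_message(11, b"\x00\x00\x00")   # Certificate with empty list
            + server_key_exchange(placeholder_sig)
            + hs_message(14, b"")               # ServerHelloDone
            + hs_message(16, vec16(DH_YC)))     # ClientKeyExchange


def session_hash_tls12(handshake_messages: bytes) -> bytes:
    """RFC 7627 session_hash for TLS 1.2 with a SHA-256 PRF (assumed)."""
    return hashlib.sha256(handshake_messages).digest()


def session_hash_tls11(handshake_messages: bytes) -> bytes:
    """RFC 7627 session_hash for TLS 1.0/1.1: MD5(msgs) || SHA-1(msgs)."""
    return (hashlib.md5(handshake_messages).digest()
            + hashlib.sha1(handshake_messages).digest())


def downgrade_detection() -> dict:
    """An attacker strips cipher suites from the ClientHello on the wire.
    Report which value would expose the rewrite."""
    offered = b"\xc0\x2f\x00\x33\x00\x2f"   # constructed list: ECDHE, DHE, RSA
    filtered = b"\x00\x33"                  # attacker leaves only DHE-RSA-AES128-SHA
    chosen = b"\x00\x33"
    sh, params = server_hello(chosen), server_dh_params()
    signed_orig = ske_signed_data(client_hello(offered), sh, params)
    signed_mitm = ske_signed_data(client_hello(filtered), sh, params)
    t_orig, t_mitm = transcript(offered, chosen), transcript(filtered, chosen)
    return {
        "ske_signed_data_differs": signed_orig != signed_mitm,
        "session_hash_tls12_differs": session_hash_tls12(t_orig) != session_hash_tls12(t_mitm),
        "session_hash_tls11_differs": session_hash_tls11(t_orig) != session_hash_tls11(t_mitm),
    }


if __name__ == "__main__":
    for name, differs in downgrade_detection().items():
        print(f"{name}: {differs}")
```

The signed data is identical before and after the rewrite because it contains only the two randoms and the DH parameters, which the attacker left alone; both session_hash variants change, which is what lets EMS bind the master secret to the transcript the peers actually exchanged. The `session_hash_tls11` branch is the MD5 || SHA-1 concatenation the thread refers to; the code only shows how it is formed, it says nothing about how much harder it is to attack than either hash alone.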