Re: [TLS] Intdir last call review of draft-ietf-tls-md5-sha1-deprecate-04

Ted Lemon <> Sun, 01 November 2020 21:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AF95A3A097C for <>; Sun, 1 Nov 2020 13:53:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vOHlt5y79vvK for <>; Sun, 1 Nov 2020 13:53:45 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B12773A0983 for <>; Sun, 1 Nov 2020 13:53:45 -0800 (PST)
Received: by with SMTP id z6so10018241qkz.4 for <>; Sun, 01 Nov 2020 13:53:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=ISk9KTcm6/gengRlF1KwFyjVyAi6oUB6TGo9fa5AfUM=; b=gXM9dlZ5tAP1WmRQy4j6P8G4hKKdNKXdq5ckIe5hrBtq4OK/r/dZI5VobqavOlBnbG 1OEkiduxY8v3t2wNmo9PH5I046fujWoZqKlhI9lmqDxCDwesJd0SpR1vI+KBzkk4LiOC 6zrpkKQV9wa9TDAnKdQEsK9wdz+cJS7ZLqmyD5sIbcOqucQz46VCRXbozFdf411KaPgv CeB6cFOO8IeGs1JkofIF7JJAxKE8ENTC43s+8AKQJQ4CGhDx3MdUlUyJajsEQxqdMy4e uDRoPQ/EARKOMw+OYIsAA92KqiQodSO0sCqFVAAwQ2p1U/e3G2oSdHfJCak+ADd5Jg2U FzNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=ISk9KTcm6/gengRlF1KwFyjVyAi6oUB6TGo9fa5AfUM=; b=LKgtCFYSnblAd51PcFf4wldE/KjeSZqfzYaic4gUVfChHZkzza4hrB5Z8n72cT1zFI mnjtQo/o3AasWdW5Mm+kyN9y4bppNui2rp7ATvcoiZRU7DwuS6NA5nwBBwam5Bd9rTvW CvlQoRz0/B4tYg1g2yzMdqGH1eY08rOvR5V8BuUyaBkzBK2RAjT1cqyqcXNdAujBWhgZ 1TMaQS/rKJd6IZWUyX6CRiuq+eAzx4Nv1U7IbEPJGOxuVrwrgYKuTRoCg3FPfQ3qolsf gHO9pxR/t0Ndvhmt9/qnz8N7I1vAfBnTwA1GH9LOgelmK70PkWg7abiq/Cc4Dt48Yala jD4A==
X-Gm-Message-State: AOAM532gTFZGfA34UZSC2idrINurhZRus4EQ0y7VWYhfPse12KE9dIYu JrEpEdTqDkxxLRWX6OlzO+qunwQ3hBOOLQ==
X-Google-Smtp-Source: ABdhPJz0SZ9co57cb2Vvg2oVdcBJCLNrdR8H00bVzdsn/iLaF7ukFHwl6a6NheMdoyQ+spVkuWrr7g==
X-Received: by 2002:a37:6fc5:: with SMTP id k188mr12412992qkc.317.1604267624169; Sun, 01 Nov 2020 13:53:44 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id o187sm6646293qkb.120.2020. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 01 Nov 2020 13:53:43 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Ted Lemon <>
Mime-Version: 1.0 (1.0)
Date: Sun, 01 Nov 2020 16:53:41 -0500
Message-Id: <>
References: <>
In-Reply-To: <>
To: Benjamin Kaduk <>
X-Mailer: iPhone Mail (18B84)
Archived-At: <>
Subject: Re: [TLS] Intdir last call review of draft-ietf-tls-md5-sha1-deprecate-04
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 01 Nov 2020 21:53:48 -0000

FWIW my nit was simply that algorithms aren’t getting weaker: attacks are getting stronger. Sorry if I worded the suggested text badly. 

> On Nov 1, 2020, at 13:09, Benjamin Kaduk <> wrote:
> Hi Ted,
> Thanks for the review, especially for thinking about the point that Éric
> requested.
> I don't really agree with your nit, though, as there have been improved
> crypanalysis and correspondingly improved cryptographic attacks on both
> algorithms over time (SHA1 more recently than MD5).  Increased
> computational power to take advantage of those cryptographic weaknesses is
> certainly a factor in moving to deprecate the vulnerable algorithms, but it
> is not the only factor.
> -Ben
>> On Wed, Oct 28, 2020 at 08:56:13AM -0700, Ted Lemon via Datatracker wrote:
>> Reviewer: Ted Lemon
>> Review result: Ready with Nits
>> This document is ready for publication, with one minor nit, which is included
>> at the end.
>> Éric additionally made the following request:
>>  As those hash algorithms were 'cheap' for TLS, I would appreciate a review of
>>  the impact if those algorithms are deprecated in TLS 1.2.
>> I am not in a position to do any practical tests, but I will point out several
>> things. First, deprecating MD5 is not going to cause a performance problem
>> because it's slower than SHA1, so we really only need to worry about whether
>> deprecating SHA1 will cause a problem. This document only deprecates SHA1 for
>> use in digital signatures. It "does not deprecate SHA-1 in HMAC for record
>> protection." Given the way TLS uses digital signatures, this should not be a
>> serious concern. At worst case, SHA256 is about 24% slower than SHA1. Best case
>> (shorter text) it is less than 16% slower. It's reasonable to expect that in
>> common use in TLS, the texts being digested will be shorter, not longer.
>> Further, the bulk of the computational burden of TLS is not in the generation
>> of digests for digital signatures. Therefore it seems reasonable to expect that
>> the performance impact of this change is vastly overshadowed by one of the very
>> factors that motivates it: the increased speed of hash computation over time. 
>> Even assuming constant speed legacy hardware, the performance impact is not
>> sufficient to cause concern when considering it as part of the total system
>> that would be using TLS 1.2.
>> Nit:
>> In the abstract:
>>   The MD5 and SHA-1 hashing algorithms are steadily weakening in
>>   strength and their deprecation process should begin for their use in
>>   TLS 1.2 digital signatures.
>> Technically, the strength of these algorithms hasn't changed. What's changed is
>> that their strength is no longer sufficient to prevent realistic attacks. So it
>> might be better to say something like "The vulnerability of MD5 and SHA-1
>> algorithms to practical attacks is steadly increasing and ..."