Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 12 January 2016 14:14 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, "mrex@sap.com" <mrex@sap.com>
Date: Tue, 12 Jan 2016 14:14:18 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4BC6877@uxcn10-5.UoA.auckland.ac.nz>
References: <20160112132431.237AA1A3E4@ld9781.wdf.sap.corp>, <C735F785-F38B-4620-B78F-5D5C57FAA36D@gmail.com>
In-Reply-To: <C735F785-F38B-4620-B78F-5D5C57FAA36D@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/RDM4tuZoDM_8JxRxYZOn8Jvpusw>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> writes:

>Coming back to digital signatures, all uses of weak hash functions are
>essentially broken.

Not necessarily.  Use of weak hash functions where the attacker has time to do
offline precomputations/calculations is essentially broken.  I'm not saying
"keep on using MD5", but unless your attacker can find collisions in real time
you're still OK while you take time to switch to SHA-2 or whatever.

Peter.
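A constructed illustration of the distinction drawn in the message above (a collision precomputed offline versus one that would have to be found in real time), added here as an editorial example; it is not code from the thread or from any of its participants. It uses SHA-256 truncated to 32 bits as a stand-in for a collision-weak hash, a keyed MAC as a stand-in for the public-key signature primitive (so that the hash is the only thing under attack, as with RSA-MD5 or RSA-SHA1), and a constructed pair of "benign"/"malicious" documents; all function and variable names (weak_hash, sign, find_collision, demo, the budget parameters) are the example's own. The attacker first finds a colliding pair at leisure and gets the benign document signed, which transfers the signature to the malicious one. Once the signer mixes a fresh, unpredictable value into what is hashed (the role the random certificate serial numbers adopted after the 2008 MD5 rogue-CA collision play), the precomputed pair stops colliding and the attacker has to repeat the search after that value is known, inside whatever time window the protocol allows.

```python
"""Editorial example (not from the thread): why a collision-weak hash is
fatal when the attacker can precompute, but survives a while when the
collision would have to be found in real time."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Deliberately weak hash: SHA-256 truncated to 32 bits. A cross-collision
# between two documents costs ~2^16 evaluations on each side, which plays
# the role of "cheap offline, but not free" that MD5 had in practice.
HASH_BYTES = 4

# Constructed signer key; the MAC below stands in for RSA/ECDSA so that the
# hash is the only thing being attacked, as with RSA-MD5 / RSA-SHA1.
SIGNER_KEY = b"constructed signer key for the example only"


def weak_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:HASH_BYTES]


def sign(message: bytes, nonce: bytes = b"") -> bytes:
    """Toy signature over weak_hash(nonce || message)."""
    return hmac.new(SIGNER_KEY, weak_hash(nonce + message), "sha256").digest()


def verify(message: bytes, signature: bytes, nonce: bytes = b"") -> bool:
    return hmac.compare_digest(sign(message, nonce), signature)


def find_collision(benign: bytes, malicious: bytes, nonce: bytes = b"",
                   table_size: int = 1 << 16, max_tries: int = 1 << 20,
                   ) -> Optional[Tuple[bytes, bytes]]:
    """Birthday search for a benign/malicious pair with equal weak_hash.

    Builds a table of table_size benign variants, then streams malicious
    variants until one lands in the table. Expected cross-collisions are
    about table_size * max_tries / 2^32: the defaults give 2^36 / 2^32 = 16
    (the search essentially always succeeds); 32 * 32 gives 2^-22 (it
    essentially never does). Returns (benign_variant, malicious_variant).
    """
    table = {}
    for i in range(table_size):
        doc = benign + b" [variant %d]" % i
        table[weak_hash(nonce + doc)] = doc
    for j in range(max_tries):
        doc = malicious + b" [variant %d]" % j
        hit = table.get(weak_hash(nonce + doc))
        if hit is not None:
            return hit, doc
    return None


def demo() -> dict:
    """Runs the three scenarios and returns their outcomes."""
    # Constructed documents: the attacker wants the signer's blessing on the
    # second one while only ever presenting the first.
    benign = b"request: CN=attacker.example, CA=FALSE"
    malicious = b"request: CN=attacker.example, CA=TRUE"
    out = {}

    # 1. No nonce: the attacker precomputes the collision offline, at leisure,
    #    then gets the benign variant signed. The signature transfers.
    pair = find_collision(benign, malicious)
    if pair is None:
        raise RuntimeError("offline search failed (probability ~e^-16)")
    good, bad = pair
    sig = sign(good)
    out["offline_forgery_verifies"] = verify(bad, sig)

    # 2. The signer mixes a fresh nonce into the hashed data at signing time.
    #    The precomputed pair no longer collides under that nonce.
    nonce = os.urandom(16)
    sig = sign(good, nonce)
    out["precomputed_pair_survives_nonce"] = verify(bad, sig, nonce)

    # 3. The attacker must now search again after learning the nonce, within
    #    the protocol's time window (modelled as 32 x 32 hash evaluations).
    out["online_collision_found"] = find_collision(
        benign, malicious, nonce, table_size=32, max_tries=32) is not None
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The budgets are the example's own knobs: table_size * max_tries is the attacker's total work, and the online budget of 32 x 32 models a handshake or signing window that closes long before a 2^16-per-side search could finish. The nonce buys time, not safety: an attacker who can afford the full search between seeing the nonce and the signature being checked wins anyway, which is the "find collisions in real time" case the message reserves.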