Re: [TLS] TLS 1.3 draft-07 sneak peek

[Quynh Dang <quynh97@gmail.com>]

The ineffectiveness issue of cascading hashes has been widely known for a
long time ago.

Find block X and block X' which have collided hash for SHA1 which takes
around 2^70 operations or possibly less.

Finding a block N for which X|| N and X' || N have collided hash for MD5
which is expected to have very low complexity (finding collision for MD5).

Therefore, finding collisions for SHA1 and collisions for SHA1 || MD5
require about the same computational complexity.

Quynh.

On Fri, Jul 3, 2015 at 8:38 PM, Dave Garrett <davemgarrett@gmail.com> wrote:

> On Friday, July 03, 2015 08:16:38 pm Martin Rex wrote:
> > All prior protocol versions, including SSLv3, are using RSA signatures
> > with a 278-bit hash (a concatenation of sha1+md5), which is a reasonable
> > and conservative design.  Given that this TLS-specific signature
> > scheme had been used successfully for more than a decade when TLSv1.2
> > was specified, it is difficult to understand why this was deliberately
> > weakened in TLSv1.2, rather than using the straight forward safe
> > solution to define a codepoint for { sha1+md5, rsa } to identify
> > the SSLv3->TLSv1.1 RSA signature transform for use in TLSv1.2
> > rather than newly adding and allowing the well-known weak signature
> > schemes {md5,rsa} and {sha1,rsa} (and de-facto mandating support
> > for the latter).
>
> Yeah, that was a weird choice.
>
> I'm curious; how much more secure can SHA1+MD5 be considered in comparison
> to SHA1? For that matter, how strong is it in comparison to SHA256? Its
> strength would theoretically be stronger than the sum of its parts, though
> I don't know by how much. I'm wondering if there's a study on this topic
> somewhere that someone might be able to point me to.
>
>
> Dave
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>