Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

Watson Ladd <watsonbladd@gmail.com> Tue, 12 January 2016 02:03 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A8241ACD18 for <tls@ietfa.amsl.com>; Mon, 11 Jan 2016 18:03:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PJCssfhdzFcG for <tls@ietfa.amsl.com>; Mon, 11 Jan 2016 18:03:49 -0800 (PST)
Received: from mail-yk0-x22f.google.com (mail-yk0-x22f.google.com [IPv6:2607:f8b0:4002:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 067231A1F16 for <tls@ietf.org>; Mon, 11 Jan 2016 18:03:49 -0800 (PST)
Received: by mail-yk0-x22f.google.com with SMTP id v14so359548300ykd.3 for <tls@ietf.org>; Mon, 11 Jan 2016 18:03:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=M3deKsJA8oG7D8xFSZ7Q1tzYT9q/u6yS8HUbVUE1gMw=; b=G2dDVHqw38LFUE/EuVhiqNDkMDCRddZJruEs3/xIKjRhPj8+LfXDt7WEgbw7vK7BaC +rmy0B6Fb3UIqTvpixtN20SGpvDkTi5i6B7YX/4DblX5iTo5oIKKQBAxSwyH03fj9+Jr Ix7X/pmPJEQ85T5TYxud6xo5XBEPgASPe87oTYDYDq1jXISsAUTp3y4M7UMVSjbpkeYF DIPK2V3qflYsbLxyTAl4FTwNZFp9F7H2Fs5EMQGQ6N3G/RA1mes/4xijgZO0dqpYYPxi 90GwOMkvUguResFzvfN5QU/yyBNz2/vQKjzzHVjVOfrRoPuf+/5d9Q5xKpaVHoiCO1ZG O6Ww==
MIME-Version: 1.0
X-Received: by 10.129.123.134 with SMTP id w128mr71731854ywc.345.1452564228254; Mon, 11 Jan 2016 18:03:48 -0800 (PST)
Received: by 10.13.216.150 with HTTP; Mon, 11 Jan 2016 18:03:48 -0800 (PST)
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4BC617B@uxcn10-5.UoA.auckland.ac.nz>
References: <20160111183017.GA12243@roeckx.be> <9A043F3CF02CD34C8E74AC1594475C73F4BC5FC6@uxcn10-5.UoA.auckland.ac.nz> <CACsn0cmSBB3TDA-LCDCusQA9KWDzwAoJWrZ=67FquW968vrkBA@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4BC617B@uxcn10-5.UoA.auckland.ac.nz>
Date: Mon, 11 Jan 2016 18:03:48 -0800
Message-ID: <CACsn0cmm9uzaNj=07Eb++MtCBVvtvTRY3LzMK3RYbEb7sW=DCw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/SXZUCNYl-rh9doSRpwPO3-wlG-I>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jan 2016 02:03:51 -0000

On Mon, Jan 11, 2016 at 6:01 PM, Peter Gutmann
<pgut001@cs.auckland.ac.nz>; wrote:
> Watson Ladd <watsonbladd@gmail.com>; writes:
>
>>Do the RFCs require the relevant checks or not?
>
> No, they just specify the algorithms and bits on the wire (with a side-order
> of MTI stuff for interoperability).  It's up to implementers to not do stupid
> things.
>
>>That's because real cryptographers understand that this is only 64 times
>>better then SHA1, and so don't bother to mention it.
>
> If it's so trivial to compromise then why, of all the many, many papers
> attacking TLS, has no-one every published an attack based on this?  In fact,
> since it's so easy, perhaps you could publish a paper demonstrating it in
> practice?

SHA-1 collisions have not yet been found. Marc Stevens has published
algorithms he claims reduce the complexity of finding these collisions
to feasible amounts, but they have not yet been run. However,
free-start collisions have been found, as have ways to modify
constants in the SHA-1 IV to get collisions.

>
> Peter.



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.