Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"

Peter Gutmann <> Fri, 03 May 2019 16:53 UTC

From: Peter Gutmann <>
To: Hubert Kario <>
Thread-Topic: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"
Date: Fri, 3 May 2019 16:53:44 +0000

Hubert Kario <> writes:

>And the practical research:
>only confirms that.

That would be the practical research that says:

  Due to these constraints, the practical impact of our second preimage attack
  is limited and its main significance is theoretical.

This is obviously some strange use of the word "practical" that I wasn't
previously aware of.

The other one is a bit too vague to comment on:

  would lead to an attack on the combiner MD5 || SHA-1 with complexity less
  than 2^59 (assuming the type 1 collision attack on SHA-1 is fast enough).

"assuming" and "fast enough" could mean anything ("this leads to an attack on
AES-GCM with complexity less than 2^59 assuming the key recovery attack on
AES-128 is fast enough").  However earlier on the paper says:

  Let’s further assume that a breakthrough in cryptanalysis of SHA-1 brings
  down the complexity of a collision search attack to 2^52. We know that the
  best collision search attacks on MD5 are as fast as 2^15

So what's being shown is that the strength is 2^59 assuming some unspecified
but pretty spectacular new attack on SHA-1 suddenly turns up, rather than e.g.
2^(52+15) = 2^67.

Even with the appearance of this imaginary new attack, the security of
MD5||SHA1 is still better than either MD5 or SHA-1 by itself, which is what
TLS 1.2 specifies.  So I think Martin's point is proven.