Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms
Tony Arcieri <bascule@gmail.com> Mon, 11 January 2016 23:14 UTC
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4BC5FC6@uxcn10-5.UoA.auckland.ac.nz>
References: <20160111183017.GA12243@roeckx.be> <9A043F3CF02CD34C8E74AC1594475C73F4BC5FC6@uxcn10-5.UoA.auckland.ac.nz>
From: Tony Arcieri <bascule@gmail.com>
Date: Mon, 11 Jan 2016 15:13:37 -0800
Message-ID: <CAHOTMVK7JQ-UR1j=H3Rio4V-FgSvxgLdU3PDTZhLuA5bOMr+wg@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/qFJTOdmtjZuXkqbzjV-LInWN0k0>
Cc: "tls@ietf.org" <tls@ietf.org>

On Mon, Jan 11, 2016 at 3:09 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> The vulnerabilities shown in the SLOTH paper were based on the fact that
> implementations still allow MD5 for authentication/integrity protection, even
> if (for example) it's explicitly disabled in the config. So the problem
> wasn't a fault in the protocol, it's buggy implementations (as it was for ones
> that allowed 512-bit keys, non-prime primes, and so on). Throwing out TLS 1.1
> based on this seems rather premature.

My understanding is TLS 1.2 specifically was amended to allow MD5 signatures even though this was not the case in previous TLS versions, or at least that was the claim of the miTLS presenters on SLOTH at RealWorldCrypto 2016. If this is the case, this seems like a big regression in TLS 1.2.

--
Tony Arcieri
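
Added example, not part of the original message or of any TLS implementation: the receiver-side check the quoted text is about, rejecting a signed handshake message whose hash/signature pair was not offered or is disabled by policy. The code points are those of the TLS 1.2 signature_algorithms extension (RFC 5246, section 7.4.1.4.1); the function names, the weak-hash policy and the sample extension bytes are assumptions constructed for illustration.

```python
import struct

# Code points from RFC 5246, section 7.4.1.4.1 (TLS 1.2).
HASH = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
        4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
WEAK_HASHES = {"none", "md5", "sha1"}  # assumed local policy

# Constructed sample: extension body offering rsa-sha256, ecdsa-sha256, rsa-sha1.
SAMPLE_EXT = bytes.fromhex("0006" "0401" "0403" "0201")


def parse_signature_algorithms(ext_data):
    """Parse a signature_algorithms extension body into (hash, sig) pairs."""
    if len(ext_data) < 2:
        raise ValueError("truncated extension")
    (length,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if length != len(body) or length == 0 or length % 2:
        raise ValueError("bad supported_signature_algorithms length")
    return [(body[i], body[i + 1]) for i in range(0, length, 2)]


def name(pair):
    h, s = pair
    return "%s-%s" % (SIG.get(s, "sig%d" % s), HASH.get(h, "hash%d" % h))


def weak_offers(offered):
    """Audit helper: offered pairs whose hash the policy considers weak."""
    return [name(p) for p in offered if HASH.get(p[0]) in WEAK_HASHES]


def check_peer_signature(chosen, offered):
    """Accept the pair on a peer's signed message only if it was offered
    and its hash is known and not weak; returns (ok, reason)."""
    if chosen not in offered:
        return False, "%s was not offered" % name(chosen)
    if HASH.get(chosen[0]) is None or HASH[chosen[0]] in WEAK_HASHES:
        return False, "%s is disabled by policy" % name(chosen)
    return True, name(chosen)


if __name__ == "__main__":
    offered = parse_signature_algorithms(SAMPLE_EXT)
    print("weak offers:", weak_offers(offered))
    for pair in [(1, 1), (2, 1), (4, 3)]:
        print(name(pair), check_peer_signature(pair, offered))
```

The policy test runs even for pairs that were offered, so a weak algorithm left in the offer list by mistake is still refused on receipt.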