<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<strong><em>Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH</em></strong> (Karthikeyan Bhargavan and Gaëtan Leurent), In Network and Distributed System Security Symposium (NDSS), 2016.<br>
<br>
<a class="moz-txt-link-freetext" href="https://mitls.org/downloads/transcript-collisions.pdf">https://mitls.org/downloads/transcript-collisions.pdf</a><br>
<a class="moz-txt-link-freetext" href="https://mitls.org/pages/publications">https://mitls.org/pages/publications</a><br>
<br>
Abstract—In response to high-profile attacks that exploit hash
function collisions, software vendors have started to phase out the
use of MD5 and SHA-1 in third-party digital signature applications
such as X.509 certificates. However, weak hash constructions
continue to be used in various cryptographic constructions within
mainstream protocols such as TLS, IKE, and SSH, because
practitioners argue that their use in these protocols relies only on
second preimage resistance, and hence is unaffected by collisions.
This paper systematically investigates and debunks this argument.<br>
<br>
We identify a new class of transcript collision attacks on key
exchange protocols that rely on efficient collision-finding
algorithms on the underlying hash constructions.<br>
<br>
We implement and demonstrate concrete credential forwarding attacks
on TLS 1.2 client authentication, TLS 1.3 server authentication, and
TLS channel bindings. We describe almost-practical impersonation and
downgrade attacks in TLS 1.1, IKEv2 and SSH-2. As far as we know, these are
the first collision-based attacks on the cryptographic constructions
used in these popular protocols.<br>
<br>
Our practical attacks on TLS were responsibly disclosed (under the
name SLOTH) and have resulted in security updates to several TLS
libraries. Our analysis demonstrates the urgent need for disabling
all uses of weak hash functions in mainstream protocols, and our
recommendations have been incorporated in the upcoming Token Binding
and TLS 1.3 protocols.
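<br>
<br>
As an added illustration of the abstract's argument (not code from the paper or the miTLS project): a 24-bit truncated hash stands in for a weak hash such as MD5, and the transcript field names, nonces and the HMAC used in place of the server's signature are constructed assumptions. It shows that a man-in-the-middle who influences one field in each of two sessions needs only a hash collision, not a second preimage, for a signature over one transcript to verify against the other.

```python
"""Toy transcript collision (constructed example, not the paper's code)."""
import hashlib
import hmac
import os

def toy_hash(data: bytes) -> bytes:
    # Stand-in for a weak hash: SHA-256 truncated to 24 bits, so a birthday
    # search needs roughly 2**12 trials instead of a real MD5 collision.
    return hashlib.sha256(data).digest()[:3]

def transcript(client_nonce: bytes, server_field: bytes) -> bytes:
    # Hypothetical handshake transcript: the bytes a signature covers.
    return b"ClientHello:" + client_nonce + b"|ServerHello:" + server_field

def find_transcript_collision(client_nonce: bytes, server_field: bytes):
    """Return two different transcripts with the same toy_hash.

    Session A keeps the honest client's nonce but has an attacker-chosen
    server field; session B keeps the honest server's field but has an
    attacker-chosen client nonce. Neither honest party fixed both inputs,
    so the attacker solves a collision problem, not a second-preimage one.
    """
    seen = {}
    while True:
        ta = transcript(client_nonce, os.urandom(8))
        seen[toy_hash(ta)] = ta
        tb = transcript(os.urandom(8), server_field)
        h = toy_hash(tb)
        if h in seen and seen[h] != tb:
            return seen[h], tb

def sign(key: bytes, t: bytes) -> bytes:
    # Stand-in for a signature over hash(transcript); only the hash matters.
    return hmac.new(key, toy_hash(t), "sha256").digest()

def verify(key: bytes, t: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, t), sig)

def demo() -> bool:
    key = b"server-signing-key"  # constructed
    ta, tb = find_transcript_collision(b"honest-client-nonce",
                                       b"honest-server-field")
    sig = sign(key, tb)  # the honest server signs what it saw in session B
    # The client in session A accepts that signature for a different transcript.
    return ta != tb and verify(key, ta, sig)
```

The defensive conclusion is the paper's: a signature over a handshake transcript needs a collision-resistant hash, so MD5 and SHA-1 should be disabled in signature negotiation rather than kept on the assumption that only second-preimage resistance is required.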
</body>
</html>