MD5 considered harmful today, SHA-1 considered harmful tomorrow

Eric Rescorla ekr at networkresonance.com
Fri Jan 23 12:23:05 EST 2009


At Tue, 20 Jan 2009 17:57:09 +1300,
Peter Gutmann wrote:
> 
> "Steven M. Bellovin" <smb at cs.columbia.edu> writes:
> 
> >So -- who supports TLS 1.2?
> 
> Not a lot, I think.  The problem with 1.2 is that it introduces a pile of
> totally gratuitous incompatible changes to the protocol that require quite a
> bit of effort to implement (TLS 1.1 -> 1.2 is at least as big a step, if not a
> bigger step, than the change from SSL to TLS), complicate an implementation,
> are difficult to test because of the general lack of implementations
> supporting it, and provide no visible benefit.  Why would anyone rush to
> implement this when what we've got now works[0] just fine?

Ordinarily I wouldn't bother to respond to Peter's curmudgeon act, but
since I was obviously heavily involved with TLS 1.2, I think a bit
of context is in order.

Nearly all the changes to TLS between 1.1 and 1.2 were specifically designed
to accommodate new digest algorithms throughout the protocol. For those
of you who aren't TLS experts, TLS had MD5 and SHA-1 wired all throughout
the protocol and we had to arrange to strip them out, plus find a way
to signal that you were willing to support the newer algorithms. To
avoid this becoming a huge pile of hacks, we had to restructure some of
the less orthogonal negotiation mechanisms. The other major (and totally
optional) change was the addition of combined cipher modes like GCM.
That change was made primarily because we were in there and there was
some demand for those modes. So, no, I don't consider these changes
"gratuitous", though of course they are incompatible. Yes, there were
simpler things we could have done, such as just specifying a new set of
fixed digest algorithms to replace MD5 and SHA-1, but I and others felt
that this was unwise from a futureproofing perspective.

Yes, the changes between TLS 1.1 and TLS 1.2 are about as big as those
between SSL and TLS. I'm not particularly happy about that either, but
it's what we felt was necessary to do a principled job.

-Ekr
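The point above about MD5 and SHA-1 being "wired all throughout the protocol" is easiest to see in the PRF that derives the master secret and key block. This is an added example, not code from the list post or from any TLS implementation; the pre-master secret and random values are constructed sample inputs, and the cipher-suite hash name is passed in by hand where TLS 1.2 would take it from the negotiated suite.

```python
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_<hash> expansion shared by RFC 2246/4346 and RFC 5246 section 5:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...
    truncated to the requested length."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls11(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 PRF (RFC 4346 section 5). MD5 and SHA-1 are fixed in the
    construction: the secret is split into two halves (sharing the middle byte
    when its length is odd), one half feeds P_MD5, the other feeds P_SHA1, and
    the two output streams are XORed. Nothing in the handshake can change this."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def prf_tls12(secret: bytes, label: bytes, seed: bytes, length: int,
              hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): a single P_<hash> over the whole
    secret. SHA-256 is the default; a cipher suite may specify a stronger
    hash, which is the hook that lets MD5/SHA-1 be retired without another
    protocol redesign."""
    return p_hash(hash_name, secret, label + seed, length)


def derive_master_secrets():
    """Derive the 48-byte master secret under both PRFs from constructed
    inputs (not a real handshake), returning (tls11_ms, tls12_ms)."""
    pre_master = bytes(range(48))           # constructed pre-master secret
    client_random = b"\x11" * 32            # constructed ClientHello.random
    server_random = b"\x22" * 32            # constructed ServerHello.random
    seed = client_random + server_random
    ms11 = prf_tls11(pre_master, b"master secret", seed, 48)
    ms12 = prf_tls12(pre_master, b"master secret", seed, 48)
    return ms11, ms12
```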

---------------------------------------------------------------------
The Cryptography Mailing List