MD5 considered harmful today, SHA-1 considered harmful tomorrow

Eric Rescorla ekr at networkresonance.com
Sat Jan 24 12:51:34 EST 2009


At Sat, 24 Jan 2009 14:55:15 +1300,
Peter Gutmann wrote:
> >Yes, the changes between TLS 1.1 and TLS 1.2 are about as big as those
> >between SSL and TLS. I'm not particularly happy about that either, but it's
> >what we felt was necessary to do a principled job.
> 
> It may have been a nicely principled job but what actual problem is the switch
> in hash algorithms actually solving?  Making changes of such magnitude to a
> very, very widely-deployed protocol is always a tradeoff between the necessity
> of the change and the pain of doing so.  In TLS 1.2 the pain is proportionate
> to the scale of the existing deployed base (i.e. very large) and the necessity
> of doing so appears to be zero.  I don't know of any attack or threat to the
> existing dual-hash mechanism that TLS 1.2 addresses, and it may even make
> things worse by switching from the redundant dual-hash (a testament to the
> original SSL designers) to a single algorithm.  This is why I called the
> changes "gratuitous", there is no threat that they address - it can even be
> argued (no doubt endlessly) that they make the PRF weaker rather than stronger
> - but they come at considerable cost.

I agree that given the current set of attacks on SHA-1 and MD5,
there was no existing attack on the protocol. However, that doesn't
mean that improvements in analysis wouldn't lead to such attacks
and so the general feeling of the community was to err on the
side of safety. No doubt if we hadn't done so, there would be
people screaming about how TLS still used MD5. Indeed, that's
how this thread started. So, once again, I don't share your
opinions about these changes being gratuitous.

Moreover, the bulk of the changes weren't to the PRF (that's actually
quite a trivial change to implement) but rather to having accurate
signalling about what combinations of hashes and signatures
implementations could support--something that was painfully
non-orthogonal in SSLv3 and earlier versions of TLS. Again,
one could argue that we could have hacked around this, and indeed
the original Bellovin-Rescorla paper described a number of such
hacks, but the general feeling of the TLS WG was that it was
more important to get it right.

> SSL/TLS is (and has been for many years) part of the Internet infrastructure.
> You don't make significant, totally incompatible changes to the infrastructure
> without very carefully weighing the advantages and disadvantages. 

Which we did--including having the very discussion we are having
now--and concluded that the course of action we took was the right
one. You're of course free to weigh the evidence yourself and come to
a different conclusion, and even to hold the opinion that those who
agree with you are complete fools, but it's simply not accurate to
imply, as you do here, that we didn't think about it.

-Ekr
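The two PRF constructions the thread argues about, as an added example that is not part of either poster's message: the TLS 1.0/1.1 PRF from RFC 2246 section 5 (P_MD5 over one half of the secret XORed with P_SHA1 over the other half, the "redundant dual-hash") beside the TLS 1.2 PRF from RFC 5246 section 5 (a single P_SHA256 over the whole secret). The pre-master secret and the two random values are constructed placeholders, not real session material; the function names are this example's own.

```python
"""Side-by-side implementation of the TLS 1.0/1.1 PRF (RFC 2246 s.5)
and the TLS 1.2 PRF (RFC 5246 s.5).  Added example: every input below
is constructed for illustration and is not a real session secret."""
import hmac


def p_hash(digest_name, secret, seed, length):
    """TLS P_hash expansion:
        A(0) = seed,  A(i) = HMAC_hash(secret, A(i-1))
        P_hash = HMAC_hash(secret, A(1) + seed) || HMAC_hash(secret, A(2) + seed) || ...
    truncated to the requested number of bytes."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest_name).digest()
        out += hmac.new(secret, a + seed, digest_name).digest()
    return out[:length]


def xor_bytes(x, y):
    return bytes(a ^ b for a, b in zip(x, y))


def prf_tls11(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: the secret is split into two halves (an odd-length
    secret shares its middle byte), P_MD5 runs over the first half, P_SHA1
    over the second, and the two streams are XORed.  Controlling the output
    requires breaking both hash functions; this is the "redundant dual-hash"
    the thread refers to."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    return xor_bytes(p_hash("md5", s1, label + seed, length),
                     p_hash("sha1", s2, label + seed, length))


def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF: one P_SHA256 over the whole secret (RFC 5246 lets a
    cipher suite name a stronger hash instead, but never MD5 or SHA-1)."""
    return p_hash("sha256", secret, label + seed, length)


def derive_master_secrets(pre_master, client_random, server_random):
    """Derive the 48-byte master secret under both PRFs for the same inputs
    (label "master secret", seed = ClientHello.random + ServerHello.random,
    RFC 2246 s.8.1 and RFC 5246 s.8.1)."""
    seed = client_random + server_random
    return {
        "tls11": prf_tls11(pre_master, b"master secret", seed, 48),
        "tls12": prf_tls12(pre_master, b"master secret", seed, 48),
    }


# Constructed placeholder inputs (not real key material).
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    for version, ms in derive_master_secrets(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM).items():
        print(version, ms.hex())
```

Swapping the PRF really is the small part of the change: the two functions differ in one line of structure. MD5 appears here only to reproduce the older construction; a FIPS-restricted Python build may refuse to instantiate it.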

---------------------------------------------------------------------
The Cryptography Mailing List