[Cryptography] sunsetting SHA-1 in Chrome

ianG iang at iang.org
Mon Sep 22 02:52:49 EDT 2014


On 18/09/2014 09:55 am, Albert Lunde wrote:
> On 9/7/2014 3:16 AM, Alexander Klimov wrote:
>> <http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html>
>>
>>   Chrome will start the process of sunsetting SHA-1 (as used in
>>   certificate signatures for HTTPS) with Chrome 39 in November. HTTPS
>>   sites whose certificate chains use SHA-1 and are valid past 1 January
>>   2017 will no longer appear to be fully trustworthy in Chrome’s user
>>   interface.
> 
> How do the Chrome and Microsoft deprecations of SHA1 view the use of
> SHA1 in TLS cipher suites?
> 
> As I understand it SHA1 is being used in a HMAC in TLS, which is
> somewhat stronger than SHA1 alone in a certificate.  There's some reason
> to suspect both, but it's a different case.


Very different.  SHA1 sits in a cert for about 2 years, and (originally
[0]) certs were vulnerable to collision attacks.

Whereas a HMAC in protocols sits there for maybe 2 seconds and isn't
really vulnerable to collision attacks.


> Alternatives to SHA1 in TLS don't seem to show up until TLS 1.2.


Yeah.  The problem is that although TLS espoused a goal of
crypto-agility, the evidence suggests it was more to do with
crypto-vanity as seen in a steady stream of new block ciphers.  The
failure of hashes was unexpected so not actually part of the protocol;
whereas the failure of ciphers was expected but didn't really return
dividends.

In practice, crypto-agility has never really delivered the returns;
cryptography has been the one solid thing we can lean on for a decade
into the future.



iang



[0]   These days, certs are supposed to include a 20 byte nonce which
kills the collision attack.
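
Added example, not part of the original message: a toy model of the distinction drawn above between a hash in a certificate signature and a hash inside an HMAC, and of the nonce from footnote [0]. It assumes SHA-1 truncated to 24 bits so that a collision search is instant, places the nonce in a serial field ahead of the subject, and uses constructed names, serials and key.

```python
import hashlib
import hmac

TOY_BITS = 24  # toy digest size so the birthday search is instant; real SHA-1 is 160 bits


def toy_hash(data: bytes) -> bytes:
    """SHA-1 truncated to TOY_BITS, standing in for a hash with feasible collisions."""
    return hashlib.sha1(data).digest()[: TOY_BITS // 8]


def toy_hmac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 truncated to the same toy size."""
    return hmac.new(key, data, hashlib.sha1).digest()[: TOY_BITS // 8]


def find_collision(prefix: bytes):
    """Offline birthday search: two different subjects whose prefix||subject hashes collide."""
    seen = {}
    counter = 0
    while True:
        subject = b"CN=host-%d.example" % counter
        digest = toy_hash(prefix + subject)
        if digest in seen:
            return seen[digest], subject
        seen[digest] = subject
        counter += 1


def demo():
    predicted_serial = (1001).to_bytes(20, "big")  # sequential, so it can be guessed in advance
    nonce_serial = bytes(range(7, 27))             # constructed stand-in for 20 random bytes
    mac_key = b"constructed-session-key"           # secret that the search never sees

    first, second = find_collision(predicted_serial)
    return {
        # Predictable serial: one signature over the hash covers both certificate bodies.
        "cert_predictable_serial": toy_hash(predicted_serial + first) == toy_hash(predicted_serial + second),
        # Unpredictable serial: the precomputed pair no longer collides under the real prefix.
        "cert_nonce_serial": toy_hash(nonce_serial + first) == toy_hash(nonce_serial + second),
        # HMAC: the secret key is hashed ahead of the message, so the offline pair is useless.
        "hmac": toy_hmac(mac_key, predicted_serial + first) == toy_hmac(mac_key, predicted_serial + second),
    }


if __name__ == "__main__":
    print(demo())
```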

