[Cryptography] Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH

ianG iang at iang.org
Mon Apr 4 21:51:18 EDT 2016


Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and
SSH (Karthikeyan Bhargavan and Gaëtan Leurent), in Network and
Distributed System Security Symposium (NDSS), 2016.

https://mitls.org/downloads/transcript-collisions.pdf
https://mitls.org/pages/publications

Abstract—In response to high-profile attacks that exploit hash function 
collisions, software vendors have started to phase out the use of MD5 
and SHA-1 in third-party digital signature applications such as X.509 
certificates. However, weak hash constructions continue to be used in 
various cryptographic constructions within mainstream protocols such as 
TLS, IKE, and SSH, because practitioners argue that their use in these 
protocols relies only on second preimage resistance, and hence is 
unaffected by collisions. This paper systematically investigates and 
debunks this argument.

We identify a new class of transcript collision attacks on key exchange 
protocols that rely on efficient collision-finding algorithms on the 
underlying hash constructions.

We implement and demonstrate concrete credential forwarding attacks on 
TLS 1.2 client authentication, TLS 1.3 server authentication, and TLS 
channel bindings. We describe almost-practical impersonation and downgrade
attacks in TLS 1.1, IKEv2 and SSH-2. As far as we know, these are the 
first collision-based attacks on the cryptographic constructions used in 
these popular protocols.

Our practical attacks on TLS were responsibly disclosed (under the name 
SLOTH) and have resulted in security updates to several TLS libraries. 
Our analysis demonstrates the urgent need for disabling all uses of weak 
hash functions in mainstream protocols, and our recommendations have 
been incorporated in the upcoming Token Binding and TLS 1.3 protocols.
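The abstract's point is that the "only second preimage resistance is needed"
argument fails once the attacker sits between the two parties, because it can
then choose both transcripts before the victim's signature exists. The toy
model below is an added illustration of that credential-forwarding setting; it
is not code from the paper or from any TLS library. It assumes a signed-
transcript handshake in which the signature covers h(client_random ||
server_random || server_ext || client_ext), where the attacker controls the
server_ext field in its session with the client and the client_ext field in its
session with the real server. A SHA-256 digest truncated to 24 bits stands in
for a hash with practical collisions (the paper uses real MD5/SHA-1 collision
algorithms; the birthday search here is only to make the effect reproducible),
and an HMAC under a client-held key stands in for the client's signature. All
randoms, keys and field names are constructed for the example.

```python
"""Toy transcript-collision / credential-forwarding demo (illustration only).

A 24-bit truncated SHA-256 models a collision-weak transcript hash; a
full-width digest models the fix. HMAC models a signature that only the
client can produce and the server can check.
"""
import hashlib
import hmac

WEAK_BYTES = 3     # 24-bit digest: birthday collision costs ~2^12 hash calls
STRONG_BYTES = 32  # full SHA-256: the same search cannot succeed


def h(data: bytes, n: int) -> bytes:
    """Transcript hash truncated to n bytes (the weakness under study)."""
    return hashlib.sha256(data).digest()[:n]


def transcript(client_random: bytes, server_random: bytes,
               server_ext: bytes, client_ext: bytes) -> bytes:
    """Handshake transcript; the authentication signature covers h(transcript)."""
    return b"|".join((client_random, server_random, server_ext, client_ext))


def sign(secret: bytes, digest: bytes) -> bytes:
    """Client's 'signature' over the transcript hash (HMAC stand-in)."""
    return hmac.new(secret, digest, "sha256").digest()


def verify(secret: bytes, digest: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(secret, digest), sig)


def find_transcript_collision(c_rand, c_ext, a_rand, s_rand, s_ext, n,
                              table_size=1 << 13, budget=1 << 17):
    """Attacker A is in the middle of client C and server S.

    Session A (A poses as server to C):  T_A = (c_rand, a_srv_rand, X, c_ext)
    Session B (A poses as client to S):  T_B = (a_rand, s_rand, s_ext, Y)
    A controls X and Y and searches for h(T_A) == h(T_B) before C ever
    signs anything, so second-preimage resistance is never what is tested.
    """
    a_srv_rand = b"A-server-random"  # constructed: attacker's ServerHello random
    table = {}
    for i in range(table_size):
        x = b"ext-%d" % i
        table[h(transcript(c_rand, a_srv_rand, x, c_ext), n)] = x
    for j in range(budget):
        y = b"ext-%d" % j
        d = h(transcript(a_rand, s_rand, s_ext, y), n)
        if d in table:
            return a_srv_rand, table[d], y
    return None  # no collision within budget (expected for the strong hash)


def run_attack(n: int) -> bool:
    """Return True if the forwarded client signature is accepted by the server."""
    client_secret = b"client-signing-key"          # constructed credential
    c_rand, c_ext = b"C-random", b"client-ext"      # constructed client values
    a_rand = b"A-client-random"                     # attacker's ClientHello random
    s_rand, s_ext = b"S-random", b"server-ext"      # constructed server values

    found = find_transcript_collision(c_rand, c_ext, a_rand, s_rand, s_ext, n)
    if found is None:
        return False
    a_srv_rand, x, y = found

    # Client signs the transcript it saw in session A (containing attacker's X).
    sig = sign(client_secret, h(transcript(c_rand, a_srv_rand, x, c_ext), n))

    # Attacker forwards that signature in session B; server verifies it over
    # its own view of the transcript (containing attacker's Y).
    return verify(client_secret, h(transcript(a_rand, s_rand, s_ext, y), n), sig)


if __name__ == "__main__":
    print("weak hash, forwarded signature accepted:", run_attack(WEAK_BYTES))
    print("strong hash, forwarded signature accepted:", run_attack(STRONG_BYTES))
```

The search is generic birthday matching across the two attacker-controlled
fields, which is why the truncated digest is needed to make it cheap; with
MD5 or SHA-1 the equivalent step is a chosen-prefix collision, and the cost
figures in the paper refer to that. The structural lesson is the same either
way: the signature binds the client to a digest, not to a transcript, so any
collision-finding capability on the transcript hash turns into an
impersonation, regardless of second-preimage strength.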