More on that "SHA1 disaster brewing" thing. My understanding today
(wait until tomorrow before challenging ...) is it could be as bad as this:
* servers need to support TLS1.2 before the old hash family is gone.
* clients need to support old hashes until the servers stop TLS1.1
* we have our classic client-server deadly embrace!
* servers won't stop before clients stop before servers stop...
* nobody is rushing to support TLS1.2
* Apache won't ship a release httpd to handle SHA2 certs any time soon
* SHA2 is off the agenda?
* might want to stick a nonce in each cert?
* and wait for SHA3?
As I say, that's a potential worst case! It should be better. But,
bottom line is that we may be stuck on SHA1 for a lot longer than is
technically wise. Like, any time after today.
iang
-------- Original Message --------
Subject: Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow
Date: Fri, 23 Jan 2009 09:23:05 -0800
From: Eric Rescorla <e...@networkresonance.com>
[snip]
Nearly all the changes to TLS between 1.1 and 1.2 were specifically
designed to accommodate new digest algorithms throughout the protocol.
For those of you who aren't TLS experts, TLS had MD5 and SHA-1 wired all
throughout the protocol and we had to arrange to strip them out, plus
find a way to signal that you were willing to support the newer
algorithms. To avoid this becoming a huge pile of hacks, we had to
restructure some of the less orthogonal negotiation mechanisms. The
other major (and totally optional) change was the addition of combined
cipher modes like GCM. That change was made primarily because we were in
there and there was some demand for those modes. So, no, I don't
consider these changes "gratuitous", though of course they are
incompatible. Yes, there were simpler things we could have done, such as
just specifying a new set of fixed digest algorithms to replace MD5 and
SHA-1, but I and others felt that this was unwise from a futureproofing
perspective.
Yes, the changes between TLS 1.1 and TLS 1.2 are about as big as those
between SSL and TLS. I'm not particularly happy about that either, but
it's what we felt was necessary to do a principled job.
-Ekr
---------------------------------------------------------------------
The Cryptography Mailing List
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
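One check an operator wants before any SHA-1 cutover is knowing which certificates in the estate are still SHA-1 (or MD5) signed. The following is an added example, not code from either message or from the list: it reads the outer signatureAlgorithm of a DER-encoded X.509 certificate and flags weak hashes. The helper names, the cert-shaped sample and the padding are constructed for this example; a real DER certificate's bytes can be passed to cert_signature_hash directly.

```python
# signatureAlgorithm OIDs (PKCS#1 / RFC 3279 / RFC 5758) -> hash used in the signature
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.4": "MD5",       # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
}
WEAK = {"MD5", "SHA-1", "unknown"}       # unknown is flagged so it gets looked at

def read_tlv(buf, pos):
    """Parse one DER TLV at pos -> (tag, value_start, value_end); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode DER OID contents (first byte = 40*a+b, then base-128 arcs) into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def cert_signature_hash(der_cert):
    """Return (oid, hash_name, is_weak) from Certificate.signatureAlgorithm, skipping tbsCertificate."""
    _, start, _ = read_tlv(der_cert, 0)                 # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der_cert, start)           # tbsCertificate: skipped whole
    _, alg_start, _ = read_tlv(der_cert, tbs_end)       # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der_cert, alg_start)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    oid = decode_oid(der_cert[oid_start:oid_end])
    name = SIG_ALG_HASH.get(oid, "unknown")
    return oid, name, name in WEAK

def tlv(tag, content):
    """Tiny DER encoder for the constructed sample (short or one-byte long-form length)."""
    head = [tag, len(content)] if len(content) < 0x80 else [tag, 0x81, len(content)]
    return bytes(head) + content

def sample_cert(oid_bytes):
    """Constructed cert-shaped DER (NOT a real certificate) carrying the given signature OID."""
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"\x00" * 150))   # padded: long-form length
    alg = tlv(0x30, tlv(0x06, oid_bytes) + tlv(0x05, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xaa" * 16))

SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

The outer signatureAlgorithm is what a TLS 1.1 peer must be able to verify; a SHA-1 result here is exactly the kind of certificate the thread expects to be stuck with until TLS 1.2 clients are common.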