On Tue, Jul 10, 2018 at 03:38:42PM +0200, Hubert Kario wrote:

> The github version of the document points out that the security of TLS 1.2 
> downgrade protection to TLS 1.1 or TLS 1.0 depends on SHA-1.

Is this accurate?  TLS 1.0 uses a combined SHA-1 + MD5 PRF.  Are
there known attacks that compromise TLS 1.0 via collisions in its
PRF?

[ IIRC, one embarrassing feature of TLS 1.2 vs. TLS 1.0 is that in making
  the signature algorithms negotiable, it became possible to offer and
  use MD5 where previously TLS 1.0 used SHA-1. ]

> that is the downgrade issue in the protocol

Keep in mind that my example, illustrating potentially counter-productive
raising of the floor, was about SHA-1 signatures in certificates.
Does accepting SHA-1 signatures in *certificate chains* create
opportunities to downgrade TLS 1.2 to TLS 1.0?

For the record, I am not saying that users should not be moving to
TLS 1.2 (if they haven't already).  Rather, I'm not aware of practical
cryptographic downgrade attacks to TLS 1.0 (other than software
that might still pessimistically fall back to TLS 1.0 on TLS 1.2
handshake failure).

Absent such downgrade attacks, what's really needed is broader
support for TLS 1.2 (raising the ceiling), which does not require
removal of support for TLS 1.0 (raising the floor).

As a community we're still prone to pursue improved security primarily
through removal of weak algorithms, and under-appreciate security
improvement via the introduction of stronger algorithms.

Of course removal of weak algorithms has its place, if these
facilitate downgrade attacks, or present unnecessary attack-surface
once no longer used.  But we should be careful to not rush into
overzealous deprecation that can sometimes do more harm than good.

-- 
        Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
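The exchange above turns on where each protocol version's Finished computation depends on a hash function. The following is an added illustration, not code from this thread or from any TLS implementation: it implements the PRF definitions from RFC 2246 section 5 (TLS 1.0: P_MD5 XOR P_SHA-1 over the two halves of the secret) and RFC 5246 section 5 (TLS 1.2: P_SHA256), and the Finished verify_data derivation for both. The master secret and handshake transcript are constructed stand-ins, not captured traffic, and the `fake_transcript` layout is a simplification that only serves to embed the negotiated version bytes.

```python
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """RFC 2246 data-expansion function P_hash.

    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1));
    P_hash = HMAC_hash(secret, A(1) + seed) + HMAC_hash(secret, A(2) + seed) + ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR
    P_SHA-1 over the second half (halves overlap by one byte if odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF for cipher suites that use the default SHA-256 PRF hash."""
    return p_hash("sha256", secret, label + seed, length)


def finished_tls10(master_secret, label, handshake_messages):
    """RFC 2246 7.4.9: verify_data = PRF(master_secret, label,
    MD5(handshake_messages) + SHA-1(handshake_messages))[0..11].
    The transcript is bound through MD5 and SHA-1 only."""
    transcript = (hashlib.md5(handshake_messages).digest()
                  + hashlib.sha1(handshake_messages).digest())
    return prf_tls10(master_secret, label, transcript, 12)


def finished_tls12(master_secret, label, handshake_messages):
    """RFC 5246 7.4.9: verify_data = PRF(master_secret, label,
    Hash(handshake_messages))[0..11], Hash being the PRF hash (SHA-256 here)."""
    transcript = hashlib.sha256(handshake_messages).digest()
    return prf_tls12(master_secret, label, transcript, 12)


def fake_transcript(version):
    # Constructed stand-in for the concatenated handshake messages; real
    # ClientHello/ServerHello encodings are longer, but the property we want
    # to show is only that the negotiated ProtocolVersion is part of the
    # bytes the Finished message commits to.
    return (b"ClientHello" + version + b"\x00" * 28
            + b"ServerHello" + version + b"CertificateServerHelloDone")


# Constructed 48-byte master secret (TLS master secrets are 48 bytes).
MASTER_SECRET = bytes(range(48))
TRANSCRIPT_TLS12 = fake_transcript(b"\x03\x03")
TRANSCRIPT_TLS10 = fake_transcript(b"\x03\x01")


def transcript_binding_differs():
    """True if altering the version bytes in the transcript changes the
    expected verify_data under both PRFs, i.e. a version change is detected by
    the Finished check as long as the underlying hashes stay collision resistant."""
    v12_ok = finished_tls12(MASTER_SECRET, b"server finished", TRANSCRIPT_TLS12)
    v12_bad = finished_tls12(MASTER_SECRET, b"server finished", TRANSCRIPT_TLS10)
    v10_ok = finished_tls10(MASTER_SECRET, b"server finished", TRANSCRIPT_TLS12)
    v10_bad = finished_tls10(MASTER_SECRET, b"server finished", TRANSCRIPT_TLS10)
    return v12_ok != v12_bad and v10_ok != v10_bad


if __name__ == "__main__":
    print("TLS 1.2 Finished :", finished_tls12(MASTER_SECRET, b"server finished", TRANSCRIPT_TLS12).hex())
    print("TLS 1.0 Finished :", finished_tls10(MASTER_SECRET, b"server finished", TRANSCRIPT_TLS10).hex())
    print("version change detected under both PRFs:", transcript_binding_differs())
```

The point this makes concrete: once a session lands on TLS 1.0, the Finished check that is supposed to detect tampering with the handshake (including the version fields) commits to the transcript only through MD5 and SHA-1, whereas in TLS 1.2 it goes through the suite's PRF hash. Whether that difference translates into a practical downgrade is exactly the question the message leaves open.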