On Tue, Jul 10, 2018 at 11:46 AM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> Hubert Kario <hka...@redhat.com> writes:
>
> >but randoms in TLS 1.0 and TLS 1.1 are signed (effectively) with SHA-1...
>
> .... but with EMS or LTS in effect, with a lot more than that.

EMS does not fix the ServerKeyExchange signature payload. It's still just the randoms and not the full transcript. But, fixed or not, it is still signed with SHA-1.

Ironically, while signing the full transcript is indeed preferable, the SLOTH paper (see sections V.A. and V.B.) shows how it actually then becomes *easier* to exploit a weak hash function:
https://www.mitls.org/pages/attacks/SLOTH

David
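An added illustration of the point made above (my own code, not from this thread or from any TLS implementation): per RFC 4346 the TLS 1.0/1.1 ServerKeyExchange signature input is only the two randoms plus ServerDHParams, whereas the RFC 7627 session hash that EMS mixes into the master secret covers the whole transcript. The ClientHello bodies below are constructed stand-ins, not a faithful encoding.

```python
import hashlib
import struct
EMS_EXTENSION_TYPE = 0x0017  # extended_master_secret extension type (RFC 7627)

def _opaque16(value: bytes) -> bytes:
    # opaque<1..2^16-1>: 2-byte big-endian length prefix, then the bytes.
    return struct.pack("!H", len(value)) + value

def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    # ServerDHParams (RFC 4346, 7.4.3): dh_p, dh_g, dh_Ys, each opaque<1..2^16-1>.
    return b"".join(_opaque16(n.to_bytes((n.bit_length() + 7) // 8, "big"))
                    for n in (p, g, ys))

def skx_signed_input(client_random: bytes, server_random: bytes, params: bytes) -> bytes:
    # Everything a TLS 1.0/1.1 ServerKeyExchange signature covers: the two 32-byte
    # randoms plus the server's parameters. No ClientHello, no extensions, no EMS.
    assert len(client_random) == 32 and len(server_random) == 32
    return client_random + server_random + params

def skx_digest(signed_input: bytes, sig_alg: str) -> bytes:
    # RFC 2246/4346: RSA signs MD5(input) || SHA-1(input); DSS signs SHA-1(input).
    sha1 = hashlib.sha1(signed_input).digest()
    if sig_alg == "rsa":
        return hashlib.md5(signed_input).digest() + sha1
    if sig_alg == "dss":
        return sha1
    raise ValueError(f"unknown signature algorithm: {sig_alg}")

def ems_session_hash(handshake_messages: bytes) -> bytes:
    # RFC 7627 session_hash with the TLS 1.0/1.1 PRF: MD5 || SHA-1 over the
    # concatenated handshake messages up to and including ClientKeyExchange.
    return hashlib.md5(handshake_messages).digest() + hashlib.sha1(handshake_messages).digest()

def compare_ems_effect(sig_alg: str = "dss") -> dict:
    # Constructed sample values, not taken from a real handshake.
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    params = encode_server_dh_params(p=23, g=5, ys=8)
    # Simplified stand-in ClientHello bodies, identical except for an empty EMS extension.
    hello_plain = b"\x03\x02" + client_random + b"\x00\x00\x02\x00\x39\x01\x00"
    hello_ems = hello_plain + struct.pack("!HH", EMS_EXTENSION_TYPE, 0)
    skx_body = server_random + params  # stand-in for the rest of the transcript
    return {
        # Computed once: the hello bytes are simply not an input to this signature.
        "skx_digest": skx_digest(skx_signed_input(client_random, server_random, params), sig_alg),
        # EMS binds the master secret to the whole transcript, so adding the
        # extension changes the session hash even though the randoms are unchanged.
        "session_hash_plain": ems_session_hash(hello_plain + skx_body),
        "session_hash_ems": ems_session_hash(hello_ems + skx_body),
    }
```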
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls