(Secure) alternative to TLS / SSLv3 ?

views:

168

answers:

+1 Q:

(Secure) alternative to TLS / SSLv3 ?

Toying with an idea for a F2F networked application I've just been reading up on secure communication. I quickly settled with the idea of using TLS / SSL as the basis for any communication since it employs Public Key encryption at the protocol level and thus is perfect for my needs. However I was surprised to read (on wikipedia) that the newest version of TLS, SSLv3 uses a mix of MD5 and SHA-1 "because if any vulnerability was found in one of these algorithms the other would prevent it from compromising SSLv3". However, as I take it, lately both have been found flawed !

So my questions are thus:
Does this not mean that SSLv3 is basically flawed, or am I not reading close enough ?
And if so does a "secure" alternative to SSLv3 exist ?

+3 A:

The PRF used in TLSv1 and all earlier SSL versions does use an xor of MD5 and SHA1. Collisions against both hash algorithms are possible. MD5 collisions are much easier to generate. From wikipedia 2^24 MD5 vs 2^63 SHA1 operations. In TLSv2 the PRF rather than being hardcoded can now be negotiated in much the same way as underlying ciphers in earlier versions of SSL. The initial must implement for TLSv2 is unmixed SHA2.

However just because a hash is vulnerable to collisions does not necessarily render it insecure for all applications.

For example it is quite dangerous to use vulnerable hashes alone to verify the signature of a file because it is very feasable to alter the data in a way that maintains the original signature. (By finding a collision)

In the case of the PRF (Pseudo random function) what you want to do is provide predictable output based on the knowledge of a secret that cannot be feasibly reverse engineered to obtain the input secret. In this case successful search for collisions is not as useful as in the previous case.

Finding collisions should still be concerning to any use of a hash algorithm as history has shown it can open doors to FUTURE discovery of much more significant vulnerabilities.

Personally what is most alarming about TLS to me is the previous case where MD5/SHA1 is commonly used for signature verification when checking the trust chain between root and intermediary certificates. Forging of intermediaries by generating collisions has been successfully demonstrated.

Einstein 2010-05-16 18:56:02

The hashes in TLS < 1.2 are not XORed they're concatenated, so you are essentially getting a hash that is at least as strong as the strongest of the two for every input.

GregS 2010-05-17 23:37:47

Not true, from sec 5 of RFC 2246: PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed);

Einstein 2010-05-18 02:09:36

Sorry, my mistake.

GregS 2010-05-18 02:56:18

+2 A:

The weaknesses in MD5 and SHA-1 do not impact the use of MD5 and SHA-1 in TLS. However, if you find TLS unacceptable due to the use of MD5 or SHA-1 (e.g. because some kind of regulation mandates phasing out MD5 and SHA-1, or maybe you find it bad public relations), then you can investigate SSH, which uses similar concepts.

Thomas Pornin 2010-05-16 22:44:34

I'd be interested in learning why the weaknesses of MD5/SHA-1 don't apply. What version does this hold true for?

MakerOfThings7 2010-10-15 03:09:19

Known weaknesses for MD5 and SHA-1 are for collisions. In SSL/TLS (all versions), MD5 and/or SHA-1 are used for pseudo-random number generation, digital signatures, and integrity checks; none of these usages is impacted by collisions. They rely on preimage resistance (and some related properties), for which MD5 and SHA-1 are as solid as ever (i.e. no known weakness -- yet).

Thomas Pornin 2010-10-15 14:42:58

ansaurus

tags:

views:

answers:

(Secure) alternative to TLS / SSLv3 ?

related questions