
Re: My two cents on TLS mandatory ciphers [Long]



Moshe Rozenblit writes:
> I propose to consider
> the following cipher suite for addition to the would be SHOULD list:
> MD5 + RSA for digital signatures
> RSA for public key encryption
> DES CBC for symmetric key encryption
> HMAC with MD5 for keyed hashing MAC.
> 
> That's the default cipher suite in the proposed STASE-ROSE standard 
> making its way through T1 and ITU-T. 

Quoting the current TLS draft,
  "F.1.5. MD5 and SHA

     TLS uses hash functions very conservatively. Where possible, both
     MD5 and SHA are used in tandem to ensure that non-catastrophic 
     flaws in one algorithm will not break the overall protocol."

In particular, signatures with RSA are computed over both an MD5 hash
and a SHA-1 hash of the input material to be signed (see Section 4.7).

In view of Dobbertin's MD5-compress collisions of last year, using
MD5 + RSA for digital signatures seems generally inadvisable.

See <http://lists.w3.org/Archives/Public/ietf-tls/threads.html/#02413>
for WG discussion of the use of MD5 in TLS last year.

[...]
> If there are good reasons for not including this cipher suite in the 
> SHOULD list, and if such list is adopted in the next couple of months, 
> it is possible that the default in STASE-ROSE will be changed to one 
> of the members of the SHOULD list, though at present 3DES is an 
> overkill for most network management applications.

You may want to consider using SHA-1 or RIPEMD-160 in lieu of MD5....
-- 
Lewis    http://www.cs.umass.edu/~lmccarth/    "In our opinion
provable security is nothing more than a phantom, similar to
the perpetuum mobile in thermodynamics."  -- Joan Daemen, 1995
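Added illustration (not code from the TLS draft, from STASE-ROSE, or from either poster): the tandem-hash signature construction Lewis refers to, as specified in Section 4.7 of the TLS draft (RFC 2246). The signer computes MD5(material) || SHA-1(material), a 36-byte block, pads it with PKCS #1 block type 1 and applies the RSA private key; no DigestInfo wrapper is used. The key generation is textbook RSA with a seeded generator purely so the example is reproducible; the sample "handshake material" is constructed, not a captured session; the function names are this example's own.

```python
# Added illustration (not from the TLS draft or the list message): a TLS 1.0
# style RSA signature over the MD5 || SHA-1 tandem digest, with verification.
import hashlib
import hmac
import random

# Constructed stand-in for what a TLS 1.0 server signs (client/server randoms
# plus ServerRSAParams); not a captured session.
SAMPLE_MATERIAL = b"client_random|server_random|ServerRSAParams (constructed sample)"


def tandem_digest(data: bytes) -> bytes:
    """36-byte structure RFC 2246 section 4.7 hands to RSA: MD5(data) || SHA-1(data).
    TLS 1.0 signs it directly, without a DigestInfo/OID wrapper."""
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin with a trial-division prefilter (example-only primality test)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if _is_probable_prime(cand, rng):
            return cand


def generate_rsa_key(bits: int = 1024, seed: int = 1997):
    """Textbook RSA keygen, seeded so the example is reproducible.
    Real code uses a CSPRNG and a vetted library; this is for illustration only."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p == q or phi % e == 0 or n.bit_length() != bits:
            continue
        return (n, e), (n, pow(e, -1, phi))  # (public, private)


def pkcs1_type1_pad(digest: bytes, k: int) -> bytes:
    """PKCS #1 block type 1: 00 01 FF..FF 00 || digest, padded to the modulus length k."""
    if len(digest) > k - 11:
        raise ValueError("digest too long for modulus")
    return b"\x00\x01" + b"\xff" * (k - len(digest) - 3) + b"\x00" + digest


def tls10_rsa_sign(priv, material: bytes) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = pkcs1_type1_pad(tandem_digest(material), k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def tls10_rsa_verify(pub, material: bytes, signature: bytes) -> bool:
    """Rebuild the whole padded block and compare it in full. Parsing the
    padding leniently instead is the mistake behind classic forgery bugs."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, pkcs1_type1_pad(tandem_digest(material), k))


def demo():
    pub, priv = generate_rsa_key()
    sig = tls10_rsa_sign(priv, SAMPLE_MATERIAL)
    return (tls10_rsa_verify(pub, SAMPLE_MATERIAL, sig),
            tls10_rsa_verify(pub, SAMPLE_MATERIAL + b"x", sig))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of the construction is visible in `tandem_digest`: a forger who can find colliding inputs for MD5 alone still needs the same pair to collide under SHA-1, so a weakness in one hash does not by itself let a second message carry the first message's signature. That protection applies to the TLS signature only; the MD5-with-RSA suite Moshe proposes would sign the MD5 digest on its own.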