Re: My two cents on TLS mandatory ciphers [Long]
Lewis McCarthy wrote:
> Moshe Rozenblit writes:
> > I propose to consider
> > the following cipher suite for addition to the would be SHOULD list:
> > MD5 + RSA for digital signatures
> > RSA for public key encryption
> > DES CBC for symmetric key encryption
> > HMAC with MD5 for keyed hashing MAC.
> >
> > That's the default cipher suite in the proposed STASE-ROSE standard
> > making its way through T1 and ITU-T.
>
> Quoting the current TLS draft,
> "F.1.5. MD5 and SHA
>
> TLS uses hash functions very conservatively. Where possible, both
> MD5 and SHA are used in tandem to ensure that non-catastrophic
> flaws in one algorithm will not break the overall protocol."
>
> In particular, signatures with RSA are computed over both an MD5 hash
> and a SHA-1 hash of the input material to be signed (see Section 4.7).
>
> In view of Dobbertin's MD5-compress collisions of last year, using
> MD5 + RSA for digital signatures seems generally inadvisable.
>
> See <http://lists.w3.org/Archives/Public/ietf-tls/threads.html/#02413>
> for WG discussion of the use of MD5 in TLS last year.
>
> [...]
> > If there are good reasons for not including this cipher suite in the
> > SHOULD list, and if such list is adopted in the next couple of months,
> > it is possible that the default in STASE-ROSE will be changed to one
> > of the members of the SHOULD list, though at present 3DES is an
> > overkill for most network management applications.
>
> You may want to consider using SHA-1 or RIPEMD-160 in lieu of MD5....
> --
> Lewis http://www.cs.umass.edu/~lmccarth/ "In our opinion
> provable security is nothing more than a phantom, similar to
> the perpetuum mobile in thermodynamics." -- Joan Daemen, 1995
Hey, so many two cents could add up to a lot of money:-)
Just kidding....
--
Weilan W Wu
Senior Software Engineer
Software.Com
530 Montecito Street Ste 105
Santa Barbara, California 93103
email: weilan.wu@xxxxxxxxxxxx