2

SHA-1 is on the way to deprecation, in particular for digital certificates (X.509). But I can't find resources about SHA-1 deprecation from SSL/TLS cipher suites.

Is it implicit, as deprecation implies that SHA-1 usage will be deprecated in all cases? Or is there a different strategy concerning SHA-1 usage in cipher suites?

I also don't understand how attackers could forge a SHA-1 certificate signature, as the hash is still "protected" by the signature (CA private key). So forging the hash with collisions, OK, but one would detect that the hash is not trusted anymore (the signature wouldn't be the same). Am I missing something?

crypto-learner
  • 347
  • 4
  • 10
  • I expect those suites to become less common as AES-GCM and AEAD modes in general gain popularity. TLS 1.3 will probably only support AEAD modes excluding the traditional SHA-1 based suites. – CodesInChaos Dec 01 '14 at 13:10
  • 2
    HMAC-SHA-1 used as a MAC is still plenty strong. The problem with the traditional SHA-1 based suites isn't that they use SHA-1, it's that they're using either CBC with encrypt-then-mac (tricky to implement correctly) or RC4. – CodesInChaos Dec 01 '14 at 13:12
  • @CodesInChaos Ok thanks, but what about cipher suites which use SHA1 as a signature scheme? Will they be considered "deprecated"? – crypto-learner Dec 01 '14 at 14:05
  • 1
    There is also some good information about this in this question:

    http://crypto.stackexchange.com/questions/19286/sha1-no-longer-considered-secure-for-ssl-certificates-what-about-cipher-suite

    – Eddie Dec 02 '14 at 15:38

1 Answer

3

Ciphers don't use signature schemes. They do use MACs, which are different (and employ HMAC variants of hash functions, e.g. HMAC-SHA1). There is no danger in using SHA1 in this manner (or MD5 either, but I wouldn't advise doing that if you can avoid it). TLS 1.0 and TLS 1.1 also use SHA1 and MD5 internally, but this is still considered secure because they use them differently than certificates do. The main reason SHA1 is becoming deprecated is because the community believes attackers may someday soon gain the ability to forge SHA1 certificate signatures.

flashbang
  • 163
  • 8
  • OK, but I can't understand how attackers could forge a SHA1 certificate signature, as the hash is still "protected" by the signature (CA private key). So forging the hash with collisions, OK, but one would detect that the hash is not trusted anymore (the signature wouldn't be the same). Am I missing something? – crypto-learner Dec 01 '14 at 15:30
  • @crypto-learner The typical attack based on collisions in certificate hashes is creating two certificates with the same hash, one having the to-attack domain in it and one a domain you control. Then get the CA to sign the certificate for the domain you control and present the certificate with the attacked domain to the user in SSL. – CodesInChaos Dec 01 '14 at 16:18
  • @CodesInChaos OK, I see, the "attack" is before the CSR is made. – crypto-learner Dec 01 '14 at 16:55
  • I'm not sure if that certificate collision attack would still work, even if people managed to do a chosen-prefix attack like what happened with MD5. In response to those attacks many (all?) CAs included a piece of unpredictable data early in the certificate, which should prevent collision attacks. – CodesInChaos Dec 01 '14 at 16:58
  • @CodesInChaos In fact, an attacker wouldn't need to get the CA to sign the "fake" certificate, because if the two certificates have the same hash, they have the same signature (private key + hash). So the attacker can just get the signature of the "original" certificate (public info) and append this signature to the fake one. No? – crypto-learner Dec 04 '14 at 14:01
  • 1
    @crypto-learner The attacker would get the CA to sign the harmless-looking one of the colliding pair and then use the malicious one with the same signature. – CodesInChaos Dec 04 '14 at 14:45
  • @CodesInChaos Thanks for answering. I am now wondering why the CA signs the certificate hash rather than the "raw content"; there couldn't be collisions. I guess it is obvious, like performance when signing, perhaps also signature size, but X.509 certificates are rather short files. Any idea? – crypto-learner Dec 04 '14 at 22:27
  • 1
    @crypto-learner because the length of a message that you can sign is limited by the modulus size. So for example if you have a 2048-bit RSA keypair, you are limited to signing 2048 bits/256 bytes of information. A hash can easily fit in this, while an X.509 certificate cannot. But a hash is (theoretically) unique to whatever data it is a hash of - meaning it's just as good as if the original message were signed (provided that the hash function is secure). – flashbang Dec 05 '14 at 02:12
  • @acid Thanks for your comment, but actually, padding could be used to resolve the "modulus size" problem, no? As when you want to encipher a large file with a public key. – crypto-learner Dec 05 '14 at 12:09
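As an added illustration (not code from the thread or its participants) of the two points argued in the answer and its comments: the CA signs SHA-1(tbs), so verification depends only on the digest and a colliding certificate would verify under the same signature, and the raw content cannot be signed once it exceeds the modulus. The key, the textbook RSA arithmetic (no padding) and the tbs bytes are all constructed here for the demonstration.

```python
import hashlib
import random

# Textbook RSA over a SHA-1 digest with a small constructed key, only to show the
# arithmetic behind "the CA signs the hash"; not a real scheme (no padding).

def is_probable_prime(n, rounds=20):  # Miller-Rabin, enough for a demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_key(bits=512):
    """Constructed demo key (n, e, d); far too small for real use."""
    e, primes = 65537, []
    while len(primes) < 2:  # random odd candidates with the top bit set
        c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if (c - 1) % e and c not in primes and is_probable_prime(c):
            primes.append(c)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def sign_digest(key, tbs):
    """What the CA does: the signature depends on SHA-1(tbs) only."""
    n, _, d = key
    return pow(int.from_bytes(hashlib.sha1(tbs).digest(), "big"), d, n)

def verify_digest(key, tbs, sig):
    """The relying party also sees only the digest: any tbs with the same
    SHA-1 (a colliding certificate) verifies under the same signature."""
    n, e, _ = key
    return pow(sig, e, n) == int.from_bytes(hashlib.sha1(tbs).digest(), "big")

def sign_raw(key, tbs):
    """Sign the raw bytes instead: impossible once int(tbs) >= n, the
    modulus-size limit raised in the comments; returns None in that case."""
    n, _, d = key
    m = int.from_bytes(tbs, "big")
    return None if m >= n else pow(m, d, n)
```

A 108-byte constructed tbs already exceeds a 512-bit (64-byte) modulus, while its 20-byte SHA-1 digest always fits, which is the whole reason the digest is what gets signed.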