[openssl-users] openSSL and SLOTH attack
Jakob Bohm
jb-openssl at wisemo.com
Thu Jan 7 21:32:23 UTC 2016
On 07/01/2016 16:46, Michael Wojcik wrote:
> As described on that web page, use OpenSSL 1.0.1f or later. That prevents the currently-practical SLOTH attack against RSA-MD5 client authentication.
>
> If you're using an OpenSSL release earlier than 1.0.1f, SLOTH is probably not your biggest problem.
>
> The authors recommend discontinuing use of MD5 and SHA-1 in general. So does nearly everyone else. Really the risk of continuing to support MD5 and SHA-1 can only meaningfully be evaluated in the context of your own threat model; but either you already know that, or you don't know what your threat model is, in which case the safe move is to drop support for MD5 and SHA-1 as soon as you can.
>
The above is not a very accurate summary.
In particular, the following would be a clearer summary:
1. Whenever possible, configure both servers and clients to avoid using MD5 or SHA-1 alone.
2. My suggestion: If it is necessary to retain SHA-1 support due to some correspondents stuck with older weak algorithms (looking at you Microsoft!), then isolate it as much as possible, e.g. with different certificates etc.
3. If possible, configure servers and clients to not choose encryption modes where the TLS handshake is confirmed using only 96 bits of the relevant HMAC.
4. Do not use the "official" tls-unique token to bind something to a TLS handshake; it is unsuited to purpose, even with the recent extension of its format. My suggestion: Instead do a strong hash (SHA-256 or better) of the complete handshake (all handshake messages in both directions, including record headers).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
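As an added illustration of point 4 above (example code written for this archive page, not from the thread and not an OpenSSL API), the Python below computes a SHA-256 binding over every handshake record in both directions, 5-byte record headers included, from constructed wire bytes. The per-record direction tag and the stub handshake fragments are my own assumptions.

```python
import hashlib
import struct

# TLS record header: content_type (1) | version (2) | length (2), then the fragment.
RECORD_HEADER = struct.Struct("!BHH")
CONTENT_HANDSHAKE = 22


def parse_records(stream):
    """Split one side's wire bytes into (content_type, header, fragment) tuples.
    A truncated record raises ValueError so a partial transcript is never bound."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < RECORD_HEADER.size:
            raise ValueError("truncated record header")
        content_type, _version, length = RECORD_HEADER.unpack_from(stream, offset)
        body_start = offset + RECORD_HEADER.size
        fragment = stream[body_start:body_start + length]
        if len(fragment) != length:
            raise ValueError("truncated record fragment")
        records.append((content_type, stream[offset:body_start], fragment))
        offset = body_start + length
    return records


def transcript_binding(exchange):
    """SHA-256 over every handshake record, in wire order, in both directions.
    `exchange` is a list of (direction, raw_bytes) as seen on the wire, with
    direction "C" (client->server) or "S" (server->client).  Each handshake
    record contributes a direction tag (my addition, so the two flows cannot
    be confused), its 5-byte record header and its fragment.  Other record
    types (e.g. ChangeCipherSpec, type 20) are skipped."""
    h = hashlib.sha256()
    for direction, raw in exchange:
        for content_type, header, fragment in parse_records(raw):
            if content_type == CONTENT_HANDSHAKE:
                h.update(direction.encode("ascii") + header + fragment)
    return h.digest()  # 32 bytes, versus the 12 bytes of a tls-unique value


def record(content_type, fragment, version=0x0303):
    # Helper for building constructed sample records (header + fragment).
    return RECORD_HEADER.pack(content_type, version, len(fragment)) + fragment


# Constructed sample, not a real capture: a stub ClientHello (handshake type 1),
# then a stub ServerHello (type 2) followed by a ChangeCipherSpec record.
SAMPLE = [
    ("C", record(22, b"\x01\x00\x00\x04" + b"c" * 4)),
    ("S", record(22, b"\x02\x00\x00\x04" + b"s" * 4) + record(20, b"\x01")),
]
```

Any change to a single byte of any handshake record, in either direction and including the record header, changes the 256-bit result, which is the property a binding token needs.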