Deprecation of MD5 and SHA1 -- Just in Time? (threatpost.com)
mitcheli writes: If you're hanging on to the theory that collision attacks against SHA-1 and MD5 aren't yet practical, two researchers from INRIA, the French Institute for Research in Computer Science and Automation, have provided reason for urgency. They demonstrated a new series of transcript collision attacks centered on the SHA-1 and MD5 implementations in TLS 1.1, 1.2 and 1.3, along with IKEv1 and v2, and SSH 2. They say, "Our main conclusion is that the continued use of MD5 and SHA1 in mainstream cryptographic protocols significantly reduces their security and, in some cases, leads to practical attacks on key protocol mechanisms (PDF)." Of course, Mozilla officially began rejecting new SHA-1 certificates as of the first of the year. And as promised, there have been some usability issues. Mozilla said on Wednesday that various security scanners and antivirus products are keeping some users from reaching HTTPS websites.
Actually concatenating hashes together doesn't do much for security at all. In fact it does almost nothing. See: http://link.springer.com/chapt...
We're going to make information free Mr. Anderson, whether you like it, or not.
hashsha1(hashmd5(data)) is strong, and unlikely to be attacked successfully unless your key data is too short.
This is not widely believed by crypto-security folks to be more secure.
See e.g. https://crypto.stanford.edu/~xb/crypto06b/blackboxhash.pdf ---
We studied the problem of combining multiple hash functions into a single function that is collision resistant whenever at least one of the original functions is. The hope was that, given a number of plausibly secure hash constructions (e.g., SHA-512 and Whirlpool), one might be able to hedge one's bet and build a new function that is at least as secure as the strongest of them. The combination should be space efficient in that the final output should be smaller than the concatenation of all hashes. We showed that no such efficient black-box combination is possible assuming each hash function is evaluated once.
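As an added illustration (not code from any commenter or from the cited paper), the following Python models the two combiners discussed above: a cascade like sha1(md5(data)) inherits every collision of its inner function, whereas a concatenation only collides when both functions do. No real MD5 collision pair is embedded here, so a truncated MD5 (a constructed stand-in for a broken inner hash) is used so that a collision can be found by brute force inside the example.

```python
import hashlib
from typing import Callable, Optional, Tuple

Hash = Callable[[bytes], bytes]


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def cascade(inner: Hash, outer: Hash) -> Hash:
    """outer(inner(data)): the construction proposed in the comment above."""
    return lambda data: outer(inner(data))


def concat(*funcs: Hash) -> Hash:
    """h1(data) || h2(data) || ...: the space-inefficient combiner."""
    return lambda data: b"".join(f(data) for f in funcs)


def truncated(h: Hash, nbytes: int) -> Hash:
    """Constructed stand-in for a broken hash: keep only the first nbytes of
    the digest so that collisions are cheap to find in this example."""
    return lambda data: h(data)[:nbytes]


def find_collision(h: Hash, max_tries: int = 1 << 20) -> Optional[Tuple[bytes, bytes]]:
    """Birthday-style search over distinct constructed messages; returns the
    first pair of inputs with an identical digest, or None if none is found."""
    seen = {}
    for i in range(max_tries):
        m = b"msg-%d" % i
        d = h(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
    return None


def demo() -> dict:
    weak_md5 = truncated(md5, 2)          # 16-bit output: collides quickly
    a, b = find_collision(weak_md5)       # guaranteed within 65537 tries
    casc = cascade(weak_md5, sha1)        # sha1(weak_md5(x))
    cat = concat(weak_md5, sha1)          # weak_md5(x) || sha1(x)
    return {
        "inputs_differ": a != b,
        "inner_collides": weak_md5(a) == weak_md5(b),
        "cascade_collides": casc(a) == casc(b),   # inherited from inner hash
        "concat_collides": cat(a) == cat(b),      # sha1 half still differs
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```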
For use in encryption or for verifying that a file is authentic, SHA1 and MD5 should definitely be avoided.
When transmitting a file over a LAN, WAN, or the Internet, however, SHA1 and MD5 are still useful to ensure that the file has not been corrupted (e.g., packets lost). Also, those two hashes can be used to determine if two files in the same system are the same.
The summary mixes two different issues... SHA-1 is being phased out for certificate signatures, but this is not what the SLOTH attack is about.
SLOTH is about the use of MD5 and SHA1 inside the TLS protocol, to sign or MAC the key-exchange messages.
(Disclaimer: I'm one of the authors of the paper)