Slashdot Mirror


Deprecation of MD5 and SHA1 -- Just in Time? (threatpost.com)

mitcheli writes: If you're hanging on to the theory that collision attacks against SHA-1 and MD5 aren't yet practical, two researchers from INRIA, the French Institute for Research in Computer Science and Automation, have provided reason for urgency. They demonstrated a new series of transcript collision attacks centered on the SHA-1 and MD5 implementations in TLS 1.1, 1.2 and 1.3, along with IKEv1 and v2, and SSH 2. They say, "Our main conclusion is that the continued use of MD5 and SHA1 in mainstream cryptographic protocols significantly reduces their security and, in some cases, leads to practical attacks on key protocol mechanisms" (PDF). Of course, Mozilla officially began rejecting new SHA-1 certificates as of the first of the year. And as promised, there have been some usability issues. Mozilla said on Wednesday that various security scanners and antivirus products are keeping some users from reaching HTTPS websites.

18 of 87 comments

  1. Re:You shouldn't use one hash. by Anonymous Coward · · Score: 2, Insightful

    You shouldn't let amateurs design cryptographic systems either...

  2. Re:You shouldn't use one hash. by WhiteKnight07 · · Score: 5, Informative

    Actually concatenating hashes together doesn't do much for security at all. In fact it does almost nothing. See: http://link.springer.com/chapt...

    --
    We're going to make information free Mr. Anderson, whether you like it, or not.

  3. Re:You shouldn't use one hash. by Anonymous Coward · · Score: 5, Informative

    hashsha1(hashmd5(data)) is strong, and unlikely to be attacked successfully unless your key data is too short.

    This is not widely believed by crypto-security folks to be more secure.

    See e.g. https://crypto.stanford.edu/~xb/crypto06b/blackboxhash.pdf ---

    We studied the problem of combining multiple hash functions into a single function
    that is collision resistant whenever at least one of the original functions is.
    The hope was that, given a number of plausibly secure hash constructions (e.g.,
    SHA-512 and Whirlpool), one might be able to hedge one’s bet and build a new
    function that is at least as secure as the strongest of them. The combination
    should be space efficient in that the final output should be smaller than the
    concatenation of all hashes.

    We showed that no such efficient black-box combination is possible assuming each hash function is evaluated once.

  4. Catch 22 by Geoffrey.landis · · Score: 5, Interesting

    Wow, looks like Firefox has some real problems.
    From the link quoted: https://blog.mozilla.org/secur...

    How to tell if you’re affected
    If you can access this article in Firefox, you’re fine.

    So, if your Firefox is affected, they won't tell you about it. They'll only tell you if your Firefox is not affected.

    Later, same blog post:

    What to do if you’re affected
    The easiest thing to do is to install the newest version of Firefox. You will need to do this manually, using an unaffected copy of Firefox or a different browser, since we only provide Firefox updates over HTTPS.

    So, if your Firefox is affected, you can't upgrade it: you need to have the working version of Firefox to download a working version of Firefox.

    What a Catch 22! You can't know about the problem unless you already have fixed the problem, and you can't fix the problem... unless you have already fixed the problem.

    --
    http://www.geoffreylandis.com

    1. Re:Catch 22 by Anonymous Coward · · Score: 2, Interesting

      People will notice; they will not be able to use their bank, for example. They will probably try reinstalling Firefox or, worse for Mozilla, install Chrome.

  5. It Depends on Why You Are Using Hash Codes by DERoss · · Score: 3, Informative

    For use in encryption or for verifying that a file is authentic, SHA1 and MD5 should definitely be avoided.

    When transmitting a file over a LAN, WAN, or the Internet, however, SHA1 and MD5 are still useful to ensure that the file has not been corrupted (e.g., packets lost). Also, those two hashes can be used to determine if two files in the same system are the same.

    1. Re:It Depends on Why You Are Using Hash Codes by Anonymous Coward · · Score: 2, Interesting

      When transmitting a file over a LAN, WAN, or the Internet, however, SHA1 and MD5 are still useful to ensure that the file has not been corrupted (e.g., packets lost).

      That's error checking though, not cryptography. They're not saying these hashes are useless, just not a good idea in security.

      For use in encryption or for verifying that a file is authentic, SHA1 and MD5 should definitely be avoided.

      ... Also, those two hashes can be used to determine if two files in the same system are the same.

      That kind of sounds like you contradicted yourself there. (Maybe some minor semantic difference)

    2. Re:It Depends on Why You Are Using Hash Codes by TheCarp · · Score: 2

      Of course, everything depends on use case. Just being able to find collisions doesn't break all potential uses. It breaks specific use cases where the attacker has a known target and time to work.

      It doesn't break use cases where the attacker has an unknown target and little time. It wouldn't break an authentication protocol based on a hash challenge response, since the attacker is asked to offer up his hash, which is checked.

      Doesn't matter if he can generate arbitrary collisions then, because he has no target to collide with. If he had the password, he could answer the challenge before it expires.

      --
      "I opened my eyes, and everything went dark again"

    3. Re:It Depends on Why You Are Using Hash Codes by Anonymous Coward · · Score: 2, Informative

      Someone earlier said "You shouldn't let amateurs design cryptographic systems".

      You shouldn't let amateurs design transmission protocols either.
      SHA1 and MD5 aren't ideal for transmission. There are simpler hashes that are better at dealing with the type of errors that you typically get from transmissions.
      With the correct method you can even repair a couple of incorrectly transmitted bits without having to resend the file.

    4. Re:It Depends on Why You Are Using Hash Codes by castionsosa · · Score: 2

      I'd use CRC-64 or CRC-128 over MD5 anyway, just because it is a lot fewer cycles to compute CRCs than to do the more advanced work needed for a cryptographically secure hash.

      I would probably abandon MD5 and SHA1 altogether. If it doesn't need to be cryptographically secure, CRCs do the job. If it does need to be secure, I'd use SHA-3 with whatever length was needed for the job at hand. MD5 is "neither fish, nor fowl" and like MD4, just needs to be moved away from.

    5. Re:It Depends on Why You Are Using Hash Codes by castionsosa · · Score: 2

      Would it be better to use a large CRC as opposed to a cryptographically secure hash for deduplication work? CRCs are a lot easier to compute.

    6. Re:It Depends on Why You Are Using Hash Codes by Bengie · · Score: 2

      Unless you have a cryptographically strong hash, you have to compare the data. CRCs are meant only to let you know if data has been corrupted, not whether the data is uniquely different from other data. CRC may be faster than SHA2-256, but it is much slower than having to read and compare a bunch of data.
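      Added example (not from the thread) of the point above: two constructed files that differ in content but share a CRC-32, which a CRC-keyed deduplicator wrongly merges while a SHA-256 key confirmed by a byte compare does not. It relies on a property of zlib's CRC-32: appending a message's own little-endian CRC gives a fixed residue, so every message built that way has the same CRC.

```python
import hashlib
import zlib

def crc_self_appended(content: bytes) -> bytes:
    """Append the little-endian CRC-32 of `content` to itself.

    For zlib's CRC-32 every such message has the same CRC (a fixed residue),
    so two different payloads built this way collide under CRC-32.
    """
    return content + zlib.crc32(content).to_bytes(4, "little")

def dedup_by_crc(files: dict) -> dict:
    """Naive dedup: treats files with an equal CRC-32 as identical (unsafe).

    Returns {duplicate_name: name_it_was_merged_into}.
    """
    seen, dupes = {}, {}
    for name, data in files.items():
        key = zlib.crc32(data)
        if key in seen:
            dupes[name] = seen[key]
        else:
            seen[key] = name
    return dupes

def dedup_by_sha256(files: dict) -> dict:
    """Dedup keyed by SHA-256 (collision resistant), confirmed by a byte compare."""
    seen, dupes = {}, {}
    for name, data in files.items():
        key = hashlib.sha256(data).digest()
        if key in seen and files[seen[key]] == data:
            dupes[name] = seen[key]
        else:
            seen[key] = name
    return dupes

# Constructed sample "files": two distinct payloads that share a CRC-32, plus a true copy.
SAMPLE_FILES = {
    "invoice-a.txt": crc_self_appended(b"pay 100 to alice"),
    "invoice-b.txt": crc_self_appended(b"pay 900 to bob"),
    "invoice-a-copy.txt": crc_self_appended(b"pay 100 to alice"),
}

if __name__ == "__main__":
    print("CRC-32 dedup  :", dedup_by_crc(SAMPLE_FILES))   # merges invoice-b wrongly
    print("SHA-256 dedup :", dedup_by_sha256(SAMPLE_FILES))  # only the real copy
```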

    7. Re:It Depends on Why You Are Using Hash Codes by fahrbot-bot · · Score: 2

      Someone earlier said "You shouldn't let amateurs design cryptographic systems".

      You shouldn't let amateurs design transmission protocols either.

      You shouldn't let amateurs do most things - including porn.

      --
      It must have been something you assimilated. . . .

  6. Two different issues by kiwix · · Score: 5, Informative

    The summary mixes two different issues... SHA-1 is being phased out for certificate signatures, but this is not what the SLOTH attack is about.
    SLOTH is about the use of MD5 and SHA1 inside the TLS protocol, to sign or MAC the key-exchange messages.
    (Disclaimer: I'm one of the authors of the paper)

  7. Re:You shouldn't use one hash. by Bengie · · Score: 2

    Even Better, although I used SHA512 myself.

    import hmac, secrets  # Python rendering of the pseudocode; `data` is the input bytes
    salt = secrets.token_bytes(64)  # 64 random bytes from the OS CSPRNG
    final = salt + hmac.new(salt, data, "sha1").digest()  # salt as HMAC key, prepended so a verifier can recompute the tag

  8. Re:Still useful outside a cryptographic context? by Bengie · · Score: 2

    ZFS uses either Fletcher4-256 or SHA-256. Fletcher is based on CRC-64.

  9. Re:You shouldn't use one hash. by cc1984_ · · Score: 3, Insightful

    Very interesting article. However, it seems to be saying that a concatenation of an X bit hash and a Y bit hash are no better than a third hash of length X+Y bits. My original comment was in respect that md5 . sha1 would be better than md5 or sha1 alone, but even then I'm no crypto expert so I'm prepared to be proved wrong on that.

  10. Re:You shouldn't use one hash. by Pseudonym · · Score: 2

    hashsha1(hashmd5(data)) is strong, and unlikely to be attacked successfully unless your key data is too short.

    If hashmd5(text1) == hashmd5(text2), then hashsha1(hashmd5(text1)) == hashsha1(hashmd5(text2)).

    --
    sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
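    The collision-inheritance point above, together with the concatenation question in WhiteKnight07's and cc1984_'s exchange, as an added example that is not part of the thread: a 32-bit truncation of MD5 (an assumed stand-in for a hash whose collisions are practical) is collided by a birthday search, after which sha1(inner(.)) collides as well, while inner(.) || sha1(.) does not collide on that pair because the intact component still separates the inputs.

```python
import hashlib

TRUNC_BITS = 32  # stand-in for a weak inner hash: a 32-bit truncated MD5 has cheap collisions

def weak_md5(data: bytes) -> bytes:
    """Truncated MD5: plays the role of a hash whose collisions are practical."""
    return hashlib.md5(data).digest()[: TRUNC_BITS // 8]

def composed(data: bytes) -> bytes:
    """The sha1(md5(data)) construction from the thread, with the weak inner hash."""
    return hashlib.sha1(weak_md5(data)).digest()

def concatenated(data: bytes) -> bytes:
    """The md5 . sha1 concatenation: weak hash followed by an intact SHA-1."""
    return weak_md5(data) + hashlib.sha1(data).digest()

def find_inner_collision(limit: int = 1 << 21):
    """Birthday search for two distinct constructed messages with equal weak_md5.

    Expected cost is about 2**(TRUNC_BITS/2) evaluations, so this runs in seconds.
    """
    seen = {}
    for i in range(limit):
        msg = b"message-%d" % i
        tag = weak_md5(msg)
        if tag in seen:
            return seen[tag], msg
        seen[tag] = msg
    raise RuntimeError("no collision within limit")

def compare_combiners():
    """Return (m1, m2, composed_collides, concatenated_collides) for one inner collision."""
    m1, m2 = find_inner_collision()
    return m1, m2, composed(m1) == composed(m2), concatenated(m1) == concatenated(m2)

if __name__ == "__main__":
    m1, m2, comp, cat = compare_combiners()
    print(f"inner collision: {m1!r} vs {m2!r}")
    print(f"sha1(weak_md5(.)) collides: {comp}")
    print(f"weak_md5 || sha1 collides:  {cat}")
```

The concatenation still costs the full combined output length, which is the space-inefficiency the quoted Boneh-Boyen abstract says cannot be avoided by any black-box combiner.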