[gnutls-devel] moving out from SHA1

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Fri Feb 24 17:50:48 CET 2017


On Fri, 2017-02-24 at 11:17 +0100, Tim Ruehsen wrote:

> > In 3.5.x we forbid SHA1 for certificate verification in TLS, for the
> > NORMAL and above levels, in one of the next few releases (3.5.10 or
> > 3.5.11), but still allow it for TLS handshake signatures. That is, we
> > take advantage of the verification PROFILEs associated with a priority
> > string keyword, and even though SHA1 is in general acceptable, it will
> > be refused for certificate verification. At the same time it will
> > allow applications which rely on SHA1 to continue to function, as well
> > as connection to old servers which use TLS signatures with SHA1 (maybe
> > even treat OCSP differently to avoid breaking examples with amazon as
> > above).
> > 
> > 6 months to a year later port that to the 3.3.x branch.
> > 
> > What do you think?
> 
> Thanks, that sounds like a reasonable plan :-)
> 
> After reading about the collision yesterday, I already thought about
> impacts on the hopefully-soon-to-be-released wget2.
> 
> Just from what I read / understood, there is no need to hurry (?):
> They said it needed "thousands of CPU years" to generate the
> collision.
> A very rough calculation of the costs:
> - $0.01 per GFLOPShour from [1]
> - 8760 hours per year
> - 3000 CPU years
> - assuming 50 GFLOPS per CPU
> - 3000 * 8760 * 50 GFLOPShours
> - 3000 * 8760 * 50 * $0.01 = $13,140,000 !!!
> Even when assuming 10x less costs per GFLOPShour, it's pretty
> expensive to generate one collision. Or did I misunderstand/misread
> something basic?

My understanding is the same; the cost for a collision is quite high.
Note that a collision itself is not catastrophic for signatures, and
practical attacks are quite complex, but they may still be feasible, as
with MD5 [0]. These attacks on MD5 showed that a short time after the
first collision, practical attacks could be mounted by academics.

regards,
Nikos

[0]. https://www.win.tue.nl/hashclash/rogue-ca/
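As an added example that is not part of the thread and not GnuTLS code: the plan above makes a chain with a SHA1-signed certificate fail verification under NORMAL, so the check an operator wants before upgrading is "which certificates in my chain are still signed with SHA-1?". The script below walks each CERTIFICATE block of a PEM bundle, reads the outer signatureAlgorithm OID of the DER certificate (the algorithm the issuer actually signed with) and flags MD5/SHA-1. The DER parser, the OID table and the helper names are mine; the sample chain is constructed in the block (skeleton certificates with a dummy tbsCertificate and an empty signature, not valid certificates) so it runs offline.

```python
# Added example: flag SHA-1/MD5 signature algorithms in a PEM certificate chain.
# Hypothetical helper code, not part of GnuTLS or wget2.
import base64
import re

# OIDs of common signatureAlgorithm identifiers (RFC 3279, RFC 4055, RFC 5758).
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA512"),
}
WEAK_DIGESTS = {"MD5", "SHA1"}


def _read_tlv(buf, pos):
    """Parse one DER TLV (single-byte tag) at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn OID content octets (base-128 arcs) into dotted notation."""
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first, second = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(str(x) for x in [first, second] + arcs[1:])


def signature_algorithm(der):
    """Return (dotted OID, name, digest) from a DER certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)        # tbsCertificate, skipped
    tag, algid, _ = _read_tlv(cert, pos)     # signatureAlgorithm ::= AlgorithmIdentifier
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid_bytes, _ = _read_tlv(algid, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    oid = _decode_oid(oid_bytes)
    name, digest = SIG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, digest


def pem_chain_report(pem_text):
    """For each CERTIFICATE block in a PEM bundle return (index, algorithm name, weak?)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    report = []
    for i, b64 in enumerate(blocks):
        der = base64.b64decode("".join(b64.split()))
        _oid, name, digest = signature_algorithm(der)
        report.append((i, name, digest in WEAK_DIGESTS))
    return report


# --- constructed sample input (not real certificates) ---------------------
def _der(tag, content):
    """Minimal DER encoder used only to build the constructed sample."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    out = bytearray()
    for a in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))


def make_skeleton_cert(sig_oid):
    """Constructed stand-in: dummy tbsCertificate, real AlgorithmIdentifier, empty signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    algid = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))
    return _der(0x30, tbs + algid + _der(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# A leaf "signed" with SHA-256 followed by an intermediate "signed" with SHA-1.
SAMPLE_CHAIN = (to_pem(make_skeleton_cert("1.2.840.113549.1.1.11"))
                + to_pem(make_skeleton_cert("1.2.840.113549.1.1.5")))

if __name__ == "__main__":
    for idx, name, weak in pem_chain_report(SAMPLE_CHAIN):
        print(f"cert {idx}: {name}{'  <-- refused by NORMAL profile' if weak else ''}")
```

Run it against a real bundle by passing the file's text to pem_chain_report; any entry marked weak is one that the profile change described above will reject, so it has to be re-issued (or the trust anchor handled separately) before the upgrade rather than after.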
