Toying with an idea for a F2F networked application I've just been reading up on secure communication. I quickly settled with the idea of using TLS / SSL as the basis for any communication since it employs Public Key encryption at the protocol level and thus is perfect for my needs. However I was surprised to read (on wikipedia) that the newest version of TLS, SSLv3 uses a mix of MD5 and SHA-1 "because if any vulnerability was found in one of these algorithms the other would prevent it from compromising SSLv3". However, as I take it, lately both have been found flawed!
So my questions are thus:
Does this not mean that SSLv3 is basically flawed, or am I not reading close enough? And if so, does a "secure" alternative to SSLv3 exist?

The weaknesses in MD5 and SHA-1 do not impact the use of MD5 and SHA-1 in TLS. However, if you find TLS unacceptable due to the use of MD5 or SHA-1 (e.g. because some kind of regulation mandates phasing out MD5 and SHA-1, or maybe you find it bad public relations), then you can investigate SSH, which uses similar concepts.
The PRF used in TLSv1 and all earlier SSL versions does use an xor of MD5 and SHA1. Collisions against both hash algorithms are possible. MD5 collisions are much easier to generate: from wikipedia, 2^24 MD5 vs 2^63 SHA1 operations. In TLSv2 the PRF, rather than being hardcoded, can now be negotiated in much the same way as underlying ciphers in earlier versions of SSL. The initial must-implement for TLSv2 is unmixed SHA2.
However just because a hash is vulnerable to collisions does not necessarily render it insecure for all applications.
For example it is quite dangerous to use vulnerable hashes alone to verify the signature of a file because it is very feasible to alter the data in a way that maintains the original signature (by finding a collision).
In the case of the PRF (Pseudo random function) what you want to do is provide predictable output based on the knowledge of a secret that cannot be feasibly reverse engineered to obtain the input secret. In this case successful search for collisions is not as useful as in the previous case.
Finding collisions should still be concerning to any use of a hash algorithm as history has shown it can open doors to FUTURE discovery of much more significant vulnerabilities.
Personally what is most alarming about TLS to me is the previous case where MD5/SHA1 is commonly used for signature verification when checking the trust chain between root and intermediary certificates. Forging of intermediaries by generating collisions has been successfully demonstrated.
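To make the PRF construction described at the start of this answer concrete, here is an added example (not code from either answer) implementing the TLS 1.0/1.1 PRF from RFC 2246 section 5 next to the TLS 1.2 PRF from RFC 5246. The secret is split into two halves (overlapping by one byte when the length is odd); P_MD5 expands the first half and P_SHA1 expands the second, and the two streams are XORed, so an attacker would need to control both expansions at once to steer the result. TLS 1.2 drops the mix and uses one negotiable hash, SHA-256 by default. The pre-master secret and the random values at the bottom are constructed sample inputs, not values from a real handshake.

```python
import hashlib
import hmac
from typing import Tuple


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """Data expansion function P_hash from RFC 2246 / RFC 5246.

    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1))
    P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
                           HMAC_hash(secret, A(2) + seed) + ...
    The stream is truncated to `length` bytes.
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()          # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()  # next output block
    return out[:length]


def split_secret(secret: bytes) -> Tuple[bytes, bytes]:
    """Split the secret into S1 (fed to P_MD5) and S2 (fed to P_SHA1).

    RFC 2246: for an odd-length secret both halves contain the middle byte.
    """
    half = (len(secret) + 1) // 2
    return secret[:half], secret[-half:]


def prf_tls10(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 PRF: P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed)."""
    s1, s2 = split_secret(secret)
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def prf_tls12(secret: bytes, label: bytes, seed: bytes, length: int,
              hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF: a single hash chosen by the cipher suite, SHA-256 by default."""
    return p_hash(hash_name, secret, label + seed, length)


def derive_master_secret(pre_master: bytes, client_random: bytes,
                         server_random: bytes, version: str) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    seed = client_random + server_random
    if version == "1.0":
        return prf_tls10(pre_master, b"master secret", seed, 48)
    if version == "1.2":
        return prf_tls12(pre_master, b"master secret", seed, 48)
    raise ValueError("unsupported TLS version: " + version)


# Constructed sample inputs (not from a real handshake).
SAMPLE_PRE_MASTER = bytes(range(48))
SAMPLE_CLIENT_RANDOM = b"\x11" * 32
SAMPLE_SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    for v in ("1.0", "1.2"):
        ms = derive_master_secret(SAMPLE_PRE_MASTER, SAMPLE_CLIENT_RANDOM,
                                  SAMPLE_SERVER_RANDOM, v)
        print("TLS " + v + " master secret:", ms.hex())
```

The loop in `p_hash` is the same for every hash; only the digest length changes how many iterations are needed (16 bytes per block for MD5, 20 for SHA-1, 32 for SHA-256), which is why TLS 1.2 could make the hash negotiable without changing the expansion logic.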