
Many browsers and Internet companies have recently claimed that SSL Certificates with a signature algorithm of SHA1 will imminently no longer be considered secure, most notably Google and Google Chrome.

Yet I've read that, since the SSL/TLS negotiation and Cipher Suite don't make use of plain SHA1 (or even MD5) and instead use SHA1 within an HMAC, using a Cipher Suite with SHA1 is still an acceptable security practice.

Is this the case?

While we're on it, is that also the case when using MD5 in a cipher suite?

Eddie

1 Answer


The main thing that makes HMAC secure in typical use even with MD5 is that it is used with a secret key. That means only preimage attacks are really relevant, since finding a collision is always an online attack if you don't know the key. With known attacks the preimage resistance of both MD5 and SHA-1 is > 100 bits. Additionally, HMAC may be secure even with some insecure hash functions.

However, not all cipher suites just use HMAC for message authentication. Older SSL cipher suites (before SSLv3) use plain hash functions for that. Hash functions are also used in many suites as message digests for public key signatures. Is that secure?

Well, yes. Probably. Again, only preimage attacks should apply to the ways they are used in SSL/TLS. A collision attack would require generating a large number of messages to find a pair with equal hash values. That is only a concern whenever the attacker can both predict the data to be signed and influence some of it. E.g., signatures are used for key exchange, where they are used to sign random keys, which the attacker cannot know, much less influence.

Still, attacks only get better. Where using more modern algorithms is possible, you should do that.

otus
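To make the answer's point concrete, here is an added example (not part of the answer above) of how the `_SHA` and `_MD5` cipher suites of TLS 1.0-1.2 apply HMAC to each record: the secret MAC key and the implicit sequence number are part of the MAC input, so a third party can neither check candidate collisions offline nor replay a record. The MAC key, fragment and sequence numbers are constructed values, not from any real session.

```python
import hmac
import struct

# TLS 1.0-1.2 record-layer MAC input (RFC 5246 section 6.2.3.1):
#   seq_num (8 bytes) || type (1) || version (2) || length (2) || fragment
# The sequence number is never sent but is covered by the MAC, which is
# what defeats replay and reordering of records.
def tls_mac_input(seq_num: int, content_type: int, version: tuple, fragment: bytes) -> bytes:
    major, minor = version
    return struct.pack("!QBBBH", seq_num, content_type, major, minor, len(fragment)) + fragment


def record_mac(mac_key: bytes, seq_num: int, content_type: int, version: tuple,
               fragment: bytes, digest: str = "sha1") -> bytes:
    """HMAC over the record, as the *_SHA (or *_MD5) cipher suites compute it."""
    return hmac.new(mac_key, tls_mac_input(seq_num, content_type, version, fragment), digest).digest()


def verify_record(mac_key: bytes, seq_num: int, content_type: int, version: tuple,
                  fragment: bytes, tag: bytes, digest: str = "sha1") -> bool:
    """Receiver-side check; constant-time compare avoids leaking the tag byte by byte."""
    expected = record_mac(mac_key, seq_num, content_type, version, fragment, digest)
    return hmac.compare_digest(expected, tag)


# Constructed values (hypothetical MAC write key and plaintext, not from a real session).
MAC_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c")  # 20-byte HMAC-SHA1 key
APPLICATION_DATA = 23   # ContentType.application_data
TLS12 = (3, 3)          # ProtocolVersion {3, 3}
FRAGMENT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"


def demo() -> dict:
    """Show what the keyed MAC does and does not let a third party do."""
    tag = record_mac(MAC_KEY, 0, APPLICATION_DATA, TLS12, FRAGMENT)
    one_bit_flipped = bytes([FRAGMENT[0] ^ 0x01]) + FRAGMENT[1:]
    return {
        "genuine": verify_record(MAC_KEY, 0, APPLICATION_DATA, TLS12, FRAGMENT, tag),
        # Finding another fragment with this tag is a (second-)preimage problem, not a collision.
        "tampered": verify_record(MAC_KEY, 0, APPLICATION_DATA, TLS12, one_bit_flipped, tag),
        # Same bytes re-sent as record 1: the implicit sequence number changes the MAC input.
        "replayed": verify_record(MAC_KEY, 1, APPLICATION_DATA, TLS12, FRAGMENT, tag),
        # Without the key, even a hash collision found offline cannot be confirmed offline.
        "wrong_key": verify_record(b"\x00" * 20, 0, APPLICATION_DATA, TLS12, FRAGMENT, tag),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'tampered': False, 'replayed': False, 'wrong_key': False}
```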