FWIW my nit was simply that algorithms aren’t getting weaker: attacks are getting stronger. Sorry if I worded the suggested text badly.

> On Nov 1, 2020, at 13:09, Benjamin Kaduk <kaduk@xxxxxxx> wrote:
>
> Hi Ted,
>
> Thanks for the review, especially for thinking about the point that Éric
> requested.
>
> I don't really agree with your nit, though, as there have been improved
> cryptanalysis and correspondingly improved cryptographic attacks on both
> algorithms over time (SHA1 more recently than MD5). Increased
> computational power to take advantage of those cryptographic weaknesses is
> certainly a factor in moving to deprecate the vulnerable algorithms, but it
> is not the only factor.
>
> -Ben
>
>> On Wed, Oct 28, 2020 at 08:56:13AM -0700, Ted Lemon via Datatracker wrote:
>> Reviewer: Ted Lemon
>> Review result: Ready with Nits
>>
>> This document is ready for publication, with one minor nit, which is included
>> at the end.
>>
>> Éric additionally made the following request:
>> As those hash algorithms were 'cheap' for TLS, I would appreciate a review of
>> the impact if those algorithms are deprecated in TLS 1.2.
>>
>> I am not in a position to do any practical tests, but I will point out several
>> things. First, deprecating MD5 is not going to cause a performance problem
>> because it's slower than SHA1, so we really only need to worry about whether
>> deprecating SHA1 will cause a problem. This document only deprecates SHA1 for
>> use in digital signatures. It "does not deprecate SHA-1 in HMAC for record
>> protection." Given the way TLS uses digital signatures, this should not be a
>> serious concern. At worst case, SHA256 is about 24% slower than SHA1. Best case
>> (shorter text) it is less than 16% slower. It's reasonable to expect that in
>> common use in TLS, the texts being digested will be shorter, not longer.
>> Further, the bulk of the computational burden of TLS is not in the generation
>> of digests for digital signatures. Therefore it seems reasonable to expect that
>> the performance impact of this change is vastly overshadowed by one of the very
>> factors that motivates it: the increased speed of hash computation over time.
>> Even assuming constant speed legacy hardware, the performance impact is not
>> sufficient to cause concern when considering it as part of the total system
>> that would be using TLS 1.2.
>>
>> Nit:
>>
>> In the abstract:
>> The MD5 and SHA-1 hashing algorithms are steadily weakening in
>> strength and their deprecation process should begin for their use in
>> TLS 1.2 digital signatures.
>>
>> Technically, the strength of these algorithms hasn't changed. What's changed is
>> that their strength is no longer sufficient to prevent realistic attacks. So it
>> might be better to say something like "The vulnerability of MD5 and SHA-1
>> algorithms to practical attacks is steadily increasing and ..."