> So here are the things mentioned in the paper:
> 1) Some things that were believed to require preimage resistance
> need collision resistance. This by itself reduces the security bits
> of the hashes by a factor of 2. Assuming MD5 and SHA1 didn't have
> any problem with collision resistance, it would be reduced from
> 128 and 160 bits to 64 and 80. But they do have a problem with
> collision resistance, and so it's worse, especially for MD5.
> 2) Some implementations support MD5-based signatures in TLS 1.2.
> 3) Some implementations accept MD5-based signatures in TLS 1.2
> while it would appear they didn't.
>
> SLOTH really is just about 1). It says that you should stop using
> MD5 and really look at stopping the use of SHA1. And so 2) and 3) are
> just 2 cases where MD5 is used.
>
> But just fixing 2) and 3) is just fixing the problem with MD5,
> while we should also look at stopping SHA1. TLS 1.0 and 1.1 use
> MD5 + SHA1, so while those are enabled we're stuck at the level of
> SHA1.

Forgive my ignorance... Aren't these two different applications of the hash? The latter, TLS 1.0 and 1.1, is approved when they are used as the PRF. Is the PRF in danger? (I only skimmed the paper, but I did not get the impression the PRF was in jeopardy.)

Jeff
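For reference, this is the TLS 1.0/1.1 PRF construction the thread is talking about (RFC 2246, section 5), written out as an added example that is not part of the thread: the secret is split in half, the first half feeds an HMAC-MD5 expansion and the second an HMAC-SHA1 expansion, and the two outputs are XORed. The secret, label and seed values below are constructed for illustration only.

```python
import hmac


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash expansion from RFC 2246: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 PRF: P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed).

    S1 is the first ceil(len/2) bytes of the secret and S2 the last ceil(len/2)
    bytes, so for an odd-length secret the middle byte belongs to both halves.
    Both hashes are used only inside HMAC here, which is the point the thread
    raises when it asks whether the PRF use differs from the signature use."""
    half = (len(secret) + 1) // 2
    s1 = secret[:half]
    s2 = secret[len(secret) - half:]
    label_seed = label + seed
    md5_part = p_hash("md5", s1, label_seed, length)
    sha1_part = p_hash("sha1", s2, label_seed, length)
    return xor_bytes(md5_part, sha1_part)


if __name__ == "__main__":
    # Constructed sample inputs (not a standard test vector).
    master_secret = bytes(range(48))
    key_block = tls10_prf(master_secret, b"key expansion", b"\x00" * 64, 104)
    print(key_block.hex())
```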