The sloth is coming! Quick, get MD5 out of our internet protocols
Researchers point to lingering hash function
The outdated and crackable MD5 hash function is still lingering in critical parts of the internet's infrastructure and could undermine security, researchers have warned.
In a paper [PDF] published in time for a cryptography conference in Silicon Valley this week, the authors from French research institute INRIA note that while MD5 (and its successor SHA1) are being phased out, they continue to be used in "mainstream protocols" like TLS, IKE, and SSH.
This is not exactly news, but the assumption has always been that its continued use doesn't compromise security due to "pre-image resistance," meaning it would require far too much computational power to crack. The paper argues this isn't true and you could crack a code in an hour (given a powerful server) and use it to impersonate an end user – i.e., break into a system.
The researchers have come up with a name for this: SLOTH or Security Losses from Obsolete and Truncated Transcript Hashes. Why "sloth"? Because it is "a not-so-subtle reference to laziness in the protocol design community with regard to removing legacy cryptographic constructions." MD5 signatures have been acknowledged as flawed for over a decade.
In a related blog post, authors Karthikeyan Bhargavan and Gaëtan Leurent claimed to have identified "a new class of transcript collision attacks" that would "significantly reduce" the security of the critical TLS and SSH protocols.
The paper provides extensive details of two possible attacks: one on TLS 1.2 client authentication, and one on the "tls-unique channel binding" used in a number of authentication protocols such as Token Binding, FIDO, and SCRAM.
One example given is a TLS server using a 3072-bit RSA key and SHA-256 as a hash algorithm. Expected security of server signatures would be 128 bits, but the paper describes how that could be halved to 64 bits. This is still significant and difficult to crack, but brings it into the realm of possibility. The authors say that the situation is much worse for other scenarios "leading to practical attacks on real-world clients and servers."
They even created a proof of concept demo between a standard Java TLS client and a Java TLS server. Using a workstation with 48 cores, they were able to crack the connection in one hour – something they claim "can be significantly reduced" with custom hardware.
To be used practically – to be able to impersonate an end user and get into a corporate intranet or a bank account – the end user would have to visit a website controlled by an attacker and authenticate themselves. While this makes it difficult, it does mean that a sophisticated phishing attack could bypass other security measures.
The researchers' overall point: it's time to pull MD5 out of everything.
On a related note, crypto veteran David Chaum is due to speak at the Real World Cryptography Conference in Stanford later this afternoon about a new encryption scheme he is calling PrivaTegrity that is aimed at improving online privacy.
In a nutshell, he claims it will provide better-than-Tor anonymity at faster speeds, and that means it could be incorporated into smartphone apps without causing painful delays.
The system is still in alpha but the plan is to develop it first as a messaging app and then expand it to include photos, videos and so on. It will be interesting to see how it develops. ®