Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH

Abstract : In response to high-profile attacks that exploit hash function collisions, software vendors have started to phase out the use of MD5 and SHA-1 in third-party digital signature applications such as X.509 certificates. However, weak hash constructions continue to be used in various cryptographic constructions within mainstream protocols such as TLS, IKE, and SSH, because practitioners argue that their use in these protocols relies only on second preimage resistance, and hence is unaffected by collisions. This paper systematically investigates and debunks this argument. We identify a new class of transcript collision attacks on key exchange protocols that rely on efficient collision-finding algorithms on the underlying hash constructions. We implement and demonstrate concrete credential-forwarding attacks on TLS 1.2 client authentication, TLS 1.3 server authentication, and TLS channel bindings. We describe almost-practical impersonation and downgrade attacks in TLS 1.1, IKEv2 and SSH-2. As far as we know, these are the first collision-based attacks on the cryptographic constructions used in these popular protocols. Our practical attacks on TLS were responsibly disclosed (under the name SLOTH) and have resulted in security updates to several TLS libraries. Our analysis demonstrates the urgent need for disabling all uses of weak hash functions in mainstream protocols, and our recommendations have been incorporated in the upcoming Token Binding and TLS 1.3 protocols.
Type de document :
Communication dans un congrès
Network and Distributed System Security Symposium -- NDSS 2016, Feb 2016, San Diego, United States. 〈10.14722/ndss.2016.23418〉
Liste complète des métadonnées

Littérature citée [37 références]  Voir  Masquer  Télécharger

https://hal.inria.fr/hal-01244855
Contributeur : Gaëtan Leurent <>
Soumis le : mardi 29 mars 2016 - 10:48:47
Dernière modification le : jeudi 26 avril 2018 - 10:28:27
Document(s) archivé(s) le : lundi 14 novembre 2016 - 07:34:29

Fichier

SLOTH_NDSS16.pdf
Fichiers produits par l'(les) auteur(s)

Identifiants

Collections

Citation

Karthikeyan Bhargavan, Gaëtan Leurent. Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH. Network and Distributed System Security Symposium -- NDSS 2016, Feb 2016, San Diego, United States. 〈10.14722/ndss.2016.23418〉. 〈hal-01244855〉

Partager

Métriques

Consultations de la notice

520

Téléchargements de fichiers

457