Working with an idea for an F2F network application, I've just been reading up on secure communication. I quickly settled on the idea of using TLS/SSL as the basis of any communication, because it employs public-key encryption at the protocol level and is thus perfect for my needs. However, I was surprised to read (on Wikipedia) that TLS, the latest version of SSLv3, uses a mix of MD5 and SHA-1 "because if a vulnerability is found in one of these, then the second will prevent it from compromising SSLv3". However, as I take it, both have recently been found to be flawed!
So my questions are as follows:
Doesn't this mean that SSLv3 is basically flawed, or am I not looking at this closely enough?
And if so, is there a "safe" alternative to SSLv3?
The PRF used in TLSv1 and all previous SSL versions uses an XOR of MD5 and SHA1. Collisions against both hash algorithms are possible. MD5 collisions are very easy to generate: 2^24 MD5 operations versus 2^63 SHA1 operations, according to Wikipedia. In TLSv2, instead of being hardcoded, the PRF can now be negotiated in the same way as the ciphers built into earlier versions of SSL. Initial implementations of TLSv2 are required to implement SHA2.
However, just because a hash is insecure against collisions, it is not necessarily unsafe for all applications. For example, it is quite dangerous to use a weak hash alone to verify the signature of a file, because it is very possible to change the data in a way that keeps the original signature (by finding a collision).
In the case of a PRF (pseudo-random function), you produce predictable output based on knowledge of a secret, and that output cannot be reversed to obtain the input secret. Successful discovery of a collision in this case is not as useful as in the previous case.
History has shown that the discovery of collisions should still be a concern for any use of a hash algorithm, as it can open the door to future discoveries of more important vulnerabilities.
What worries me most about TLS personally is the latter case, where MD5/SHA1 is commonly used for signature verification when checking the chain of trust between the root and intermediary certificates. Construction of intermediaries has been successfully demonstrated by creating collisions.