SLOTH, attack on TLS using MD5
Last Updated: 2016-01-08 20:59:54 UTC
by Mark Hofman (Version: 1)
Giving a talk late last year I was asked what some of my predictions were for 2016. One of the ones we talked about was further issues with TLS and the various algorithms used to provide a protocol that lies at the heart of e-commerce. Well looks like I got my wish, although you could argue that it was last year as a 2015 CVE number was assigned, however made public this week. (Thanks Rich for the heads up)
Two researchers at miTLS (www.mitls.org, Karthikeyan Bhargavan, Gaëtan Leurent) have been working away at looking at issues with the protocol and have identified a challenge with TLS 1.2, if it still uses MD5 (https://www.mitls.org/pages/attacks/SLOTH#introduction). Their attack dubbed SLOTH has identified a weakness that if RSA-MD5, or ECDSA-MD5 if used it significantly weakens the protocol and allows impersonation, credential forwarding and downgrade attacks. Unlike your more traditional MitM attacks this would not provide users with a warning. Currently, reading in the paper, real time attacks are not practical, but it is just a matter of having a large enough computer.
The core of the issue is again MD5. Back in 2005 it was shown that collisions were possible and yet for core security functions we still use it (think IPSec, TLS, ...). This research has convinced the TLS working party to remove MD5 from TLS 1.3. The recommendation is to consider removing RSA-MD5 and ECDSA-MD5 from your allowed algorithms stack for your web servers. OpenSSL RHEL and others have release updates to address this issue.
For the details have a read of the paper here.
Mark H - Shearwater