SLOTH attacks weaken secure protocols because they still use MD5 and SHA-1

Researchers Karthikeyan Bhargavan and Gaëtan Leurent from INRIA, the French national research institute for computer science, have discovered a new class of transcript collision attacks that can be leveraged against (supposedly secure) mainstream protocols such as TLS, IKE, and SSH.

They dubbed the attacks SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes), partly as a reference “to laziness in the protocol design community with regard to removing legacy cryptographic constructions.”

The laziness they refer to is the fact that, despite MD5 and SHA-1 hashing algorithms having been found to be vulnerable to collision attacks, they are still used in protocols like TLS.

In the technical paper the researchers published, they demonstrated credential-forwarding attacks on TLS 1.2 client authentication, TLS 1.3 server authentication, and TLS channel bindings, and described impersonation and downgrade attacks in TLS 1.1, IKEv2 and SSH-2 that, if not currently possible, still point to the fact that the security users depend on when using these protocols is not that strong as expected.

These attacks rely directly on the exploitation of the weak hashing algorithms.

If the paper is too technical for you, the researchers have also published a shortened, easier-to-understand summary of their findings and descriptions of their attacks. They have also included a list of currently affected software.

“We hope that these attacks will encourage the protocol community to proactively remove known-weak constructions, rather than waiting for concrete attacks to make it necessary,” they noted. “Partly as a consequence of this work, the TLS working group has decided to remove RSA-MD5 signatures and truncated handshake hashes from TLS 1.3.”

They also pointed out that it would be a great idea for weak hash functions like MD5 and SHA-1 to be disabled in all existing protocols.