SLOTH Attacks Up Ante on SHA-1, MD5 Deprecation

Researchers have demonstrated new collision attacks against SHA-1 and MD5 implementations in TLS, IKE and SSH.

If you’re hanging on to the theory that collision attacks against SHA-1 and MD5 aren’t yet practical, two researchers from INRIA, the French Institute for Research in Computer Science and Automation, have demonstrated new attacks that raise the urgency to move away from these broken cryptographic algorithms.

Karthikeyan Bhargavan and Gaetan Leurent recently published an academic paper, “Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH,” in which they describe a new class of transcript collision attacks against SHA-1 and MD5 as they’re implemented in protocols such as TLS, Internet Key Exchange (IKE) and Secure Shell (SSH).

“Weak hash functions continue to be used in various cryptographic constructions within mainstream protocols such as TLS, IKE, and SSH, because practitioners argue that their use in these protocols relies only on second preimage resistance, and hence is unaffected by collisions,” Bhargavan and Leurent wrote. “We systematically investigate and debunk this argument.”

Their attacks, which they dubbed SLOTH (an acronym for Security Loss due to the use of Obsolete and Truncated Hash constructions), center on the SHA-1 and MD5 implementations in TLS 1.1, 1.2 and 1.3, along with IKEv1 and v2, and SSH 2. The researchers’ attacks against both algorithms in TLS client and server authentication open the door to impersonation attacks, as well as credential forwarding if the attack targets TLS channel binding. Against IKE initiator authentication they carried out impersonation attacks, and against SHA-1 in SSH 2 and TLS 1.1 handshakes they carried out downgrade attacks.

“Our main conclusion is that the continued use of MD5 and SHA1 in mainstream cryptographic protocols significantly reduces their security and, in some cases, leads to practical attacks on key protocol mechanisms,” Bhargavan and Leurent wrote. “Furthermore, the use of truncated hashes and MACs for authenticating key exchange protocol transcripts is dangerous and should be avoided where possible.”

The researchers disclosed their findings to the TLS working group, which has already taken steps to deprecate MD5 signatures where appropriate, and to other affected parties.

“These changes impact the Firefox and Android browsers, about 31 percent of web servers, most Java application servers and their clients, and many other custom applications that use less well-known TLS libraries,” the researchers wrote, adding that they will maintain a site describing known attacks, software in the line of fire, and whether protocols and implementations have been fixed.

The researchers’ paper describes a number of attacks that require some processing muscle, leaving them in the arena of well-resourced nation-state attackers for now. One transcript collision attack against TLS server signatures using MD5 cut the effective security in half, from 128 bits to 64 bits. The security loss for other attacks against TLS authentication was worse, the researchers said, making such attacks much more practical.
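To make the halving described above, and the paper's warning about truncated hashes, concrete, here is an added toy model (not code from the paper or this article): a handshake transcript is hashed, the hash is truncated to a small number of bits, and a "signature" (an HMAC standing in for RSA/ECDSA) covers only that value. A birthday search over one free field per side then finds a client-side and a server-side transcript with the same hash in roughly 2^(bits/2) work instead of the 2^bits a second preimage would cost, and the signature over one transcript verifies the other. All transcripts, keys and field names are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

def truncated_transcript_hash(transcript: bytes, bits: int) -> int:
    # Hash the transcript, then keep only the top `bits` bits (the truncated-hash construction).
    digest = hashlib.sha256(transcript).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def sign(key: bytes, transcript: bytes, bits: int) -> bytes:
    # Stand-in for the server's signature: it covers only the truncated transcript hash.
    h = truncated_transcript_hash(transcript, bits).to_bytes(32, "big")
    return hmac.new(key, h, hashlib.sha256).digest()

def verify(key: bytes, transcript: bytes, sig: bytes, bits: int) -> bool:
    return hmac.compare_digest(sign(key, transcript, bits), sig)

def transcript_collision(client_view: bytes, server_view: bytes, bits: int,
                         max_tries: int) -> Optional[Tuple[bytes, bytes]]:
    # Birthday search: vary a free field on each side until a client-side and a
    # server-side transcript share a truncated hash. Expected cost is about 2^(bits/2).
    seen_client: Dict[int, bytes] = {}
    seen_server: Dict[int, bytes] = {}
    for i in range(max_tries):
        fill = i.to_bytes(8, "big")  # the attacker-controlled free field (constructed)
        c, s = client_view + fill, server_view + fill
        hc = truncated_transcript_hash(c, bits)
        hs = truncated_transcript_hash(s, bits)
        if hc == hs:
            return c, s
        if hc in seen_server:
            return c, seen_server[hc]
        if hs in seen_client:
            return seen_client[hs], s
        seen_client[hc] = c
        seen_server[hs] = s
    return None

def work_factor(bits: int) -> Tuple[int, int]:
    # (second-preimage work, collision work) in hash evaluations for a `bits`-bit hash.
    return 2 ** bits, 2 ** (bits // 2)

def demo(bits: int = 32, tries: int = 2 ** 19) -> bool:
    # The server signs its own transcript; does that signature also verify the client's view?
    pair = transcript_collision(b"client-view|", b"server-view|", bits, tries)
    if pair is None:
        return False
    client_t, server_t = pair
    key = b"constructed-signing-key"
    return client_t != server_t and verify(key, client_t, sign(key, server_t, bits), bits)
```

With a 32-bit truncation the search needs on the order of 2^16 hashes per side, which is why `work_factor(128)` reports 2^64 collision work against 2^128 for a second preimage.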

“In all cases, the complexity of our transcript collision attacks are significantly lower than the estimated work for a second preimage attack on the underlying hash function. This definitively settles the debate on whether the security of mainstream cryptographic protocols depend on collision resistance,” the researchers wrote. “The answer is yes, cryptographers were right. Except in rare cases, mainstream protocols do require collision resistance for protection against man-in-the-middle transcript collision attacks. Consequently, we strongly recommend that weak hash functions like MD5 and SHA-1 should not just be deprecated; they should be forcefully disabled in existing protocols.”
