It’s a week into 2016 and already we are facing new issues relating to SSL/TLS and its troubled past. The new attack, called SLOTH, stands for “Security Losses from Obsolete and Truncated Transcript Hashes”.
The attack, detailed here: http://www.mitls.org/downloads/transcript-collisions.pdf, is based on the outdated and practically breakable MD5 hash function, which is still used in parts of the Internet and can be turned against the very security it is meant to protect. MD5 has been known to be broken for collisions for over a decade, so it is no surprise that vulnerabilities relying on it are still being found.
In the paper, researchers from the French research institute INRIA note that while MD5 (like its successor SHA-1) is being phased out slowly, both continue to be used in “mainstream protocols” like TLS, IKE, and SSH.
How does the SLOTH attack work?
The researchers say that their attacks exploit how the MD5 and SHA-1 hash functions are used within TLS 1.1, 1.2 and 1.3 (then still a draft), along with IKEv1 and v2, and SSH 2.
The attacks target the hashes over which TLS client and server authentication signatures are computed: an attacker who can find two handshake transcripts with the same hash (a transcript collision) can get a signature made over one transcript accepted for the other, which opens the door to impersonation. When the attack targets TLS channel binding (tls-unique), it may also allow credential forwarding.
As if that were not bad enough, against IKE initiator authentication the researchers were able to carry out impersonation attacks, and they also demonstrated downgrade attacks against SHA-1 in SSH 2 and TLS 1.1 handshakes.
The researchers, Bhargavan and Leurent said “Our main conclusion is that the continued use of MD5 and SHA1 in mainstream cryptographic protocols significantly reduces their security and, in some cases, leads to practical attacks on key protocol mechanisms.”
“Furthermore, the use of truncated hashes and MACs for authenticating key exchange protocol transcripts is dangerous and should be avoided where possible.”
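To make the transcript-collision mechanism and the warning about truncated hashes concrete, here is an added example in Python; it is written for this page and is not code from the SLOTH paper or from the miTLS project. It models a handshake in which one party signs a truncated hash of the transcript and a man-in-the-middle controls one filler field in each of the two transcripts it relays. A generic birthday search finds two different transcripts with the same truncated hash, so the signature the honest server produces over its own transcript verifies over the forged one the attacker shows the client. The transcript layout, the 32-bit truncation and the HMAC standing in for the server's RSA signature are all assumptions chosen so the search finishes in well under a second; the same generic search against full 128-bit MD5 costs about 2^64 operations, which is the “128 bits to 64 bits” loss the researchers quote.

```python
"""Toy transcript-collision demo (added example, not from the SLOTH paper)."""
from __future__ import annotations

import hashlib
import hmac

TRUNC_BYTES = 4  # assumption: 32-bit transcript hash so the search is instant (MD5 is 16 bytes)


def transcript_hash(transcript: bytes) -> bytes:
    """Hash the transcript and keep only the first TRUNC_BYTES bytes (a truncated hash)."""
    return hashlib.md5(transcript).digest()[:TRUNC_BYTES]


def birthday_bits(hash_bits: int) -> int:
    """Generic collision cost for an n-bit hash is about 2^(n/2): 128-bit MD5 -> 64 bits."""
    return hash_bits // 2


def find_transcript_collision(prefix_a: bytes, prefix_b: bytes,
                              suffix: bytes = b"") -> tuple[bytes, bytes]:
    """Birthday search for fillers fa, fb such that
    transcript_hash(prefix_a + fa + suffix) == transcript_hash(prefix_b + fb + suffix).
    Returns the two colliding transcripts. The search needs nothing from the
    hash function except a short output, which is why truncating a transcript
    hash (or MAC) throws away security no matter how strong the hash is."""
    seen_a: dict[bytes, bytes] = {}  # truncated hash -> filler, for prefix_a transcripts
    seen_b: dict[bytes, bytes] = {}  # truncated hash -> filler, for prefix_b transcripts
    limit = 1 << (8 * TRUNC_BYTES)
    for counter in range(limit):
        filler = counter.to_bytes(8, "big")
        ta = prefix_a + filler + suffix
        tb = prefix_b + filler + suffix
        ha = transcript_hash(ta)
        hb = transcript_hash(tb)
        if ha == hb:
            return ta, tb
        if ha in seen_b:
            return ta, prefix_b + seen_b[ha] + suffix
        if hb in seen_a:
            return prefix_a + seen_a[hb] + suffix, tb
        seen_a[ha] = filler
        seen_b[hb] = filler
    raise RuntimeError("no cross-collision found within the search limit")


def sign_transcript(key: bytes, transcript: bytes) -> bytes:
    """Stand-in for the server's signature: HMAC over the truncated transcript hash.
    A real TLS server would RSA-sign the hash; the weakness is identical because
    the signature only ever sees the (short) hash, not the transcript itself."""
    return hmac.new(key, transcript_hash(transcript), hashlib.sha256).digest()


def verify_transcript(key: bytes, transcript: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_transcript(key, transcript), sig)


def demo() -> dict:
    """Run the man-in-the-middle scenario on constructed sample transcripts."""
    # Constructed transcripts: the attacker relays one handshake to the server
    # (with its own Diffie-Hellman share) and another to the client (with a
    # different share). Only the filler after "pad=" is attacker-chosen.
    server_view = b"ClientHello:random=AAAA|ServerHello|DH=attacker_share_to_server|pad="
    client_view = b"ClientHello:random=BBBB|ServerHello|DH=attacker_share_to_client|pad="
    ta, tb = find_transcript_collision(server_view, client_view)
    key = b"server-signing-key"        # constructed; stands in for the server's private key
    sig = sign_transcript(key, ta)     # the honest server signs the transcript it saw
    return {
        "transcripts_differ": ta != tb,
        "hashes_equal": transcript_hash(ta) == transcript_hash(tb),
        "sig_verifies_on_forged": verify_transcript(key, tb, sig),  # client accepts it
        "md5_effective_bits": birthday_bits(128),
    }


if __name__ == "__main__":
    print(demo())
```

The defence follows directly from the search: it costs about 2^(n/2) work for an n-bit hash regardless of the algorithm, so a transcript hash or MAC must be both collision-resistant and kept at full length. With a 32-bit truncation the demo needs roughly 65,000 hash evaluations; with MD5's full 128 bits the generic bound is 2^64, and MD5's known collision weaknesses push the real cost lower still.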
Since the researchers disclosed their findings to the TLS working group and other affected parties, steps have been taken to further deprecate MD5 signatures where appropriate.
What is affected?
So far, SLOTH has been found to affect the Firefox and Android browsers as well as around 31% of the web servers on the Internet, because these products are built on TLS libraries that are less well-known or less frequently updated and still accept MD5-based signatures in the handshake.
The researchers describe a number of attacks in their paper and note that some require a great deal of processing power, which puts them within reach mainly of well-resourced (for example state-sponsored) attackers. They continue: “One transcript collision attack against TLS server signatures using MD5 cut the effective security in half from 128 bits to 64 bits. The security loss for other attacks against TLS authentication was worse.”
How to stay safe?
How do we get around this and ensure that we are not exposed to SLOTH? Ensure that all of your certificates and SSL/TLS infrastructure are up to date, including every application and library that uses TLS, IKE or SSH; the vendors' fixes for SLOTH consist of removing MD5 from the signature algorithms accepted in the handshake. Note that the attack targets the hashes used for handshake signatures, not the hash in a certificate's signature, so a SHA-256 certificate alone does not protect you. Anything that still uses old, weak hash functions like MD5 and SHA-1 for handshake signatures should not just be deprecated; it should be forcibly disabled in existing protocols.