Jump to content


SLOTH attack targets old hash functions

attack hash old news

  • Please log in to reply
1 reply to this topic

#1 combactfighter



  • New Members
  • Pip
  • 1 posts

Posted 27 January 2016 - 02:55 PM

SLOTH attack targets old hash functions


Researchers from the Prosecco team at INRIA published a number of attacks that exploit the use of weak hash functions in TLS and other protocols. They called their attack SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes). The most severe attack is affecting the systems that use of client certificates and continue to support RSA-MD5 signatures.

It’s been known since 2005 that MD5 hash collisions are easy to carry out. Many practitioners have argued in the past that the hash collisions don’t matter in certain scenarios and that the security of many protocols only relies on the so-called second preimage resistance. The INRIA researchers debunked many of these claims with their new publication.

The most notable scenario where an attack is possible is when client certificates are used. If a user authenticates himself at a malicious server using a client that supports RSA-MD5 signatures, then the server can use the information provided to impersonate the user on some other target server (which must also support RSA-MD5).

A surprising aspect of this is that TLS 1.2 is vulnerable to this attack while prior versions are not. The reason for this is that TLS 1.2 allows negotiation of the signature algorithm (prior versions always use a concatenation of MD5 and SHA1) and, crucially, still supports the insecure MD5 as an option. This is very surprising given the fact that TLS 1.2 was published in 2008—several years after practical attacks against MD5 were announced.

This attack is made worse by the fact that various implementations accept RSA-MD5 signatures even if they advertise that they don’t do this. Several cryptographic libraries have received updates in response to this research, including NSS, GnuTLS, BouncyCastle and mbedTLS. An old version of OpenSSL (before 1.0.1f) was also affected.

#2 zhang888


    Donald Trump of IT/Security

  • Moderators
  • 2205 posts

Posted 28 January 2016 - 01:12 AM

Nice to see that LibreSSL was again not vulnerable to latest discovered methods.


Btw, a reference for all previous SSL/TLS attacks with nice docs and details can be found here:



Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Servers online. Online Sessions: 15045 - BW: 52445 Mbit/sYour IP: Access.