SLOTH attack can break down secure traffic in one hour

Jan 7, 2016 14:25 GMT

Cryptography is having a bad week, and after details of the HTTPS Bicycle Attack surfaced a few days ago, a new attack type called SLOTH has weakened trust in encryption even more.

Presented at the Real World Cryptography Conference in Stanford, USA, the SLOTH attack can weaken the protection offered by various protocols like TLS, SSH, and IPsec.

The issue resides in our old friends MD5 and SHA-1, two algorithms that have seen better days. MD5 was cracked for the first time in 2004 while SHA-1, at least in theory, was cracked this past fall.

While higher-order security protocols like TLS (on which HTTPS relies), SSH, and IPsec are considered to be secure alternatives for HTTP, Telnet, and IP, two security researchers from INRIA (French Institute for Research in Computer Science and Automation) have discovered that these protocols heavily rely on MD5 and SHA-1 for some of their constituent parts.

MD5 and SHA-1 have no place in modern-day security protocols

The attack's name, SLOTH, or Security Losses from Obsolete and Truncated Transcript Hashes, is a slap in the face for all the infosec dum-dums who, for all these years, have allowed the weaker MD5 and SHA-1 algorithms to underpin some of the world's top security protocols.

In their research paper, the two researchers, Karthikeyan Bhargavan and Gaëtan Leurent, present a new transcript collision attack that targets the parts of the aforementioned security protocols where MD5 is used.

In their tests, the two were able to cut the security of a server's signature from 128 bits to 64 bits. All of this was done in three hours on a 48-core workstation, but on a second try, after optimizing their calculations, the researchers managed to cut the time down to one hour.

"The security losses for other mechanisms such as TLS client authentication are even more dramatic, leading to practical attacks on real-world clients and servers," explain the researchers in a blog post.
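For defenders who want to check whether a TLS 1.2 peer still offers MD5 or SHA-1 based signatures, the following is an added example, not code from the article or from the researchers. It assumes the TLS 1.2 SignatureAndHashAlgorithm code points from RFC 5246; the function names and the sample bytes are constructed for illustration.

```python
import struct

# TLS 1.2 SignatureAndHashAlgorithm code points (RFC 5246, section 7.4.1.4.1).
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
          4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
WEAK_HASHES = {"md5", "sha1"}


def parse_signature_algorithms(ext_data: bytes):
    """Parse the body of a signature_algorithms extension.

    Layout: 2-byte big-endian list length, then (hash, signature) byte pairs.
    Returns a list of (hash_name, signature_name) tuples in offer order.
    """
    if len(ext_data) < 2:
        raise ValueError("extension body shorter than its length field")
    (length,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if length != len(body) or length % 2:
        raise ValueError("length field does not match an even-sized list")
    pairs = []
    for i in range(0, length, 2):
        h, s = body[i], body[i + 1]
        # Unknown values are reported rather than dropped (TLS 1.3 reuses
        # this extension with different two-byte scheme identifiers).
        pairs.append((HASHES.get(h, f"unknown(0x{h:02x})"),
                      SIGS.get(s, f"unknown(0x{s:02x})")))
    return pairs


def weak_offers(ext_data: bytes):
    """Return the offered algorithms whose hash is MD5 or SHA-1."""
    return [f"{sig}-{h}" for h, sig in parse_signature_algorithms(ext_data)
            if h in WEAK_HASHES]


# Constructed sample: rsa-sha256, ecdsa-sha256, rsa-sha1, rsa-md5, rsa-sha512.
SAMPLE = bytes.fromhex("000a" "0401" "0403" "0201" "0101" "0601")

if __name__ == "__main__":
    for name in weak_offers(SAMPLE):
        print("weak signature algorithm offered:", name)
```

The extension body can be taken from a captured ClientHello; the same pair encoding is used in the list a TLS 1.2 server sends in its CertificateRequest.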

As with many other cases in the past, a secure product is as secure as the technology and people behind it allow it to be.