[gnutls-devel] moving out from SHA1

Tim Ruehsen tim.ruehsen at gmx.de
Fri Feb 24 11:17:40 CET 2017


On Friday, February 24, 2017 10:23:31 AM CET Nikos Mavrogiannopoulos wrote:
> Hi,
>  Given the first found collision for SHA1, I think it is time to plan
> removing it from the trusted set. I do not believe we can do that
> today in existing releases, as there is simply too much stuff relying
> on SHA1. Even for the web PKI, where the transition from SHA1 was already
> in place, major sites like amazon.com today provide an OCSP response
> signed with RSA-SHA1.
> 
> So what I propose is to remove sha1 from the trusted set in gnutls 3.6.0
> (to be released the second half of this year). That release will
> forbid SHA1 from any operation unless special flags to indicate that
> broken algorithms are allowed are set. My intention is not to
> introduce a new flag to allow SHA1, but to utilize the catch-all allow
> broken algorithms flag.
> 
> In 3.5.x we forbid SHA1 for certificate verification in TLS, for the
> NORMAL and above levels, in one of the next few releases (3.5.10 or
> 3.5.11), but still allow it for TLS handshake signatures. That is, we
> take advantage of the verification PROFILEs associated with a priority
> string keyword, and even though SHA1 is in general acceptable, it will
> be refused for certificate verification. At the same time it will
> allow applications which rely on SHA1 to continue to function, as well as
> connections to old servers which use TLS signatures with SHA1 (maybe
> even treat OCSP differently to avoid breaking examples like amazon as
> above).
> 
> 6 months to a year later port that to the 3.3.x branch.
> 
> What do you think?

Thanks, that sounds like a reasonable plan :-)

After reading about the collision yesterday, I already thought about impacts 
on the hopefully-soon-to-be-released wget2.

Just from what I read / understood, there is no need to hurry (?):
They said it needed "thousands of CPU years" to generate the collision.
A very rough calculation of the costs:
- $0.01 per GFLOPS-hour from [1]
- 8760 hours per year
- 3000 CPU years
- assuming 50 GFLOPS per CPU
- 3000 * 8760 * 50 GFLOPS-hours
- 3000 * 8760 * 50 * $0.01 = $13,140,000 !!!

Even when assuming 10x lower costs per GFLOPS-hour, it's pretty expensive to 
generate one collision. Or did I misunderstand/misread something basic?

[1] http://aiimpacts.org/current-flops-prices/

Regards, Tim