| rfc8996v3.txt | rfc8996.txt | |||
|---|---|---|---|---|
| skipping to change at line 263 | skipping to change at line 263 | |||
| | Key Derivation Function (HKDF) [37], and the removal of cipher | | Key Derivation Function (HKDF) [37], and the removal of cipher | |||
| | suites that use RSA key transport or static Diffie-Hellman ( DH) | | suites that use RSA key transport or static Diffie-Hellman ( DH) | |||
| | [sic] key exchanges, the CBC mode of operation, or SHA-1. Many | | [sic] key exchanges, the CBC mode of operation, or SHA-1. Many | |||
| | extensions defined for use with TLS 1.2 and previous versions | | extensions defined for use with TLS 1.2 and previous versions | |||
| | cannot be used with TLS 1.3. | | cannot be used with TLS 1.3. | |||
| 3. SHA-1 Usage Problematic in TLS 1.0 and TLS 1.1 | 3. SHA-1 Usage Problematic in TLS 1.0 and TLS 1.1 | |||
| The integrity of both TLS 1.0 and TLS 1.1 depends on a running SHA-1 | The integrity of both TLS 1.0 and TLS 1.1 depends on a running SHA-1 | |||
| hash of the exchanged messages. This makes it possible to perform a | hash of the exchanged messages. This makes it possible to perform a | |||
| downgrade attack on the handshake by an attacker able to perform | downgrade attack on the handshake by an attacker able to perform 2^77 | |||
| 2^(77) operations, well below the acceptable modern security margin. | operations, well below the acceptable modern security margin. | |||
| Similarly, the authentication of the handshake depends on signatures | Similarly, the authentication of the handshake depends on signatures | |||
| made using a SHA-1 hash or a concatenation of MD5 and SHA-1 hashes | made using a SHA-1 hash or a concatenation of MD5 and SHA-1 hashes | |||
| that is not appreciably stronger than a SHA-1 hash, allowing the | that is not appreciably stronger than a SHA-1 hash, allowing the | |||
| attacker to impersonate a server when it is able to break the | attacker to impersonate a server when it is able to break the | |||
| severely weakened SHA-1 hash. | severely weakened SHA-1 hash. | |||
| Neither TLS 1.0 nor TLS 1.1 allows the peers to select a stronger | Neither TLS 1.0 nor TLS 1.1 allows the peers to select a stronger | |||
| hash for signatures in the ServerKeyExchange or CertificateVerify | hash for signatures in the ServerKeyExchange or CertificateVerify | |||
| messages, making the only upgrade path the use of a newer protocol | messages, making the only upgrade path the use of a newer protocol | |||
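Review bot: the only change in this block is notational: `2^(77)` on the left becomes `2^77` on the right, and the line is reflowed so the exponent moves up to the end of the previous line; the surrounding text (running SHA-1 handshake hash, MD5/SHA-1 concatenated signatures, no way to negotiate a stronger signature hash in ServerKeyExchange or CertificateVerify) is identical on both sides, so this is editorial only. Check that the `2^77` form matches any other exponent in the document so the notation stays consistent. The stray space in "( DH)" appears on both sides, so it looks like an artifact of this rendering rather than a difference between the two versions; worth confirming against the plain-text files before treating it as a typo in either draft.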
| End of changes. 1 change blocks. | ||||
| 2 lines changed or deleted | 2 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||