MD5 in openSSL internals

Venkataragavan Narayanaswamy

Hi,

We are currently analyzing and understanding the security strength of the openSSL internal implementation to certify the products.

In version 0.9.8d, TLSv1.0 alone is supported. Can you please answer the following or provide me with the documentation reference

1. Does openSSL library use MD5 internally for any operation?

2. Can we have SHA256 in the ciphersuite with TLSv1.0?

Thanks,

Venkat


Re: [openssl-dev] MD5 in openSSL internals

Erwann ABALEA
MD5 is used in TLS1.0 for RSA signing and random derivation (PRF). See RFC2246.
(Please note that OpenSSL hasn't been mentioned in this sentence).

SHA256 used for the PRF is available with TLS1.2 only. SHA256 used for the HMAC is available for some ciphersuites defined for TLS1.2 only (but I think you could define your own with TLS1.0).

-- 
Erwann ABALEA

On 23/04/2013 08:29, Venkataragavan Narayanaswamy wrote:

> Hi,
>
> We are currently analyzing and understanding the security strength of the openSSL internal implementation to certify the products.
>
> In version 0.9.8d, TLSv1.0 alone is supported. Can you please answer the following or provide me with the documentation reference
>
> 1. Does openSSL library use MD5 internally for any operation?
>
> 2. Can we have SHA256 in the ciphersuite with TLSv1.0?
>
> Thanks,
>
> Venkat



Re: [openssl-dev] MD5 in openSSL internals

David Jacobson-3
Careful about this. The technically correct answer is misleading.

Yes, MD5 is used in the PRF, but it is XORed with SHA1. So you get at least the strength of the stronger of the two.

    --David Jacobson

On 4/23/13 3:31 AM, Erwann Abalea wrote:

> MD5 is used in TLS1.0 for RSA signing and random derivation (PRF). See RFC2246.
> (Please note that OpenSSL hasn't been mentioned in this sentence).
>
> SHA256 used for the PRF is available with TLS1.2 only. SHA256 used for the HMAC is available for some ciphersuites defined for TLS1.2 only (but I think you could define your own with TLS1.0).
>
> -- 
> Erwann ABALEA
>
> On 23/04/2013 08:29, Venkataragavan Narayanaswamy wrote:
>
>> Hi,
>>
>> We are currently analyzing and understanding the security strength of the openSSL internal implementation to certify the products.
>>
>> In version 0.9.8d, TLSv1.0 alone is supported. Can you please answer the following or provide me with the documentation reference
>>
>> 1. Does openSSL library use MD5 internally for any operation?
>>
>> 2. Can we have SHA256 in the ciphersuite with TLSv1.0?
>>
>> Thanks,
>>
>> Venkat




Re: [openssl-users] Re: [openssl-dev] MD5 in openSSL internals

Erwann ABALEA
You're right.

PRF in TLS1.0 is done by splitting the secret in 2 parts, hashing the first with MD5, hashing the second with SHA1, and XORing the 2 results.
RSA signing in TLS1.0 is done by hashing the data with MD5 and SHA1, concatenating the 2 hash results, and signing the 36 bytes result (with PKCS#1v1.5 padding).

PRF construct depends on pre-image resistance. MD5 and SHA1 are still considered pre-image resistant.
RSA signing depends on collision resistance. MD5 is not collision resistant, SHA1 is not considered academically collision resistant, but there's no known attack on collision of both MD5 and SHA1 at the same time.

-- 
Erwann ABALEA

On 23/04/2013 14:28, David Jacobson wrote:

> Careful about this. The technically correct answer is misleading.
>
> Yes, MD5 is used in the PRF, but it is XORed with SHA1. So you get at least the strength of the stronger of the two.
>
>     --David Jacobson
>
> On 4/23/13 3:31 AM, Erwann Abalea wrote:
>
>> MD5 is used in TLS1.0 for RSA signing and random derivation (PRF). See RFC2246.
>> (Please note that OpenSSL hasn't been mentioned in this sentence).
>>
>> SHA256 used for the PRF is available with TLS1.2 only. SHA256 used for the HMAC is available for some ciphersuites defined for TLS1.2 only (but I think you could define your own with TLS1.0).
>>
>> -- 
>> Erwann ABALEA
>>
>> On 23/04/2013 08:29, Venkataragavan Narayanaswamy wrote:
>>
>>> Hi,
>>>
>>> We are currently analyzing and understanding the security strength of the openSSL internal implementation to certify the products.
>>>
>>> In version 0.9.8d, TLSv1.0 alone is supported. Can you please answer the following or provide me with the documentation reference
>>>
>>> 1. Does openSSL library use MD5 internally for any operation?
>>>
>>> 2. Can we have SHA256 in the ciphersuite with TLSv1.0?
>>>
>>> Thanks,
>>>
>>> Venkat





Re: MD5 in openSSL internals

Nikola Vassilev
In reply to this post by Venkataragavan Narayanaswamy

From: Venkataragavan Narayanaswamy <[hidden email]>
Date: Tue, 23 Apr 2013 00:29:17 -0600
ReplyTo: [hidden email]
Subject: MD5 in openSSL internals

Hi,

We are currently analyzing and understanding the security strength of the openSSL internal implementation to certify the products.

In version 0.9.8d, TLSv1.0 alone is supported. Can you please answer the following or provide me with the documentation reference

1. Does openSSL library use MD5 internally for any operation?

2. Can we have SHA256 in the ciphersuite with TLSv1.0?

Thanks,

Venkat


Re: MD5 in openSSL internals

Viktor Dukhovni
On Wed, Apr 24, 2013 at 03:18:45PM +0000, Nikola Vassilev wrote:

> We are currently analyzing and understanding the security strength
> of the openSSL internal implementation to certify the products.
> In version 0.9.8d, TLSv1.0 alone is supported. Can you please
> answer the following or provide me with the documentation reference
>
> 1.       Does openSSL library use MD5 internally for any operation?
>
> 2.       Can we have SHA256 in the ciphersuite with TLSv1.0?

You're not qualified to perform this analysis.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: MD5 in openSSL internals

David Johnston
> On Wed, Apr 24, 2013 at 03:18:45PM +0000, Nikola Vassilev wrote:
>
>> We are currently analyzing and understanding the security strength
>> of the openSSL internal implementation to certify the products.
>> In version 0.9.8d, TLSv1.0 alone is supported. Can you please
>> answer the following or provide me with the documentation reference
>>
>> 1.       Does openSSL library use MD5 internally for any operation?
>>
>> 2.       Can we have SHA256 in the ciphersuite with TLSv1.0?
>
> You're not qualified to perform this analysis.
>

OpenSSL is not open to such analysis if a documentation reference cannot
be given.


Re: MD5 in openSSL internals

Viktor Dukhovni
On Wed, Apr 24, 2013 at 01:55:36PM -0700, [hidden email] wrote:

> > On Wed, Apr 24, 2013 at 03:18:45PM +0000, Nikola Vassilev wrote:
> >
> >> We are currently analyzing and understanding the security strength
> >> of the openSSL internal implementation to certify the products.
> >> In version 0.9.8d, TLSv1.0 alone is supported. Can you please
> >> answer the following or provide me with the documentation reference
> >>
> >> 1.       Does openSSL library use MD5 internally for any operation?
> >>
> >> 2.       Can we have SHA256 in the ciphersuite with TLSv1.0?
> >
> > You're not qualified to perform this analysis.
> >
>
> OpenSSL is not open to such analysis if a documentation reference cannot
> be given.

Neither question requires any OpenSSL documentation, OpenSSL 0.9.8d
implements SSLv2, SSLv3 and TLSv1.0.  Anyone competent to assess
the implementation knows the answers to these questions without
looking at OpenSSL.

The converse is not generally true: I know the answers to the
questions, but I am also not competent to assess the strength of
the cryptography in OpenSSL relative to other implementations of
the same algorithms and protocol standards. That takes additional
expertise, which the OP clearly lacks.

--
        Viktor.

RE: MD5 in openSSL internals

Salz, Rich
In reply to this post by David Johnston
First poster:
> We are currently analyzing and understanding the security strength of
> the openSSL internal implementation to certify the products.
> In version 0.9.8d, TLSv1.0 alone is supported. Can you please answer
> the following or provide me with the documentation reference
>
> 1.       Does openSSL library use MD5 internally for any operation?
>
> 2.       Can we have SHA256 in the ciphersuite with TLSv1.0?

Well-known respondent:
> You're not qualified to perform this analysis.

Second respondent:
> OpenSSL is not open to such analysis if a documentation reference cannot be given.

Me:
Actually, the first poster did not describe what kind of certification is being done, and therefore we have no idea whether or not such documentation is required. We do have one proof point, the FIPS certification, that shows this documentation is not required. On the basis of that, and the fact that this is free open source software, it is not unreasonable for experienced folks to say "we gave you the source, everything else is up to you."

Taken by themselves, the questions are too vague to really answer.  Is using MD5 as part of the connection setup "internally"? I would interpret question 1 to mean things like power-on selftest, etc, but it's not clear. As for the second question, I can't even understand it: do they want to know if SHA256 is in the protocol, the OpenSSL library, the OpenSSL implementation of the protocol, enabled or disabled by default, or what?

My guess is that English is not the native language, and I would have been more lenient with the first poster, but based on what was written, the first respondent seems accurate to me.

        /r$

--  
Principal Security Engineer
Akamai Technology
Cambridge, MA