Deprecating MD5 and SHA-1 Signature Hashes in TLS 1.2 and DTLS 1.2cyberstorm.muRose HillMauritius+230 59762817logan@cyberstorm.muCenter for Internet SecurityEast GreenbushNYUnited States of AmericaKathleen.Moriarty.ietf@gmail.comCloudflare Inc.alessandro@cloudflare.com
Security
TLStls
The MD5 and SHA-1 hashing algorithms are increasingly vulnerable to attack, and this document deprecates their use in TLS 1.2 and DTLS 1.2 digital signatures.
However, this document does not deprecate SHA-1 with Hashed Message Authentication Code (HMAC), as used in record protection. This document updates RFC 5246.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further
information on Internet Standards is available in Section 2 of
RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Revised BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Revised BSD License.
Table of Contents
. Introduction
. Requirements Language
. Signature Algorithms
. Certificate Request
. Server Key Exchange
. Certificate Verify
. IANA Considerations
. Security Considerations
. References
. Normative References
. Informative References
Acknowledgements
Authors' Addresses
IntroductionThe usage of MD5 and SHA-1 for signature hashing in (D)TLS 1.2 is specified in . MD5 and SHA-1 have been proven to be insecure,
subject to collision attacks . In 2011, detailed the security considerations, including collision attacks
for MD5.
NIST formally deprecated use of SHA-1 in 2011
and
disallowed its use for digital signatures at the end of 2013, based on both the attack described in and the
potential for brute-force attack. In 2016, researchers from the National Institute for Research in Digital Science and Technology (INRIA) identified
a new class of transcript collision attacks on TLS (and other protocols)
that relies on efficient collision-finding algorithms on the underlying hash
constructions . Further, in 2017,
researchers from Google and Centrum Wiskunde & Informatica (CWI) Amsterdam
proved SHA-1 collision attacks were practical.
This document updates
in such a way that MD5 and SHA-1 MUST NOT
be used for digital signatures. However, this document does not deprecate SHA-1 with HMAC, as used in record protection.
Note that the CA/Browser Forum (CABF) has also deprecated use of SHA-1 for use in certificate signatures .
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
Signature Algorithms
Clients MUST include the signature_algorithms extension. Clients MUST NOT include MD5
and SHA-1 in this extension.
Certificate Request
Servers SHOULD NOT include MD5 and SHA-1 in CertificateRequest messages.
Server Key Exchange
Servers MUST NOT include MD5 and SHA-1 in ServerKeyExchange
messages. If the client receives a ServerKeyExchange message
indicating MD5 or SHA-1, then it MUST abort the connection with
an illegal_parameter alert.
Certificate Verify
Clients MUST NOT include MD5 and SHA-1 in CertificateVerify messages. If a
server receives a CertificateVerify message with MD5 or SHA-1, it MUST
abort the connection with an illegal_parameter alert.
IANA ConsiderationsIANA has updated the "TLS SignatureScheme" registry by changing the recommended status of
SHA-1-based signature schemes to "N" (not recommended), as defined by .
The following entries have been updated; other entries in the registry remain the same.
Value
Description
Recommended
Reference
0x0201
rsa_pkcs1_sha1
N
[RFC9155]
0x0203
ecdsa_sha1
N
[RFC9155]
IANA has also updated the reference for the "TLS SignatureAlgorithm" and "TLS
HashAlgorithm" registries to refer to this document in addition to RFCs 5246 and
8447.
Security Considerations Concerns with (D)TLS 1.2 implementations falling back to SHA-1 is an issue.
This document updates the TLS 1.2 specification to deprecate support for MD5
and SHA-1 for digital signatures. However, this document does not deprecate SHA-1 with HMAC, as used in record protection.
ReferencesNormative ReferencesKey words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.The Transport Layer Security (TLS) Protocol Version 1.2This document specifies Version 1.2 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. [STANDARDS-TRACK]Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.The Transport Layer Security (TLS) Protocol Version 1.3This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.IANA Registry Updates for TLS and DTLSThis document describes a number of changes to TLS and DTLS IANA registries that range from adding notes to the registry all the way to changing the registration policy. These changes were mostly motivated by WG review of the TLS- and DTLS-related registries undertaken as part of the TLS 1.3 development process.This document updates the following RFCs: 3749, 5077, 4680, 5246, 5705, 5878, 6520, and 7301.Informative ReferencesBallot 118 -- SHA-1 Sunset (passed)CA/Browser ForumTransitioning the Use of Cryptographic Algorithms and Key LengthsUpdated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 AlgorithmsThis document updates the security considerations for the MD5 message digest algorithm. It also updates the security considerations for HMAC-MD5. This document is not an Internet Standards Track specification; it is published for informational purposes.The First Collision for Full SHA-1Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSHFinding Collisions in the Full SHA-1Acknowledgements The authors would like to thank for his help in writing the initial
draft version of this document. We are also grateful to , , , , and
for their feedback.
Authors' Addressescyberstorm.muRose HillMauritius+230 59762817logan@cyberstorm.muCenter for Internet SecurityEast GreenbushNYUnited States of AmericaKathleen.Moriarty.ietf@gmail.comCloudflare Inc.alessandro@cloudflare.com