Diff: rfc9155v2.txt - rfc9155.txt

	rfc9155v2.txt	rfc9155.txt

	Internet Engineering Task Force (IETF) L. Velvindron	Internet Engineering Task Force (IETF) L. Velvindron
	Request for Comments: 9155 cyberstorm.mu	Request for Comments: 9155 cyberstorm.mu
	Updates: 5246 K. Moriarty	Updates: 5246 K. Moriarty
	Category: Standards Track CIS	Category: Standards Track CIS
	ISSN: 2070-1721 A. Ghedini	ISSN: 2070-1721 A. Ghedini
	Cloudflare Inc.	Cloudflare Inc.

	November 2021	December 2021

	Deprecating MD5 and SHA-1 Signature Hashes in (D)TLS 1.2	Deprecating MD5 and SHA-1 Signature Hashes in (D)TLS 1.2

	Abstract	Abstract

	The MD5 and SHA-1 hashing algorithms are increasingly vulnerable to	The MD5 and SHA-1 hashing algorithms are increasingly vulnerable to
	attack, and this document deprecates their use in (D)TLS 1.2 digital	attack, and this document deprecates their use in (D)TLS 1.2 digital

	signatures. However, this document does not deprecate SHA-1 in the	signatures. However, this document does not deprecate SHA-1 with
	Hashed Message Authentication Code (HMAC), as used in record	Hashed Message Authentication Code (HMAC), as used in record
	protection. This document updates RFC 5246.	protection. This document updates RFC 5246.

	Status of This Memo	Status of This Memo

	This is an Internet Standards Track document.	This is an Internet Standards Track document.

	This document is a product of the Internet Engineering Task Force	This document is a product of the Internet Engineering Task Force
	(IETF). It represents the consensus of the IETF community. It has	(IETF). It represents the consensus of the IETF community. It has
	received public review and has been approved for publication by the	received public review and has been approved for publication by the

	skipping to change at line 84 ¶	skipping to change at line 84 ¶
	potential for brute-force attack. In 2016, researchers from the	potential for brute-force attack. In 2016, researchers from the
	National Institute for Research in Digital Science and Technology	National Institute for Research in Digital Science and Technology
	(INRIA) identified a new class of transcript collision attacks on TLS	(INRIA) identified a new class of transcript collision attacks on TLS
	(and other protocols) that relies on efficient collision-finding	(and other protocols) that relies on efficient collision-finding
	algorithms on the underlying hash constructions	algorithms on the underlying hash constructions
	[Transcript-Collision]. Further, in 2017, researchers from Google	[Transcript-Collision]. Further, in 2017, researchers from Google
	and Centrum Wiskunde & Informatica (CWI) Amsterdam [SHA-1-Collision]	and Centrum Wiskunde & Informatica (CWI) Amsterdam [SHA-1-Collision]
	proved SHA-1 collision attacks were practical. This document updates	proved SHA-1 collision attacks were practical. This document updates
	[RFC5246] in such a way that MD5 and SHA-1 MUST NOT be used for	[RFC5246] in such a way that MD5 and SHA-1 MUST NOT be used for
	digital signatures. However, this document does not deprecate SHA-1	digital signatures. However, this document does not deprecate SHA-1

	in HMAC, as used in record protection. Note that the CA/Browser	with HMAC, as used in record protection. Note that the CA/Browser
	Forum (CABF) has also deprecated use of SHA-1 for use in certificate	Forum (CABF) has also deprecated use of SHA-1 for use in certificate
	signatures [CABF].	signatures [CABF].

	1.1. Requirements Language	1.1. Requirements Language

	The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",	The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
	"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and	"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
	"OPTIONAL" in this document are to be interpreted as described in	"OPTIONAL" in this document are to be interpreted as described in
	BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all	BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
	capitals, as shown here.	capitals, as shown here.

	skipping to change at line 145 ¶	skipping to change at line 145 ¶

	IANA has also updated the reference for the "TLS SignatureAlgorithm"	IANA has also updated the reference for the "TLS SignatureAlgorithm"
	and "TLS HashAlgorithm" registries to refer to this document in	and "TLS HashAlgorithm" registries to refer to this document in
	addition to RFCs 5246 and 8447.	addition to RFCs 5246 and 8447.

	7. Security Considerations	7. Security Considerations

	Concerns with (D)TLS 1.2 implementations falling back to SHA-1 is an	Concerns with (D)TLS 1.2 implementations falling back to SHA-1 is an
	issue. This document updates the TLS 1.2 specification [RFC5246] to	issue. This document updates the TLS 1.2 specification [RFC5246] to
	deprecate support for MD5 and SHA-1 for digital signatures. However,	deprecate support for MD5 and SHA-1 for digital signatures. However,

	this document does not deprecate SHA-1 in HMAC, as used in record	this document does not deprecate SHA-1 with HMAC, as used in record
	protection.	protection.

	8. References	8. References

	8.1. Normative References	8.1. Normative References

	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
	Requirement Levels", BCP 14, RFC 2119,	Requirement Levels", BCP 14, RFC 2119,
	DOI 10.17487/RFC2119, March 1997,	DOI 10.17487/RFC2119, March 1997,
	<https://www.rfc-editor.org/info/rfc2119>.	<https://www.rfc-editor.org/info/rfc2119>.

End of changes. 4 change blocks.
	4 lines changed or deleted	4 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/