So, right now, there is a push for moving from SHA1 signed certificates to SHA256 signed certificates by Google. My understanding is that you cannot use SHA1 for signing certificates but HMAC-SHA1 can still be used in your cipher suite as a MAC. Is this correct? Or will certificates using HMAC-SHA1 also be rejected by Google and others?
-
1Do "certificates using HMAC-SHA1" exist? – Feb 25 '16 at 14:56
-
@Ricky Demer: Good catch! It should read "connections using HMAC-SHA1". My bad, wrote the question in a hurry. – Earthling Feb 26 '16 at 04:09
2 Answers
Due to the mathematics of how HMACs work, a weakness in the hash algorithm doesn't automatically mean that a HMAC based on it is also weak. This might seem counter-intuitive, but comes down to the fact that the known weakness in SHA1 relates to collisions, and can't be applied to a HMAC due to the construction method. In fact, even HMAC-MD5 is still fairly secure, even though MD5 is considered completely broken.
All this means that Google haven't made any indications of wanting to retire HMAC-SHA1 at the moment. They may want to in the future, especially if different forms of attack against SHA1 are found, but currently the only known way to break a HMAC-SHA1 is to brute force the key, which should, given a sensible key selection process, be really hard.
- 27,263
- 7
- 89
- 101
-
Agreed. Even I understood that there are no indications of retiring HMAC-SHA1. Well, people do recommend using SHA2 when in doubt, but HMAC-SHA1 seems safe as of now. – Earthling Feb 25 '16 at 11:46
-
Exactly - no harm in moving onto SHA2, but for this use case, SHA1 is still acceptable. Other use cases, this isn't the case. – Matthew Feb 25 '16 at 11:47
To complement @Matthew's point (which is very correct): HMAC's security is proven to be good, as long as the underlying hash function is built over an internal "compression function" that fulfils some specific properties. It is known that MD5 and SHA-1 do not fulfil all these properties (because then they would also be ideally resistant to collisions, which they are not), but that just invalidates the proof. It does not turn into an actual attack. Absence of a proof of security is not a proof of absence of security.
In SSL/TLS, HMAC is used in two places: for the integrity checks on records, and as part of the internal "PRF" which is used to derive keys into other keys. Up to and including TLS 1.1, HMAC/SHA-1 is used in both roles, and that's not optional. Banning HMAC/SHA-1 would really mean enforcing TLS-1.2. Right now, too many HTTPS servers still support only TLS-1.0, so Google cannot afford to prohibit pre-1.2 protocol versions. Web browsers gotta browse.
- 170,038
- 29
- 342
- 480
-
As far as I'm aware, [this proof](http://link.springer.com/chapter/10.1007/978-3-662-44371-2_7)'s assumption is not known to fail for SHA-1. – Feb 25 '16 at 15:01