20.3 SLOTH
SLOTH [31] uses a weaker form of second-preimage resistance for a hash function h, namely chosen-prefix collision resistance. Given two prefixes P1 and P2, it should be computationally hard to find a pair of values x1,x2 so that
The use of MD5 and SHA-1 is mandated in TLS 1.0 and TLS 1.1 and is still possible in TLS 1.2. However, these older hash functions are not chosen-prefix collision resistant. This weakness can be used by an attacker either to manipulate the initial handshake messages in order to downgrade the negotiated cipher suites or to break client/server authentication. The possibility of these attacks leads to the deprecation of MD5-based signatures in TLS 1.3.
The attacker in this scenario is a man-in-the-middle with sufficient computing resources to generate the chosen-prefix collisions within a short time frame. The attack is based on the fact that, for example, the ClientHello
can include extensions that the server does not understand or support and...