Sites Inria

Version française



Team secret and Team Prosseco : SLOTH vulnerability detection

Yesterday, after months of talking with various software vendors, we publicly disclosed a new attack called SLOTH discovered by Gaetan Leurent and Karthikeyan Bhargavan (both INRIA Paris researchers : Team SECRET and Team PROSECCO).

SLOTH vulnerability detection

The basic idea is that many important cryptographic protocols, including TLS, SSH, IPsec, still use weak hash functions such as MD5 in important parts of the protocol. Before now, protocol experts thought that this is ok, because they thought thatit was too difficult to exploit these weaknesses.

Gaetan Leurent and Karthikeyan Bhargavan paper shows that these weaknesses can indeed be exploited; for example, if a bank customer is using a certificate to authenticate to a bank website, They show an attacker can break into this connection by performing 1 hour of computation on a single desktop workstation. (With more machines, the attacker can do this even faster.)The high-level conclusion is that (like with Freak and Logjam) it is important to find and remove all old and obsolete cryptographic algorithms from important protocols like TLS, otherwise they will almost always lead to attacks.

We are encouraging all protocol developers to remove MD5 immediately, and indeed many TLS implementations have done so.


SLOTH is an acronym for the loss of security due to the use of obsolete and truncated hash constructions in mainstream Internet protocols. SLOTH is also a not-so-subtle reference to laziness in the protocol design community with regard to removing legacy cryptographic constructions.

For example, MD5 signatures have been known to be cryptographically broken since at least 2005, but they continue to be used in TLS today, when collision attacks have become significantly more practical, even on standard desktop workstations. Furthermore, SLOTH is part of a series of recent attacks on the use of legacy crypto constructions including POODLEFREAK and Logjam.

We hope that these attacks will encourage the protocol community to proactively remove known-weak constructions, rather than waiting for concrete attacks to make it necessary. 

-> See

Keywords: Prosecco SLOTH Secret Detection Karthik Bhargavan Vulnerability