List:       namedroppers
Subject:    RE: MD5
From:       Philip Hallam-Baker <pbaker () verisign ! com>
Date:       2000-08-25 20:42:56
> It's one of those judgement things.  Script kiddies are not routinely
> breaking MD5 on their PCs.  But over three years ago in 1997, RFC 2104
> which defines HMAC, said the following:

It is important to note that the specific attack developed by Dobbertin
is such that the use of HMAC-MD5 is considerably less worrying than use
of RSA-MD5.

The attack itself does not represent a break of MD5 but it is close
enough for use of MD5 to be deprecated in conjunction with signatures,
since the attack is very close to a complete compromise and certainly
suggests that the difficulty of a complete compromise is nowhere near
the O(2^128) complexity we would like.

The HMAC construction does not actually rely on the specific digest
property that the Dobbertin attack compromises. It does not provide a
means of discovering the key, nor does it allow an integrity attack.

Since we are talking about RSA/MD5 here the argument for moving to SHA-1
is compelling. There is simply not enough confidence in the crypto
community to use MD5 for a new application with no legacy base to
support.

We can guarantee that some people will make SHA-1 a requirement; I do
not think it likely that anyone will argue passionately for RSA-MD5.
Absent a deployed base we should nix RSA-MD5 entirely. [Theoretical
premises in the RFCs concerning Hesiod, DECNET etc. aside] DNS is a
global infrastructure and I would have difficulty with the idea that
there is room for any more than one sig alg that everyone uses and a
backup.


		Phill
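The message above distinguishes HMAC-MD5 from RSA-MD5: HMAC wraps the digest in two keyed passes, so a weakness in the digest's collision property does not hand an attacker the key. The following is an added example (not code from this thread or from Hallam-Baker) that builds HMAC directly from the RFC 2104 definition, H((K XOR opad) || H((K XOR ipad) || text)), over MD5 and SHA-1, and checks it against the RFC 2202 test vectors and Python's standard `hmac` module. The key-longer-than-block-size path and the constant-time tag comparison are the two details implementers most often get wrong.

```python
import hashlib
import hmac
import os


def hmac_rfc2104(key: bytes, text: bytes, hash_name: str = "md5") -> bytes:
    """HMAC as defined in RFC 2104, built from the hash primitive only.

    hash_name is any hashlib algorithm name; MD5 and SHA-1 both use a
    64-byte block size B, which is the padding width for the key.
    """
    block_size = hashlib.new(hash_name).block_size  # B, 64 for MD5/SHA-1
    # RFC 2104 section 2: keys longer than B bytes are first hashed to L bytes
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    # Zero-pad the key on the right to exactly B bytes
    key = key.ljust(block_size, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    # Inner pass: the key is mixed in before the text, so an attacker who can
    # find collisions in H alone still cannot compute this value without K.
    inner = hashlib.new(hash_name, k_ipad + text).digest()
    # Outer pass: hides the inner state behind a second keyed application of H.
    return hashlib.new(hash_name, k_opad + inner).digest()


def verify_tag(key: bytes, text: bytes, tag: bytes, hash_name: str = "md5") -> bool:
    """Constant-time comparison so tag checking does not leak byte-by-byte."""
    return hmac.compare_digest(hmac_rfc2104(key, text, hash_name), tag)


def rfc2202_selfcheck() -> bool:
    """Test case 1 of RFC 2202 for HMAC-MD5 and HMAC-SHA-1 (key = 0x0b repeated)."""
    md5_ok = hmac_rfc2104(b"\x0b" * 16, b"Hi There", "md5").hex() == \
        "9294727a3638bb1c13f48ef8158bfc9d"
    sha1_ok = hmac_rfc2104(b"\x0b" * 20, b"Hi There", "sha1").hex() == \
        "b617318655057264e28bc0b6fb378c8ef146be00"
    return md5_ok and sha1_ok


def matches_stdlib(key: bytes, text: bytes, hash_name: str = "md5") -> bool:
    """Cross-check the hand-built HMAC against Python's hmac module."""
    return hmac_rfc2104(key, text, hash_name) == hmac.new(key, text, hash_name).digest()


if __name__ == "__main__":
    # Constructed sample: a random key longer than the 64-byte block to
    # exercise the key-hashing branch, plus a short key for the common case.
    long_key = os.urandom(100)
    short_key = b"namedroppers-example-key"  # constructed value
    msg = b"example.  IN A 192.0.2.1"       # constructed DNS-like record text
    print("RFC 2202 vectors:", rfc2202_selfcheck())
    print("long key matches stdlib:", matches_stdlib(long_key, msg, "sha1"))
    tag = hmac_rfc2104(short_key, msg, "sha1")
    print("verify:", verify_tag(short_key, msg, tag, "sha1"))
    print("tampered verify:", verify_tag(short_key, msg + b"0", tag, "sha1"))
```

The inner pass is the reason the thread draws the distinction it does: a collision in H gives an attacker two texts with equal H output, but HMAC hashes `(K XOR ipad) || text`, and without K the attacker cannot evaluate that function to search for a collision in the first place.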
