List: namedroppers
Subject: RE: MD5
From: Philip Hallam-Baker <pbaker () verisign ! com>
Date: 2000-08-25 20:42:56
> It's one of those judgement things. Script kiddies are not routinely
> breaking MD5 on their PCs. But over three years ago in 1997, RFC 2104
> which defines HMAC, said the following:
>
> It is important to note that the specific attack developed by Dobbertin
> is such that the use of HMAC-MD5 is considerably less worrying than use
> of RSA-MD5.

The attack itself does not represent a break of MD5 but it is close
enough for use of MD5 to be deprecated in conjunction with signatures,
since the attack is very close to a complete compromise and certainly
suggests that the difficulty of a complete compromise is nowhere near
O(2^128) complexity as we would like.

The HMAC construction does not actually rely on the specific digest
property that the Dobbertin attack compromises. It does not provide a
means of discovering the key, nor does it allow an integrity attack.

Since we are talking about RSA/MD5 here the argument for moving to SHA-1
is compelling. There is simply not enough confidence in the crypto
community to use MD5 for a new application with no legacy base to
support.

We can guarantee that some people will make SHA-1 a requirement; I do
not think it likely that anyone will argue passionately for RSA-MD5.
Absent a deployed base we should nix RSA-MD5 entirely. [Theoretical
premises in the RFCs concerning Hesiod, DECNET etc. aside] DNS is a
global infrastructure and I would have difficulty with the idea that
there is room for any more than one sig alg that everyone uses and a
backup.
Phill
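The distinction drawn above, that a hash collision breaks hash-then-sign (RSA-MD5) outright while HMAC-MD5 does not depend on that property, can be shown concretely. The following is an added example and is not part of Hallam-Baker's message or of any RFC: it uses the 128-byte MD5-colliding message pair published by Wang, Feng, Lai and Yu in 2004, four years after this message (so it stands in for the break Dobbertin's 1996 compression-function result foreshadowed), and the HMAC key and the appended suffix are constructed here for the demonstration.

```python
"""Hash-then-sign versus HMAC under a real MD5 collision.

Added example, not part of the namedroppers message above.  M1 and M2 are
the two-block MD5 collision published by Wang, Feng, Lai and Yu (2004);
the key and suffix below are constructed for this demonstration.
"""
import hashlib
import hmac

# 128 bytes each; they differ in six bytes, spread over both 64-byte blocks.
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def differing_positions(a: bytes, b: bytes) -> list:
    """Byte offsets at which the two messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def hash_then_sign_indistinguishable(m1: bytes, m2: bytes, suffix: bytes = b"") -> bool:
    """An RSA-MD5 style signature is a function of MD5(m) alone, so two
    messages with equal digests receive byte-identical signatures under
    every key: the signer cannot tell them apart.  Because MD5 is a
    Merkle-Damgard construction, the collision also survives any common
    suffix: the chaining state after the colliding blocks is the same, and
    so is the final padding for equal-length inputs."""
    return md5(m1 + suffix) == md5(m2 + suffix)


def hmac_md5_distinguishes(key: bytes, m1: bytes, m2: bytes) -> bool:
    """HMAC-MD5 hashes (key ^ ipad) || m, so the message blocks are
    processed from a key-dependent chaining value rather than MD5's fixed
    IV.  A collision found for the fixed IV does not carry over to that
    chaining value, so the two tags differ.  Returns True when they do."""
    t1 = hmac.new(key, m1, hashlib.md5).digest()
    t2 = hmac.new(key, m2, hashlib.md5).digest()
    return not hmac.compare_digest(t1, t2)


if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed, any key works
    suffix = b" ;; appended by the forger"  # constructed common suffix
    print("differing byte offsets:", differing_positions(M1, M2))
    print("MD5(M1) == MD5(M2):", hash_then_sign_indistinguishable(M1, M2))
    print("still equal with a common suffix:",
          hash_then_sign_indistinguishable(M1, M2, suffix))
    print("HMAC-MD5 tags differ:", hmac_md5_distinguishes(key, M1, M2))
```

The suffix case is the one that matters for a signature scheme: once an attacker holds one colliding block pair, every document built by appending the same tail to each half carries the same RSA-MD5 signature, which is exactly why a digest-only break is enough to retire the signature algorithm while leaving HMAC-MD5 standing.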