
RE: [Cfrg] Re: [saag] Bad day at the hash function factory



Err, I don't think we can simply obsolete MD5, not according to my
understanding of how the doc series works. It's informational for starters,
so it is not quite within the control scheme... We are long past the point
where the RFC series should be closed and replaced with something more
sophisticated than a flat sequence order.

There are several other docs that rely on MD5 that are not affected by the
collision attack or do not require strong security properties. I tried to
argue for eliminating MD5 in 1995 to no effect.

What we need to do is deprecate MD5. This would be easier if we had a way of
obtaining a proper dependency graph for specs that require MD5.


On the HTTP Digest side I don't see that there is a major issue from mere
collisions.  There is no non-repudiation support in the scheme anyway and
the content is only going to be read once in any case. What does it matter
that there was an alternative set of data? Digest is only intended to be a
lightweight replacement for BASIC, not an SSL equivalent.

		Phill

> -----Original Message-----
> From: cfrg-bounces at ietf.org [mailto:cfrg-bounces at ietf.org]On Behalf Of
> james hughes
> Sent: Thursday, August 19, 2004 8:59 PM
> To: David A. McGrew
> Cc: saag at mit.edu; james hughes; cfrg at ietf.org; Eric Rescorla
> Subject: [Cfrg] Re: [saag] Bad day at the hash function factory
> 
> 
> One comment and two discussion points.
> 
> Can we withdraw the MD5 RFC as obsolete?
> 
> On Aug 19, 2004, at 12:23 PM, David A. McGrew wrote:
> >> WHAT'S SAFE?
> >> First, anything that's already been signed is definitely safe.  If you
> >> stop using MD5 today, nothing you signed already puts you at risk.
> 
> I sign a document (in the clear) which says "... pay me $100.00 ... "
> and now I can create a document that says "... pay me $10,000 ... " with
> a collision. Just because the original is old, why are these old
> documents safe?
> 
> >> It's believed that HMAC is secure against this attack (according to
> >> Hugo Krawczyk, the designer) so the modern MAC functions should all be
> >> secure.
> 
> While I believe this may be true, I believe that the proof that HMAC is
> secure requires a collision resistant hash function. If this is the
> case, then we no longer have a proof that HMAC is secure.  The SAAG
> should understand this with open eyes.
> 
> I agree that we need to move away from MD5.
> 
> Thanks
> 
> jim
> 

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
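The document-substitution attack James describes above, worked through as an added example (this is not code from the thread, the IETF, or any of the participants). It assumes a stand-in "hash" (MD5 truncated to 24 bits, so a birthday search finds a collision in well under a second; real 2004-era MD5 needed Wang's technique, but the consequence for the signature is identical) and a stand-in "signature" (HMAC-SHA256 over the digest under a key only the signer holds, which has the same sign(H(m)) shape as RSA or DSA for this purpose). The document templates, key and counter field are all constructed for the demonstration. The last field in the result also shows why the same collision pair does not carry over when a secret key is prepended before hashing, which is the intuition behind the HMAC remark, not a proof of it.

```python
"""Why an old signature is retroactively at risk once the hash is broken.

Added example, not from the thread. The hash is MD5 truncated to 24 bits
(constructed) so that a generic birthday search finds a collision quickly;
the signature is HMAC-SHA256 over the digest (constructed stand-in for a
public-key signature, which likewise only ever sees H(document)).
"""
import hashlib
import hmac

HASH_BITS = 24  # constructed: small enough for a birthday search in ~2^12 tries


def toy_hash(data: bytes) -> bytes:
    """Truncated MD5: stands in for a collision-broken hash function."""
    return hashlib.md5(data).digest()[: HASH_BITS // 8]


SIGNER_KEY = b"signer-private-key (constructed)"


def sign(document: bytes, key: bytes = SIGNER_KEY) -> bytes:
    # Like a real signature scheme, the signer only ever commits to H(document).
    return hmac.new(key, toy_hash(document), "sha256").digest()


def verify(document: bytes, signature: bytes, key: bytes = SIGNER_KEY) -> bool:
    return hmac.compare_digest(sign(document, key), signature)


def keyed_toy_hash(key: bytes, data: bytes) -> bytes:
    """Secret prefix before hashing, the shape of HMAC's inner computation."""
    return toy_hash(key + data)


def find_collision(honest_template: str, forged_template: str, limit: int = 1 << 16):
    """Birthday search: return (honest_doc, forged_doc) with equal toy_hash.

    Each template has one {} slot for an innocuous counter field (an invoice
    number) that the attacker can vary freely without changing what a human
    reader takes the document to mean.
    """
    seen = {}
    for i in range(limit):
        doc = honest_template.format(i).encode()
        seen.setdefault(toy_hash(doc), doc)
    for i in range(limit):
        doc = forged_template.format(i).encode()
        h = toy_hash(doc)
        if h in seen:
            return seen[h], doc
    raise RuntimeError("no collision within search budget")


def demo():
    honest, forged = find_collision(
        "Invoice #{}: please pay me $100.00",
        "Invoice #{}: please pay me $10,000.00",
    )
    # The victim signs the $100 document today, while the hash is still trusted.
    sig = sign(honest)
    # Later the same signature verifies on the $10,000 document, even though the
    # signer has since stopped using the hash: the signature never changed.
    return {
        "honest": honest,
        "forged": forged,
        "same_hash": toy_hash(honest) == toy_hash(forged),
        "forged_verifies": verify(forged, sig),
        # The pair collides only for the unkeyed hash; a secret prefix changes
        # the chaining state, so this particular collision does not transfer.
        "collides_with_secret_prefix": keyed_toy_hash(SIGNER_KEY, honest)
        == keyed_toy_hash(SIGNER_KEY, forged),
    }


if __name__ == "__main__":
    result = demo()
    for name, value in result.items():
        print(f"{name}: {value!r}")
```

The point of the construction is that a signature is a commitment to H(m), not to m: the attacker never needs the signer's key, only a second message with the same digest, and nothing the signer does after the fact (switching hash functions, revoking the old one) changes what the existing signature verifies.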